Re: [Tails-dev] Icedove security updates / Tails release schedule

2016-01-13 Thread intrigeri
u wrote (12 Jan 2016 16:04:47 GMT) :
> Also, we should investigate how to better keep track of MFSAs and other
> security announcements (even prior to them being posted on
> debian-security). Some of us read FD or debian-security I think, but
> maybe we can track this in a more efficient manner?

I loosely follow oss-security and commits to Debian's secure-testing
repo. I've rarely seen advance notice of security issues/fixes in
Mozilla software via these channels. So, tracking MFSAs seems to be
the best we can do with only public information. AFAIK nobody from
Tails is on the "private" list where Linux distros discuss embargoed
security issues.

Wrt. Firefox, so far we've received heads up in advance from the Tor
Browser team. I guess similar ties with upstream Thunderbird could be
built and result in similar heads up.

Cheers!
-- 
intrigeri
___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.


Re: [Tails-dev] Icedove security updates / Tails release schedule

2016-01-12 Thread u
Hi,

I'd like to sum up the discussion a little bit and move on to the next
steps.

sajolida:
> intrigeri:
>> > I'm replying to "the severity of the options above", regarding
>> > option b.
>> > 
>> > Let's keep in mind that other email clients we used to ship, or could
>> > choose to ship haven't synchronized their release schedule with
>> > Firefox either; Ditto for most other software we ship, actually. So,
>> > the "security updates are delayed a bit" problem is neither news here,
>> > nor specific to Icedove.
>> > 
>> > It *is* a serious problem, however. The long-term solution we've put
>> > our odds on so far, that will work regardless of what email client we
>> > ship, is to streamline our release process so that we can, some day,
>> > put out (smaller) updates more often. This is one of the main reasons
>> > why we've been putting so much efforts into our automated test suite
>> > lately :)

> So I'd say we keep an eye on their security announcement, be ready for
> an emergency upgrade the day it's really needed, and in the meantime
> keep on working on streamlining our release process and having endless
> upgrades (#7499, #8534, or whatever).

I think it's clear now that we'll simply stick to the Firefox/TBB
release schedule and treat Icedove exactly in the same way as other
software we ship.

As said, if anybody feels like helping the Icedove packaging team to get
Icedove into Debian faster, they'd require help with upstreaming
Debian patches of the package.

Next steps: We can make using the email client more secure by adding an
AppArmor profile. I've started investigating this with some help from
jvoisin.
As always, we want to try to not create too much delta with upstream and
so it seems useful to actually use a profile which will be included
there anyway. This is tracked by https://labs.riseup.net/code/issues/10750.
I still need to find out when/if this profile goes upstream and ask the
Debian AppArmor Team to include this into the corresponding package (or
do that myself as I am also part of this team).

Also, we should investigate how to better keep track of MFSAs and other
security announcements (even prior to them being posted on
debian-security). Some of us read FD or debian-security I think, but
maybe we can track this in a more efficient manner?

Cheers!
u.


[Tails-dev] Icedove security updates / Tails release schedule

2016-01-06 Thread Spencer

Hi,

intrigeri:
> I think our design doc has lots of info about this kind of things,
> that should answer the first batch of questions:
>
>    https://tails.boum.org/contribute/design/
>
> Some bits are probably unclear, so feel free to ask.
> Keep in mind that these docs are meant for a technical audience.

Awesome; thanks!

Wordlife,
Spencer



Re: [Tails-dev] Icedove security updates / Tails release schedule

2016-01-05 Thread intrigeri
Spencer wrote (05 Jan 2016 23:24:27 GMT) :
> Is there documentation on these so I can read and minimize questions?

I think our design doc has lots of info about this kind of things,
that should answer the first batch of questions:

   https://tails.boum.org/contribute/design/

Some bits are probably unclear, so feel free to ask.
Keep in mind that these docs are meant for a technical audience.


[Tails-dev] Icedove security updates / Tails release schedule

2016-01-05 Thread Spencer

Hi,

intrigeri:
> The "security check" mechanism was drafted in February, 2010.
> The Upgrader took over some of its functionality in Tails 0.22.1,
> almost two years ago now :)

Is there documentation on these so I can read and minimize questions?

Wordlife,
Spencer



Re: [Tails-dev] Icedove security updates / Tails release schedule

2016-01-05 Thread intrigeri
Spencer wrote (05 Jan 2016 17:43:58 GMT) :
> What version can this functionality be found in?

The "security check" mechanism was drafted in February, 2010.
The Upgrader took over some of its functionality in Tails 0.22.1,
almost two years ago now :)



[Tails-dev] Icedove security updates / Tails release schedule

2016-01-05 Thread Spencer

Hi,

u:
> Tails contains a mechanism that, at boot time, executes a check for
> upgrades. This could be used to display warnings if there is indeed a
> security issue, and has been used for this in the past.

What version can this functionality be found in?

Wordlife,
Spencer



[Tails-dev] Icedove security updates / Tails release schedule

2016-01-05 Thread Spencer

Hi,

intrigeri:
> Let's keep in mind that the "security updates are delayed a bit"
> problem is neither news here, nor specific to Icedove.

sajolida:
> To put it differently, Firefox is the only software we ship
> that is synchronized with our release schedule :)

Understood.

Wordlife,
Spencer



Re: [Tails-dev] Icedove security updates / Tails release schedule

2016-01-05 Thread sajolida
intrigeri:
> I'm replying to "the severity of the options above", regarding
> option b.
> 
> Let's keep in mind that other email clients we used to ship, or could
> choose to ship haven't synchronized their release schedule with
> Firefox either; Ditto for most other software we ship, actually. So,
> the "security updates are delayed a bit" problem is neither news here,
> nor specific to Icedove.
> 
> It *is* a serious problem, however. The long-term solution we've put
> our odds on so far, that will work regardless of what email client we
> ship, is to streamline our release process so that we can, some day,
> put out (smaller) updates more often. This is one of the main reasons
> why we've been putting so much efforts into our automated test suite
> lately :)

Same here. To put it differently, Firefox is the only software we ship
that is synchronized with our release schedule :)

Icedove might deserve more attention than, let's say GtkHash, but other
ones might be as serious, for example Pidgin, I2P, Electrum, or Enigmail
itself.

So I'd say we keep an eye on their security announcement, be ready for
an emergency upgrade the day it's really needed, and in the meantime
keep on working on streamlining our release process and having endless
upgrades (#7499, #8534, or whatever).


Re: [Tails-dev] Icedove security updates / Tails release schedule

2016-01-05 Thread u
Hi,

Dean Pierce:
> Would it be blasphemous to run some sort of software update at boot?
> Ideally some sort of very visible indicator displaying the date of the
> most recent security update would be nice too.  I feel like these
> vulnerability gaps are inevitable, and trying to avoid them with
> tricky scheduling would just make release schedules overly complex,
> and even then it doesn't really help much against an adversary who
> isn't bound to such schedules.

Tails contains a mechanism that, at boot time, executes a check for
upgrades. This could be used to display warnings if there is indeed a
security issue, and has been used for this in the past.

Cheers!
u.


Re: [Tails-dev] Icedove security updates / Tails release schedule

2016-01-04 Thread intrigeri
Spencer wrote (04 Jan 2016 19:41:29 GMT) :
>> u:
>> TL;DR: Thunderbird is not always released at the same time as FF,
>>
>> This implies that we have to choose between
>> a) delay Tails releases to get the new Icedove; or
>> b) [Risk security by] sticking to the current Firefox release schedule every
>> 6 weeks.

> With all due respect to Mozilla devs and all those here involved in making the
> decision to migrate to Icedove, this seems like quite the effort for 
> un(der)usable
> and bloated software, especially given the severity of the options above.

I'm replying to "the severity of the options above", regarding
option b.

Let's keep in mind that other email clients we used to ship, or could
choose to ship haven't synchronized their release schedule with
Firefox either; Ditto for most other software we ship, actually. So,
the "security updates are delayed a bit" problem is neither news here,
nor specific to Icedove.

It *is* a serious problem, however. The long-term solution we've put
our odds on so far, that will work regardless of what email client we
ship, is to streamline our release process so that we can, some day,
put out (smaller) updates more often. This is one of the main reasons
why we've been putting so much efforts into our automated test suite
lately :)

Cheers,
-- 
intrigeri


[Tails-dev] Icedove security updates / Tails release schedule

2016-01-04 Thread Spencer

Hi,

Dean Pierce:
> run some sort of software update at boot? ..visible indicator

This, and other similar things, would be a nice experience that
establishes and enforces trust.

I wonder what the technical implications are.

> trying to avoid them

Prolongs the inevitable.

Wordlife,
Spencer



Re: [Tails-dev] Icedove security updates / Tails release schedule

2016-01-04 Thread Dean Pierce
Would it be blasphemous to run some sort of software update at boot?
Ideally some sort of very visible indicator displaying the date of the
most recent security update would be nice too.  I feel like these
vulnerability gaps are inevitable, and trying to avoid them with
tricky scheduling would just make release schedules overly complex,
and even then it doesn't really help much against an adversary who
isn't bound to such schedules.

   - DEAN

On Mon, Jan 4, 2016 at 11:41 AM, Spencer  wrote:
> Hi,
>
>>
>> u:
>> TL;DR: Thunderbird is not always released at the same time as FF,
>>
>> This implies that we have to choose between
>> a) delay Tails releases to get the new Icedove; or
>> b) [Risk security by] sticking to the current Firefox release schedule
>> every 6 weeks.
>>
>
> With all due respect to Mozilla devs and all those here involved in making
> the decision to migrate to Icedove, this seems like quite the effort for
> un(der)usable and bloated software, especially given the severity of the
> options above.
>
> None of these are desired experiences :(
>
> Wordlife,
> Spencer


[Tails-dev] Icedove security updates / Tails release schedule

2016-01-04 Thread Spencer

Hi,

u:
> TL;DR: Thunderbird is not always released at the same time as FF,
>
> This implies that we have to choose between
> a) delay Tails releases to get the new Icedove; or
> b) [Risk security by] sticking to the current Firefox release schedule
> every 6 weeks.

With all due respect to Mozilla devs and all those here involved in
making the decision to migrate to Icedove, this seems like quite the
effort for un(der)usable and bloated software, especially given the
severity of the options above.

None of these are desired experiences :(

Wordlife,
Spencer



[Tails-dev] Icedove security updates / Tails release schedule

2016-01-04 Thread u
Hi,

for our inclusion of Thunderbird/Icedove in Tails, we were concerned we
might be always shipping a MUA that has known critical security issues,
and always fix stuff 6 weeks late. This is why we started investigating
Icedove release timing in Debian, tracked on
https://labs.riseup.net/code/issues/10753.
TL;DR: Thunderbird is not always released at the same time as FF, and it
can take N days (mostly 7 to 10) to have a new upstream release in
Debian. This is due to language support and many Debian specific patches
which have not been upstreamed, although the Icedove team would like to
do so (any takers?)

This implies that we have to choose between
a) delay Tails releases to get the new Icedove; or
b) keep sticking to the current Firefox release schedule every 6 weeks.

(a) would imply that Tails users could be affected by known FF security
issues for N more days every 6 weeks.
(b) implies that we need to look for counter-measures to Icedove being
subject to known security issues.

So how do we balance security for www / security for email? It seems
hard to judge how much these security issues affect Thunderbird, e.g.
some MFSAs
[https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/]
probably affect Thunderbird, but as far as we know nobody checked this yet.

From our current knowledge, we should probably rather stick to the
actual Tails release schedule, and do b). I've previously discussed this
only with intrigeri - but this is bigger than us, hence this email as a
call for wider input from other people :)

What exact counter measures can we think of?

FTR, we ship Icedove from Debian repositories since Tails 1.7.

Cheers!
u.


[Tails-dev] Icedove security updates / Tails release schedule

2016-01-04 Thread u
Seems my mail has not reached the list yesterday..


 Forwarded Message 
Subject: Icedove security updates / Tails release schedule
Date: Sun, 03 Jan 2016 20:05:05 +
To: The Tails public development discussion list 
