This would require an override-pull scriptlet.
** Changed in: thunderbird (Ubuntu)
Status: New => Confirmed
** Changed in: thunderbird (Ubuntu)
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1965664
Title:
Safer way to build Thunderbird snap
Status in thunderbird package in Ubuntu:
Confirmed
Bug description:
Hello dear Canonical team,
the offered Thunderbird snap uses only HTTPS to secure the download of
Thunderbird itself and its language packs. At least I found this snapcraft.yaml
proving it:
https://git.launchpad.net/~desktop-snappers/thunderbird/+git/snap/tree/snapcraft.yaml?h=stable
Due to recent attacks against HTTPS by changing network routes and
creating new trusted certificates for official domains [1], HTTPS
alone is not trustworthy anymore. Could you please integrate a check
of the SHA512SUMS (an additional GPG check would be the best of course
but is maybe not so easy to implement) after downloading Thunderbird
itself and all the language packs? The same is already done for the
Chromium snap as far as I could see.
Thank you very much!
[1] https://medium.com/s2wblog/post-mortem-of-klayswap-incident-
through-bgp-hijacking-en-3ed7e33de600
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1965664/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
