Hi,

for our inclusion of Thunderbird/Icedove in Tails, we were concerned we might be always shipping a MUA that has known critical security issues, and always fix stuff 6 weeks late. This is why we started investigating Icedove release timing in Debian, tracked on https://labs.riseup.net/code/issues/10753.

TL;DR: Thunderbird is not always released at the same time as FF, and it can take N days (mostly 7 to 10) to have a new upstream release in Debian. This is due to language support and many Debian specific patches which have not been upstreamed, although the Icedove team would like to do so (any takers?)

This implies that we have to choose between a) delay Tails releases to get the new Icedove; or b) keep sticking to the current Firefox release schedule every 6 weeks.

(a) would imply that Tails users could be affected by known FF security issues for N more days every 6 weeks. (b) implies that we need to look for counter-measures to Icedove being subject to known security issues.

So how do we balance security for www / security for email? It seems hard to judge how much these security issues affect Thunderbird, e.g. some MFSAs [https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/] probably affect Thunderbird, but as far as we know nobody checked this yet.

From our current knowledge, we should probably rather stick to the actual Tails release schedule, and do b). I've previously discussed this only with intrigeri - but this is bigger than us, hence this email as a call for wider input from other people :)

What exact counter measures can we think of?

FTR, we ship Icedove from Debian repositories since Tails 1.7.

Cheers!
u.