Hi, I'd like to sum up the discussion a little bit and move on to the next steps.
sajolida:
> intrigeri:
>> > I'm replying to "the severity of the options above", regarding
>> > option b.
>> >
>> > Let's keep in mind that other email clients we used to ship, or could
>> > choose to ship, haven't synchronized their release schedule with
>> > Firefox either; ditto for most other software we ship, actually. So,
>> > the "security updates are delayed a bit" problem is neither news here,
>> > nor specific to Icedove.
>> >
>> > It *is* a serious problem, however. The long-term solution we've put
>> > our odds on so far, that will work regardless of what email client we
>> > ship, is to streamline our release process so that we can, some day,
>> > put out (smaller) updates more often. This is one of the main reasons
>> > why we've been putting so much effort into our automated test suite
>> > lately :)
> So I'd say we keep an eye on their security announcements, be ready for
> an emergency upgrade the day it's really needed, and in the meantime
> keep on working on streamlining our release process and having endless
> upgrades (#7499, #8534, or whatever).

I think it's clear now that we'll simply stick to the Firefox/TBB release schedule and treat Icedove exactly the same way as other software we ship. As said, if anybody feels like helping the Icedove packaging team get Icedove into Debian faster, they'd need help with upstreaming Debian's patches to the package.

Next steps:

We can make using the email client more secure by adding an AppArmor profile. I've started investigating this with some help from jvoisin. As always, we want to avoid creating too much delta with upstream, so it seems useful to use a profile which will be included there anyway. This is tracked by https://labs.riseup.net/code/issues/10750. I still need to find out when/if this profile goes upstream and ask the Debian AppArmor Team to include it in the corresponding package (or do that myself, as I am also part of this team).

Also, we should investigate how to better keep track of MFSAs and other security announcements (even before they are posted on debian-security). Some of us read FD or debian-security, I think, but maybe we can track this in a more efficient manner?

Cheers!
u.

_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
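To make concrete what "adding an AppArmor profile" for the mail client involves, here is a sketch of such a profile, added as an illustration for this page. It is not the profile tracked at #10750 and not anything Tails or Debian ships; the binary path /usr/lib/icedove/icedove, the per-user profile directory ~/.icedove and the Downloads directory are assumptions for the example.

```apparmor
# Added example profile (not the upstream or Debian Icedove profile).
# Assumed paths: /usr/lib/icedove/icedove, ~/.icedove, ~/Downloads.
#include <tunables/global>

/usr/lib/icedove/icedove {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/X>
  #include <abstractions/gnome>
  #include <abstractions/ssl_certs>

  # IMAP/POP3/SMTP are TCP only: no raw sockets, no UDP.
  network inet stream,
  network inet6 stream,

  # The application's own code, libraries and static data (assumed paths).
  /usr/lib/icedove/icedove rix,
  /usr/lib/icedove/** mr,
  /usr/share/icedove/** r,
  /etc/icedove/** r,

  # Per-user profile: mail store, settings and cache (assumed locations).
  # "owner" restricts access to files owned by the user running the client.
  owner @{HOME}/.icedove/ rw,
  owner @{HOME}/.icedove/** rwk,
  owner @{HOME}/.cache/icedove/ rw,
  owner @{HOME}/.cache/icedove/** rwk,

  # Attachments may be saved to and opened from a single directory only.
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,

  # Everything not listed above is already denied by default; these
  # explicit, audited denials make the intent visible in the log if a
  # compromised client ever tries to reach key material.
  audit deny @{HOME}/.ssh/** mrwkl,
  audit deny @{HOME}/.gnupg/** mrwkl,
}
```

Install it as /etc/apparmor.d/usr.lib.icedove.icedove, load it with `apparmor_parser -r` on that file, and run it in complain mode first (`aa-complain` on the same path) while watching the kernel log for `apparmor="DENIED"` entries: every legitimate path the client needs but the sketch does not list shows up there and can be added before switching to enforce mode. Note that AppArmor gives `deny` rules precedence over `allow` rules, which is why the example denies only the two sensitive directories rather than the whole home directory.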
