Hi,

We're not using this mailing list often anymore, but I think that the Electrum situation is complex and impactful enough to deserve it.

Thanks a lot to s7r for giving me very useful information to understand what's going on in #16421! If you're on this list, please correct me if I'm saying anything wrong here. I learned about all this today :)

Summary of the situation
========================

Some weeks ago, some servers in the Electrum pool started to behave maliciously: they returned rogue error messages that were phishing attempts to instruct people to upgrade to a malware version of Electrum. See https://github.com/spesmilo/electrum/issues/4968

This was a phishing attack and not a vulnerability in Electrum itself.

s7r's analysis in #16421 was that Tails was not really affected by this attack, because upgrading to and running the malware version on Tails was more complicated than on other operating systems and too unusual for Tails users to do.

We didn't communicate about this to our users and they wrote a lot to our help desk.

As a first countermeasure, Electrum updated their software to prevent the display of the phishing message as rich text in version 3.3.2. But users were not updating fast enough to 3.3.2 and were still phished. So a few days ago, Electrum updated its *server* version to prevent older *client* versions (< 3.3.2) from connecting to them.

Right now in Tails we have 3.1.3, which displays the phishing attack when connecting to old servers (if there are any left) and is unable to connect to the updated servers that prevent the phishing attack.

On the Debian side, it seems like the maintainer (Tristan Seligmann <[email protected]>) is missing in action. He's said to come back in mid-February on https://github.com/spesmilo/electrum/issues/5083 but hasn't commented on either Debbug#912042 (which will get Electrum out of Buster) or Debbug#921688 (about the update itself).

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912042
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921688

The official way of running Electrum on Linux is using an AppImage: https://electrum.org/#download

s7r documented how to use it in Tails: https://blog.thestever.net/2019/02/26/upgrading-electrum-on-tails-to-3-3-4/

I tested it myself and it runs really fine. Seeing that, I could also understand why Electrum upstream is not super concerned about the state of the Debian package either.

What shall we do?
=================

Right now, the Electrum we distribute in Tails cannot connect to the Electrum servers. It's useless and we might as well get rid of it.

s7r suggested we distribute the AppImage in Tails in #16564. I think the Foundation Team should follow up on this idea there.

The Technical Writing team could document how to use the AppImage:

- I would write a much simplified version of s7r's tutorial, but the Electrum persistence feature would still work.
- People knowledgeable about OpenPGP could verify the AppImage with its OpenPGP signature.

This documentation could go on https://tails.boum.org/doc/anonymous_internet/electrum/ with a bunch of warnings.

If we decide not to ship the AppImage, we could also try to contact the Debian maintainer.

We could also decide to not even document how to use an AppImage and then basically tell people that Electrum doesn't work anymore on Tails, with no workaround.

In terms of priorities for the project, I'm personally really not thrilled at the idea of spending a lot of time dealing with this situation. But I also guess that Electrum users are a good share of our user base and removing Electrum might make us lose users. Bitcoin users are also traditionally good donors and removing Electrum might make us lose donations.

Related to that, it might also be worth it to clarify how much time help desk should spend helping Electrum users, whether or not we decide to make their lives easy again.

What shall we do?
-- 
sajolida
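The countermeasure the post attributes to Electrum 3.3.2, not rendering server-supplied error text as rich text, can be illustrated in Python. This is an added example, not Electrum's own code: it treats whatever the server sends as untrusted, escapes markup so it is shown literally, drops control characters and truncates to a fixed display length. The rogue message, the limit and the function names are constructed for illustration.

```python
import html
import re
import unicodedata

# Constructed stand-in for a rogue server error message of the kind the
# post describes: markup that a rich-text widget would render as a
# clickable "upgrade" link. Not a real captured message.
ROGUE_ERROR = (
    'Your client is outdated. <a href="https://example.invalid/electrum">'
    "Click here to upgrade</a>\n\n\x1b[31mUrgent!\x1b[0m"
)

MAX_DISPLAY_LEN = 200  # assumed display budget, not an Electrum constant


def sanitize_server_error(msg: str, limit: int = MAX_DISPLAY_LEN) -> str:
    """Return server-supplied text in a form safe to show in a rich-text widget.

    The server is untrusted: markup is escaped so it is displayed literally
    instead of interpreted, control characters (terminal escapes, NUL, ...)
    are dropped, whitespace runs are collapsed and the result is truncated.
    """
    if not isinstance(msg, str):
        msg = str(msg)
    # Drop control characters (Unicode category Cc) except plain whitespace.
    cleaned = "".join(
        ch for ch in msg if unicodedata.category(ch) != "Cc" or ch in " \t\n"
    )
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    if len(cleaned) > limit:
        cleaned = cleaned[:limit] + "..."
    # Escape <, >, &, and quotes so a rich-text renderer shows them as text.
    return html.escape(cleaned, quote=True)


def contains_markup(msg: str) -> bool:
    """True if the raw message carries anything a rich-text renderer would
    treat as a tag; a genuine protocol error never needs markup, so this is
    a cheap signal worth logging on the client side."""
    return re.search(r"<\s*/?\s*[a-zA-Z][^>]*>", msg) is not None
```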
