David A. Wheeler:

> I'm not a member of the Tails release group. However, this doesn't seem to be
> specific to Thunderbird or Tails. This is, in some sense, the inevitable result
> of being a distribution, that is, packaging software developed by many others
> who have their own schedule.

The problem is specific to Thunderbird in that the security updates for it are typically released by Mozilla on the same day as the updates for Firefox.

As Tails releases follow the Firefox update cycle, but Thunderbird is not updated at the same time, Thunderbird is almost always one release behind. I.e., there is no time when there are no publicly known vulnerabilities in the Tails version of Thunderbird.


> If it *is* vulnerable to expected use (e.g., merely receiving & reading an
> email would cause a takeover), I'd hope that the Tails team would do an emergency
> release.

To my knowledge, Tails has never had an emergency release related to Thunderbird, even when there have been vulnerabilities in Thunderbird which would have compromised the anonymity of the users.


> I can imagine them doing some other things to compensate:
> * making it easier to update from Debian directly
> * working with Debian to compile with more hardening flags, to make it harder
>   to attack
> * sandboxing Thunderbird

Agreed. I would hope that actions such as these would be taken and documented somewhere.



Cheers,

Topi


_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.
