> On Aug 31, 2025, at 6:22 AM, Topi Toosi via Tails-dev <tails-dev@boum.org> 
> wrote:
> 
> Hi,
> 
> I would like to raise a point about the security of the Thunderbird software 
> in Tails.
> 
> Due to the Tails release scheduling, the thunderbird package in Tails is 
> almost always one release behind the current version.

I'm not a member of the Tails release group. However, this doesn't seem to be 
specific to Thunderbird or Tails. This is, in some sense, the inevitable result 
of being a distribution, that is, packaging software developed by many others 
who have their own schedule.


> This means that Thunderbird in Tails almost always contains known security 
> vulnerabilities.
> 
> Granted - most of the time Thunderbird vulnerabilities "cannot be exploited 
> through email in the Thunderbird product because scripting is disabled when 
> reading mail, but are potentially risks in browser or browser-like contexts"  
> - as the Mozilla security advisories put it.
> 
> However this is not the case every month.

If it's not vulnerable for its intended & reasonably expected uses... it's not 
vulnerable for them.

If it *is* vulnerable to expected use (e.g., merely receiving & reading an 
email would cause a takeover), I'd hope that the Tails team would do an 
emergency release.

I can imagine them doing some other things to compensate:
* making it easier to update from Debian directly
* working with Debian to compile with more hardening flags, to make it harder 
to attack
* sandboxing Thunderbird

But making a distro & testing it takes time, and that's fundamental. No 
schedule would be good for everyone, I suspect.

--- David A. Wheeler