Feature #12639

Upgrade Thunderbird to 52.x

Added by intrigeri 2017-06-05 09:29:03. Updated 2017-09-28 18:48:50.

Status: Resolved
Priority: Elevated
Assignee:
Category:
Target version:
Start date: 2017-06-05
Due date:
% Done: 100%
Feature Branch: feature/12639-thunderbird-52
Type of work: Code
Blueprint:
Starter:
Affected tool: Email Client
Deliverable for:
Description

Tails 3.0 will ship Thunderbird 48.x. And icedove (1:52.1.1-1) just made it into the Debian NEW queue, woohoo! We should check if we have to upgrade to 52.x in Tails 3.1, or if this can wait until Tails 3.2, and draw plans accordingly. I’ll handle the initial assessment and will ask for help if needed.


Related issues

Related to Tails - Bug #13530: ISO builds are broken by weird enigmail situation Resolved 2017-07-29
Related to Tails - Bug #12680: Persistent Thunderbird blocks future 0000tails.js prefs changes Resolved 2017-06-10
Blocks Tails - Feature #13234: Core work 2017Q3: Foundations Team Resolved 2017-06-29

History

#1 Updated by intrigeri 2017-06-13 06:26:11

52.1.1-1 has no security fixes that 45.8.0 would lack, so let’s wait for a newer release.

#2 Updated by intrigeri 2017-06-15 06:06:45

52.2 is out, and here’s the MFSA: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/. It has a header that reads “In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.” which sounds good, except… in general. Looking closer, indeed most of these bugs seem impossible to exploit in our default Thunderbird configuration (raw-text body, no HTML). So I think we could reasonably stick to our current Thunderbird packages for Tails 3.1. Still, once 52.2 is available in Debian (and I bet it’ll make it into the Stretch security repo) we should give it a try: if the upgrade is simple, let’s be on the safe side and better protect even those of our users who need to read HTML email occasionally. So I’ll keep this ticket on my radar for a little bit longer.

#3 Updated by intrigeri 2017-06-19 11:03:46

  • Assignee changed from intrigeri to anonym
  • Target version changed from Tails_3.1 to Tails_3.2

intrigeri wrote:
> we should give it a try: if the upgrade is simple, let’s be on the safe side and better protect even those of our users who need to read HTML email occasionally. So I’ll keep this ticket on my radar for a little bit longer.

I’ve tried it, and spent 3 hours following (and fixing) the release process doc; sadly, the resulting branch FTBFS. I’ve pushed all my work to Git.

So the upgrade is not as simple as I would have hoped => postponing to 3.2.

#4 Updated by intrigeri 2017-06-19 11:04:18

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to feature/12639-thunderbird-52.2.0-1

#5 Updated by intrigeri 2017-06-29 10:33:02

#6 Updated by intrigeri 2017-07-26 19:19:48

icedove 1:52.2.1-4~deb9u1 entered NEW, which should make it easier to update our custom package.

#7 Updated by intrigeri 2017-07-29 07:03:30

  • related to Bug #13530: ISO builds are broken by weird enigmail situation added

#8 Updated by intrigeri 2017-07-29 07:04:23

When doing this we’ll need to ensure we thaw the enigmail version that Bug #13530 will add to our custom APT repo, and switch to the current version in stretch/updates (security repo).

#9 Updated by intrigeri 2017-09-02 10:44:13

  • Priority changed from Normal to Elevated

(Highlighting non-trivial tickets that have to be done in time for 3.2.)

#10 Updated by intrigeri 2017-09-07 08:31:35

  • related to Bug #12680: Persistent Thunderbird blocks future 0000tails.js prefs changes added

#11 Updated by intrigeri 2017-09-13 12:32:18

52.3.0-4~deb9u1 was uploaded to stretch/security two days ago.

#12 Updated by anonym 2017-09-13 16:15:58

  • Feature Branch changed from feature/12639-thunderbird-52.2.0-1 to feature/12639-thunderbird-52

#13 Updated by anonym 2017-09-14 15:30:43

  • Assignee changed from anonym to intrigeri
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA
  • The full thunderbird.feature passed on my system.
  • My manual testing also worked.

#14 Updated by intrigeri 2017-09-14 16:21:26

Added two fixes (commit:c485d4653685d0e1c393a035ae4de63359f8be23 and commit:2c7e4969f2c22d3897297895f8cc6ad106912724) on top. I admit I didn’t test these changes but oh well: one typo in a comment and indentation fixes. Other than that, code review passes.

Congrats (again) for automating the Enigmail version update!

Wrt. the release process update:

  • Good that you’ve improved it! Looks like the work I did on this documentation in June raised your expectations up to the “I should be able to follow this doc and things should just work” level, which is exactly how it should be :)
  • I’d rather see the full Debian package version (including epoch) used in $VERSION instead of assuming the epoch will be “1” forever and hardcoding it everywhere else (that’s not a regression brought by your branch, I just noticed it in the diff).
  • "thunderbird Debian release 1:${TAILS_VERSION:?}" seems wrong: we’re releasing this to Tails, not to Debian.

I don’t get this change (if --follow-tags is not enough, then likely the tag doesn’t point to the right place, so perhaps we’d better not push it):

-        git push --follow-tags origin tails/stretch && \
+        git push --follow-tags origin ${NEW_GBP_TAG:?} tails/stretch && \
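Review bot: the added line passes ${NEW_GBP_TAG:?} as an explicit refspec while keeping --follow-tags, which already pushes annotated tags that are reachable from the commits pushed for tails/stretch. If the explicit ref is really needed, the tag is either lightweight or does not sit on the branch being pushed, and the doc should say which case it covers so that a misplaced tag is not published silently. The expansion is also unquoted; writing it as "${NEW_GBP_TAG:?}" keeps the fail-if-unset behaviour and avoids word splitting.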

None of this is a blocker, of course.

I’ll now test manually and will hopefully merge by 7pm CEST.

#15 Updated by intrigeri 2017-09-14 17:12:36

Tested using a profile that was previously configured on an older Tails, works fine. Deleted profile.default, and then the account setup wizard triggers and works as expected. I can read email over IMAP and send email. I tested Enigmail a bit since we got a new version: I could create a keypair, send encrypted email and read encrypted email. Going to merge!

Clicking a HTTPS URL doesn’t immediately open Tor Browser: instead I see a dialog that allows me to choose an application; thankfully Tor Browser is the default and works fine. I see the same behaviour on 3.1, but perhaps it should be treated as a bug? Please file a ticket if that’s not done on purpose or already tracked elsewhere. Certainly not an emergency (don’t even bother assigning it to anyone) but still.

#16 Updated by intrigeri 2017-09-14 17:18:01

  • Status changed from In Progress to Fix committed
  • % Done changed from 50 to 100

Applied in changeset commit:bd566e8858f783439f5fdcb055c56d0f61b69a31.

#17 Updated by intrigeri 2017-09-14 17:18:38

  • Assignee deleted (intrigeri)
  • QA Check changed from Ready for QA to Pass

#18 Updated by anonym 2017-09-28 18:48:50

  • Status changed from Fix committed to Resolved