Feature #12639

Upgrade Thunderbird to 52.x

Added by intrigeri 2017-06-05 09:29:03 . Updated 2017-09-28 18:48:50 .

Target version:
Start date:
Due date:
% Done:


Feature Branch:
Type of work:

Affected tool:
Email Client
Deliverable for:


Tails 3.0 will ship Thunderbird 48.x. And icedove (1:52.1.1-1) just made it into the Debian NEW queue, woohoo! We should check if we have to upgrade to 52.x in Tails 3.1, or if this can wait until Tails 3.2, and draw plans accordingly. I’ll handle the initial assessment and will ask for help if needed.


Related issues

Related to Tails - Bug #13530: ISO builds are broken by weird enigmail situation Resolved 2017-07-29
Related to Tails - Bug #12680: Persistent Thunderbird blocks future 0000tails.js prefs changes Resolved 2017-06-10
Blocks Tails - Feature #13234: Core work 2017Q3: Foundations Team Resolved 2017-06-29


#1 Updated by intrigeri 2017-06-13 06:26:11

52.1.1-1 has no security fixed that 45.8.0 would lack, so let’s wait for a newer release.

#2 Updated by intrigeri 2017-06-15 06:06:45

52.2 is out, and here’s the MFSA: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/. It has a header that reads “In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.” which sounds good, except… i n general. Looking closer, indeed most of these bugs seem impossible to exploit in our default Thunderbird configuration (raw-text body, no HTML). So I think we could reasonably stick to our current Thunderbird packages for Tails 3.1. Still, once 52.2 is available in Debian (and I bet it’ll make it into the Stretch security repo) we should give it a try: if the upgrade is simple, let’s be on the safe side and better protect even those of our users who need to read HTML email occasionally. So I’ll keep this ticket on my radar for a little bit longer.

#3 Updated by intrigeri 2017-06-19 11:03:46

  • Assignee changed from intrigeri to anonym
  • Target version changed from Tails_3.1 to Tails_3.2

intrigeri wrote:
> we should give it a try: if the upgrade is simple, let’s be on the safe side and better protect even those of our users who need to read HTML email occasionally. So I’ll keep this ticket on my radar for a little bit longer.

I’ve tried it, and spent 3 hours following (and fixing) the release process doc; sadly, the resulting branch FTBFS. I’ve pushed all my work to Git.

So the upgrade is not as simple as I would have hoped => postponing to 3.2.

#4 Updated by intrigeri 2017-06-19 11:04:18

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to feature/12639-thunderbird-52.2.0-1

#5 Updated by intrigeri 2017-06-29 10:33:02

#6 Updated by intrigeri 2017-07-26 19:19:48

icedove 1:52.2.1-4~deb9u1 entered NEW, which should make it easier to update our custom package.

#7 Updated by intrigeri 2017-07-29 07:03:30

  • related to Bug #13530: ISO builds are broken by weird enigmail situation added

#8 Updated by intrigeri 2017-07-29 07:04:23

When doing this we’ll need to ensure we thaw the enigmail version that Bug #13530 will add to our custom APT repo, and switch to the current version in stretch/updates (security repo).

#9 Updated by intrigeri 2017-09-02 10:44:13

  • Priority changed from Normal to Elevated

(Highlighting non-trivial tickets that have to be done in time for 3.2.)

#10 Updated by intrigeri 2017-09-07 08:31:35

  • related to Bug #12680: Persistent Thunderbird blocks future 0000tails.js prefs changes added

#11 Updated by intrigeri 2017-09-13 12:32:18

52.3.0-4~deb9u1 was uploaded to stretch/security two days ago.

#12 Updated by anonym 2017-09-13 16:15:58

  • Feature Branch changed from feature/12639-thunderbird-52.2.0-1 to feature/12639-thunderbird-52

#13 Updated by anonym 2017-09-14 15:30:43

  • Assignee changed from anonym to intrigeri
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA
  • The full thunderbird.feature passed on my system.
  • My manual testing also worked.

#14 Updated by intrigeri 2017-09-14 16:21:26

Added two fixes (commit:c485d4653685d0e1c393a035ae4de63359f8be23 and commit:2c7e4969f2c22d3897297895f8cc6ad106912724) on top. I admit I didn’t test these changes but oh well: one typo in a comment and indentation fixes. Other than that, code review passes.

Congrats (again) for automating the Enigmail version update!

Wrt. the release process update:

  • Good that you’ve improved it! Looks like the work I did on this documentation in June raised your expectations up to the “I should be able to follow this doc and things should just work” level, which is exactly how it should be :)
  • I’d rather see the full Debian package version (including epoch) used in $VERSION instead of assuming the epoch will be “1” forever and hardcoding it everywhere else (that’s not a regression brought by your branch, I just noticed it in the diff).
  • "thunderbird Debian release 1:${TAILS_VERSION:?}" seems wrong: we’re releasing this to Tails, not to Debian.

I don’t get this change (if --follow-tags is not enough, then likely the tag doesn’t point to the right place, so perhaps we’d better not push it):

-        git push --follow-tags origin tails/stretch && \
+        git push --follow-tags origin ${NEW_GBP_TAG:?} tails/stretch && \

None of this is a blocker, of course.

I’ll now test manually and will hopefully merge by 7pm CEST.

#15 Updated by intrigeri 2017-09-14 17:12:36

Tested using a profile that was previously configured on an older Tails, works fine. Deleted profile.default, and then the account setup wizard triggers and works as expected. I can read email over IMAP and send email. I tested Enigmail a bit since we got a new version: I could create a keypair, send encrypted email and read encrypted email. Going to merge!

Clicking a HTTPS URL doesn’t immediately open Tor Browser: instead I see a dialog that allows me to choose an application; thankfully Tor Browser is the default and works fine. I see the same behaviour on 3.1, but perhaps it should be treated as a bug? Please file a ticket if that’s not done on purpose or already tracked elsewhere. Certainly not an emergency (don’t even bother assigning it to anyone) but still.

#16 Updated by intrigeri 2017-09-14 17:18:01

  • Status changed from In Progress to Fix committed
  • % Done changed from 50 to 100

Applied in changeset commit:bd566e8858f783439f5fdcb055c56d0f61b69a31.

#17 Updated by intrigeri 2017-09-14 17:18:38

  • Assignee deleted (intrigeri)
  • QA Check changed from Ready for QA to Pass

#18 Updated by anonym 2017-09-28 18:48:50

  • Status changed from Fix committed to Resolved