Feature #15657
Check which version of Enigmail we should ship
100%
Description
For Bug #15602 we’re going to import Enigmail from sid into our custom APT repo (our freeze exception process). For 3.9 and later we should check whether we can install that package from stretch-security, or from sid, or update it in our custom APT repo, or something.
Subtasks
Related issues
Related to Tails - |
Resolved | 2018-05-14 | |
Related to Tails - |
Resolved | 2018-12-03 | |
Related to Tails - |
Resolved | 2018-11-12 | |
Blocks Tails - |
Resolved | 2018-04-08 |
History
#1 Updated by intrigeri 2018-06-15 06:51:34
- related to Bug #15602: Fix EFAIL added
#2 Updated by intrigeri 2018-06-15 06:51:43
- blocks Feature #15334: Core work 2018Q3: Foundations Team added
#3 Updated by intrigeri 2018-08-04 01:06:31
- Target version changed from Tails_3.9 to Tails_3.10.1
We currently have 2.0.7-2 on our devel branch. The only user-visible changes up to, and including, 2.0.7+ds1-1, are:
- “avoid using and shipping OpenPGP.js”: if we take it, it’ll require very careful testing
- “update dependency on GnuPG to account for important bugfixes needed to replace OpenPGP.js” i.e. Depends: gnupg (>= 2.2.8-2~), which is not available for Stretch
I see no immediate benefit in upgrading in Tails 3.9 and it requires backporting a newer gnupg, which is not exactly tempting. So let’s stick to 2.0.7-2 for Tails 3.9 and come back to it later. It would be sweet if we could simply do that all the way during the Tails 3.x series, and upgrade only in Tails 4.0. But I think enigmail will need to be upgraded in Debian stable for compatibility with Thunderbird 60 so we’ll see.
#4 Updated by intrigeri 2018-08-04 01:06:49
- blocks Feature #15506: Core work 2018Q4: Foundations Team added
#5 Updated by intrigeri 2018-08-04 01:06:53
- blocked by deleted (Feature #15334: Core work 2018Q3: Foundations Team)
#6 Updated by intrigeri 2018-09-19 12:14:26
- Target version changed from Tails_3.10.1 to Tails_3.12
Given:
- 2:2.0.7+ds1-1 to 2.0.8-1 introduce a regression in Autocrypt: https://bugs.debian.org/908510
- Recent Enigmail packages (that don’t include OpenPGP.js) depend on a newer GnuPG, that’s in stretch-backports: https://bugs.debian.org/909000
I don’t think we should do the upgrade in a bugfix release => postponing to next major version.
#7 Updated by intrigeri 2018-09-19 12:14:37
- blocked by deleted (Feature #15506: Core work 2018Q4: Foundations Team)
#8 Updated by intrigeri 2018-09-19 12:14:57
- blocks Feature #15507: Core work 2019Q1: Foundations Team added
#9 Updated by intrigeri 2018-11-07 15:36:41
- related to Feature #15923: Autocrypt forces unencrypted messages added
#10 Updated by intrigeri 2018-11-07 15:39:05
intrigeri wrote:
> * Recent Enigmail packages (that don’t include OpenPGP.js) depend on a newer GnuPG, that’s in stretch-backports
The required GnuPG changes made it into stable-pu (https://bugs.debian.org/910398) and will be in the next Stretch point-release, which our devel branch will pick up and that we’ll have in Tails 3.12. So let’s deal with all the Enigmail/Autocrypt/GnuPG stuff together once the Stretch point release is out.
#11 Updated by intrigeri 2018-11-12 12:45:21
- related to Bug #16120: devel branch FTBFS since Enigmail 2:2.0.8-5~deb9u1 reached Stretch added
#12 Updated by intrigeri 2018-12-03 15:47:35
- Assignee deleted (intrigeri)
#13 Updated by hefee 2018-12-03 15:57:25
- Assignee set to hefee
#14 Updated by hefee 2018-12-13 17:59:39
- Assignee changed from hefee to intrigeri
- Estimated time set to 2 h
- QA Check set to Info Needed
- Where is this version 2:2.0.7+ds1-1 coming from?
- Is Tails currently having a modified version of enigmail installed? If yes where are the sources for it?
- How can I test a new enigmail version in an iso?
Debian has now shipped 2:2.0.8-5~deb9u1 in stretch and bts is not mentioning any new issues. So it sounds like a valid candidate to use.
checking enigmail itself:
- 2.0.8:
  - 891 Move Enigmail Header above Reply/Forward/… Buttons important to not spoof valid encrypted mails
  - 893 Efail: don’t block decryption of mixed content entirely
  - 863 Valid Signature not shown green
- 2.0.9:
  - 933 Autocrypt overrules manually created Per-Recipient Rules (our raised issue from Feature #15923)
plus the enigmail bugtracker doesn’t have open issues that make me step back.
#15 Updated by intrigeri 2018-12-17 15:55:13
- Assignee changed from intrigeri to hefee
- QA Check changed from Info Needed to Dev Needed
> * Where is this version 2:2.0.7+ds1-1 coming from?
https://tracker.debian.org/news/972292/accepted-enigmail-2207ds1-1-source-into-unstable/
> * Is Tails currently having a modified version of enigmail installed? If yes where are the sources for it?
We’ve shipped 2:2.0.7-2 in Tails 3.11. It comes from our custom APT repository.
> * how can I test a new enigmail version in an iso?
Either build a new ISO that pulls the version you want (how to do so exactly fully depends on which version you want), or install the new package in a running Tails. But perhaps that’s not what you were asking?
#16 Updated by hefee 2018-12-17 20:11:36
> > * Where is this version 2:2.0.7+ds1-1 coming from?
> https://tracker.debian.org/news/972292/accepted-enigmail-2207ds1-1-source-into-unstable/
Ah, I missed that version.
> > * Is Tails currently having a modified version of enigmail installed? If yes where are the sources for it?
>
> We’ve shipped 2:2.0.7-2 in Tails 3.11. It comes from our custom APT repository.
But if I use dget https://deb.tails.boum.org/pool/main/e/enigmail/enigmail_2.0.7-2.dsc and check debian/changelog, there is no change mentioned, so I assume that there is no Tails-specific patch on top. Okay, that makes it easier, as I have nothing to keep in mind while testing.
>
> > * how can I test a new enigmail version in an iso?
>
> Either build a new ISO that pulls the version you want (how to do so exactly fully depends on which version you want), or install the new package in a running Tails. But perhaps that’s not what you were asking?
#17 Updated by intrigeri 2018-12-19 08:03:04
> But if I use dget https://deb.tails.boum.org/pool/main/e/enigmail/enigmail_2.0.7-2.dsc and check debian/changelog, there is no change mentioned, so I assume that there is no Tails-specific patch on top.
Exactly. We don’t hijack/reuse existing Debian package version numbers to ship different code, that would be very confusing. We always append something like .0tails1 when we patch a package.
#18 Updated by hefee 2018-12-19 12:58:47
intrigeri wrote:
> > But if I use dget https://deb.tails.boum.org/pool/main/e/enigmail/enigmail_2.0.7-2.dsc and check debian/changelog, there is no change mentioned, so I assume that there is no Tails-specific patch on top.
>
> Exactly. We don’t hijack/reuse existing Debian package version numbers to ship different code, that would be very confusing. We always append something like .0tails1 when we patch a package.
Yeah, makes sense :D It was just unclear for me as you said “stick to our package”, in my ears it sounded like an own modified package. But you meant only rebuild for Tails.
Then I can start with a simple test installing the new packages on a live Tails from Debian.
#19 Updated by Anonymous 2019-01-14 09:39:46
- Status changed from Confirmed to In Progress
Applied in changeset commit:tails|83b10d142f943e1be2e383ab140154f3c5f28334.
#20 Updated by hefee 2019-01-14 09:45:17
- QA Check deleted (Dev Needed)
- Feature Branch set to hefee/bugfix/16186-disable-autocrypt+force-all-tests
#21 Updated by hefee 2019-01-14 10:44:52
- QA Check set to Ready for QA
Tests done on vm by hand:
- register a new account
- write an encrypted mail and read an encrypted one
- used key management to download one key
- made sure, that Autocrypt is disabled by default
I bundled Feature #15661, Feature #16299, Feature #15657 and Feature #16222, as a new Enigmail version and a new torbirdy version made sense to test together.
#22 Updated by intrigeri 2019-01-14 10:54:59
- Assignee changed from hefee to intrigeri
#23 Updated by intrigeri 2019-01-14 11:30:04
- Assignee changed from intrigeri to hefee
- QA Check changed from Ready for QA to Dev Needed
I understand we now want the version that’s in Stretch, currently: 2:2.0.8-5~deb9u1.
Wrt. commit:83b10d142f943e1be2e383ab140154f3c5f28334, it’s currently a no-op so you can as well revert it to avoid confusion and to avoid having to fix the next issues, which I’ll document anyway as a way to share information:
- Unless I’m mistaken, this will install the version in Stretch even if there’s a newer version in the Stretch security repo, which would be bad. That’s why, when we need to ensure the version we have in our custom APT repo is not installed, we pin that one to -1 (see e.g. how we deal with gdk-pixbuf) and let our general settings apply. In this case, this approach would also better convey the fact that enigmail shall be handled as part of the general case, not as a corner case.
- We try to order this file with exceptions first and general settings last. I see this was not respected for electrum but let’s not make it worse :)
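Added example (not part of the ticket and not Tails' own configuration): a simplified Python model of APT candidate selection, following apt_preferences(5), that contrasts the two pinning approaches discussed in comment #23. The source names, the priority numbers and the stretch-security version are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Version:
    version: str
    source: str   # stands in for the release/origin an APT pin matches on
    order: int    # stands in for dpkg's version ordering (higher = newer)

@dataclass(frozen=True)
class Pin:
    package: str  # a package name (specific form) or "*" (general form)
    source: str
    priority: int

def priority(pkg, ver, pins):
    """Specific-form pins take precedence over general-form ones."""
    specific = [p for p in pins if p.package == pkg and p.source == ver.source]
    general = [p for p in pins if p.package == "*" and p.source == ver.source]
    match = specific or general
    return match[0].priority if match else 500  # APT's default priority

def candidate(pkg, versions, pins):
    """Highest priority wins, ties go to the newest version; a negative
    priority means the version is never installed."""
    ok = [v for v in versions if priority(pkg, v, pins) >= 0]
    best = max(ok, key=lambda v: (priority(pkg, v, pins), v.order), default=None)
    return best.version if best else None

# Constructed data: priorities and source names are hypothetical, and the
# stretch-security version is invented to model a future security update.
AVAILABLE = [
    Version("2:2.0.7-2", "custom-repo", 1),
    Version("2:2.0.8-5~deb9u1", "stretch", 2),
    Version("2:2.0.8-5~deb9u2", "stretch-security", 3),
]
GENERAL = [Pin("*", "custom-repo", 990), Pin("*", "stretch", 500),
           Pin("*", "stretch-security", 500)]

# Exception that pins enigmail to Stretch: the security update is ignored.
PIN_TO_STRETCH = [Pin("enigmail", "stretch", 999)] + GENERAL
# Exception that only excludes the custom repo's copy: general settings decide.
EXCLUDE_CUSTOM = [Pin("enigmail", "custom-repo", -1)] + GENERAL

if __name__ == "__main__":
    print(candidate("enigmail", AVAILABLE, PIN_TO_STRETCH))
    print(candidate("enigmail", AVAILABLE, EXCLUDE_CUSTOM))
```

On a real system, `apt-cache policy enigmail` shows the priority APT assigned to each available version and which one it selected as the candidate.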
#24 Updated by hefee 2019-01-14 12:31:17
- Assignee changed from hefee to intrigeri
- QA Check changed from Dev Needed to Ready for QA
updated branch. Please review again.
#25 Updated by intrigeri 2019-01-14 14:55:29
- Assignee changed from intrigeri to hefee
- QA Check changed from Ready for QA to Dev Needed
It seems that thunderbird_profile_is_new() does not work anymore: there’s now an extensions.json but no extensions.ini. I guess a Thunderbird upgrade changed this. As a result, extensions.enigmail.configuredVersion is set to the current version (2.0.8), which skips any upgrade code Enigmail might ship. I know this is not directly related to this branch but I’d rather spend time on testing stuff in this area once only. Can you please fix this on your branch so my testing is not invalidated by this change? Thanks in advance!
#26 Updated by hefee 2019-01-14 17:44:36
- Assignee changed from hefee to intrigeri
- QA Check changed from Dev Needed to Ready for QA
intrigeri wrote:
> It seems that thunderbird_profile_is_new() does not work anymore: there’s now an extensions.json but no extensions.ini. I guess a Thunderbird upgrade changed this. As a result, extensions.enigmail.configuredVersion is set to the current version (2.0.8), which skips any upgrade code Enigmail might ship. I know this is not directly related to this branch but I’d rather spend time on testing stuff in this area once only. Can you please fix this on your branch so my testing is not invalidated by this change? Thanks in advance!
Fixed.
#27 Updated by intrigeri 2019-01-14 19:53:58
- % Done changed from 0 to 100
- QA Check changed from Ready for QA to Pass
Tested, confirmed!
#28 Updated by intrigeri 2019-01-14 19:56:17
- Status changed from In Progress to Fix committed
Applied in changeset commit:tails|c293b92386617399021f7ddfbf745ac9307c99e9.
#29 Updated by intrigeri 2019-01-14 19:57:03
- Assignee deleted (intrigeri)
#30 Updated by anonym 2019-01-30 11:48:50
- Status changed from Fix committed to Resolved