Tails

#1 Updated by intrigeri 2018-06-15 06:51:34

• related to Bug #15602: Fix EFAIL added

#2 Updated by intrigeri 2018-06-15 06:51:43

• blocks Feature #15334: Core work 2018Q3: Foundations Team added

#3 Updated by intrigeri 2018-08-04 01:06:31

• Target version changed from Tails_3.9 to Tails_3.10.1

We currently have 2.0.7-2 on our devel branch. The only user-visible changes up to, and including, 2.0.7+ds1-1, are:

• “avoid using and shipping OpenPGP.js”: if we take it, it’ll require very careful testing
• “update dependency on GnuPG to account for important bugfixes needed to replace OpenPGP.js” i.e. Depends: gnupg (>= 2.2.8-2~), which is not available for Stretch

I see no immediate benefit in upgrading in Tails 3.9 and it requires backporting a newer gnupg, which is not exactly tempting. So let’s stick to 2.0.7-2 for Tails 3.9 and come back to it later. It would be sweet if we could simply do that all the way during the Tails 3.x series, and upgrade only in Tails 4.0. But I think enigmail will need to be upgraded in Debian stable for compatibility with Thunderbird 60 so we’ll see.

#4 Updated by intrigeri 2018-08-04 01:06:49

• blocks Feature #15506: Core work 2018Q4: Foundations Team added

#5 Updated by intrigeri 2018-08-04 01:06:53

• blocked by deleted (Feature #15334: Core work 2018Q3: Foundations Team)

#6 Updated by intrigeri 2018-09-19 12:14:26

• Target version changed from Tails_3.10.1 to Tails_3.12

Given:

• 2:2.0.7+ds1-1 to 2.0.8-1 introduce a regression in Autocrypt: https://bugs.debian.org/908510
• Recent Enigmail packages (that don’t include OpenPGP.js) depend on a newer GnuPG, that’s in stretch-backports: https://bugs.debian.org/909000

I don’t think we should do the upgrade in a bugfix release => postponing to next major version.

#7 Updated by intrigeri 2018-09-19 12:14:37

• blocked by deleted (Feature #15506: Core work 2018Q4: Foundations Team)

#8 Updated by intrigeri 2018-09-19 12:14:57

• blocks Feature #15507: Core work 2019Q1: Foundations Team added

#9 Updated by intrigeri 2018-11-07 15:36:41

• related to Feature #15923: Autocrypt forces unencrypted messages added

#11 Updated by intrigeri 2018-11-12 12:45:21

• related to Bug #16120: devel branch FTBFS since Enigmail 2:2.0.8-5~deb9u1 reached Stretch added

#12 Updated by intrigeri 2018-12-03 15:47:35

• Assignee deleted (intrigeri)

#13 Updated by hefee 2018-12-03 15:57:25

• Assignee set to hefee

#14 Updated by hefee 2018-12-13 17:59:39

• Assignee changed from hefee to intrigeri
• Estimated time set to 2 h
• QA Check set to Info Needed

• Where is this version 2:2.0.7+ds1-1 coming from?
• Is Tails currently having a modified version of enigmail installed? If yes where are the sources for it?
• how do I can test a new enigmail version in an iso?

Debian has now shipped 2:2.0.8-5~deb9u1 in stretch and bts is not mentioning any new issues. So it sounds like a valid candidate to use.

checking enigmail itself:
- 2.0.8:

• 891 Move Enigmail Header above Reply/Forward/… Buttons important to not spoof valid encrypted mails
• 893 Efail: don’t block decryption of mixed content entirely
• 863 Valid Signature not shown green

- 2.0.9:

• 933 Autocrypt overrules manually created Per-Recipient Rules (our raised issue from Feature #15923)

plus enigmail bugtracker don’t have open issues, that makes me step back.

#15 Updated by intrigeri 2018-12-17 15:55:13

• Assignee changed from intrigeri to hefee
• QA Check changed from Info Needed to Dev Needed

> * Where is this version 2:2.0.7+ds1-1 coming from?

https://tracker.debian.org/news/972292/accepted-enigmail-2207ds1-1-source-into-unstable/

> * Is Tails currently having a modified version of enigmail installed? If yes where are the sources for it?

We’ve shipped 2:2.0.7-2 in Tails 3.11. It comes from our custom APT repository.

> * how do I can test a new enigmail version in an iso?

Either build a new ISO that pulls the version you want (how to do so exactly fully depends on which version you want), or install the new package in a running Tails. But perhaps that’s not what you were asking?

#19 Updated by Anonymous 2019-01-14 09:39:46

• Status changed from Confirmed to In Progress

Applied in changeset commit:tails|83b10d142f943e1be2e383ab140154f3c5f28334.

#20 Updated by hefee 2019-01-14 09:45:17

• QA Check deleted (Dev Needed)
• Feature Branch set to hefee/bugfix/16186-disable-autocrypt+force-all-tests

#21 Updated by hefee 2019-01-14 10:44:52

• QA Check set to Ready for QA

Tests done on vm by hand:

• register a new account
• write an encrypted mail and read an encrypted one
• used key management to download one key
• made sure, that Autocrypt is disabled by default

I bundled Feature #15661, Feature #16299, Feature #15657 and Feature #16222, as a new Enigmail version and a new torbirdy version made sense to test together.

#22 Updated by intrigeri 2019-01-14 10:54:59

• Assignee changed from hefee to intrigeri

#23 Updated by intrigeri 2019-01-14 11:30:04

• Assignee changed from intrigeri to hefee
• QA Check changed from Ready for QA to Dev Needed

I understand we now want the version that’s in Stretch, currently: 2:2.0.8-5~deb9u1.

Wrt. commit:83b10d142f943e1be2e383ab140154f3c5f28334, it’s currently a no-op so you can as well revert it to avoid confusion and to avoid having to fix the next issues, which I’ll document anyway as a way to share information:

• Unless I’m mistaken, this will install the version in Stretch even if there’s a newer version in the Stretch security repo, which would be bad. That’s why, when we need to ensure the version we have in our custom APT repo is not installed, we pin that one to –1 (see e.g. how we deal with gdk-pixbuf) and let our general settings apply. In this case, this approach would also better convey the fact that enigmail shall be handled as part of the general case, not as a corner case.
• We try to order this file with exceptions first and general settings last. I see this was not respected for electrum but let’s not make it worse :)

#24 Updated by hefee 2019-01-14 12:31:17

• Assignee changed from hefee to intrigeri
• QA Check changed from Dev Needed to Ready for QA

updated branch. Please review again.

#25 Updated by intrigeri 2019-01-14 14:55:29

• Assignee changed from intrigeri to hefee
• QA Check changed from Ready for QA to Dev Needed

It seems that thunderbird_profile_is_new() does not work anymore: there’s now a extensions.json but no extensions.ini. I guess a Thunderbird upgrade changed this. As a result, extensions.enigmail.configuredVersion is set to the current version (2.0.8), which skips any upgrade code Enigmail might ship. I know this is not directly related to this branch but I’d rather spend time on testing stuff in this area once only. Can you please fix this on your branch so my testing is not invalidated by this change? Thanks in advance!

#26 Updated by hefee 2019-01-14 17:44:36

• Assignee changed from hefee to intrigeri
• QA Check changed from Dev Needed to Ready for QA

intrigeri wrote:
> It seems that thunderbird_profile_is_new() does not work anymore: there’s now a extensions.json but no extensions.ini. I guess a Thunderbird upgrade changed this. As a result, extensions.enigmail.configuredVersion is set to the current version (2.0.8), which skips any upgrade code Enigmail might ship. I know this is not directly related to this branch but I’d rather spend time on testing stuff in this area once only. Can you please fix this on your branch so my testing is not invalidated by this change? Thanks in advance!

Fixed.

#27 Updated by intrigeri 2019-01-14 19:53:58

• % Done changed from 0 to 100
• QA Check changed from Ready for QA to Pass

Tested, confirmed!

#28 Updated by intrigeri 2019-01-14 19:56:17

• Status changed from In Progress to Fix committed

Applied in changeset commit:tails|c293b92386617399021f7ddfbf745ac9307c99e9.

#29 Updated by intrigeri 2019-01-14 19:57:03

• Assignee deleted (intrigeri)

#30 Updated by anonym 2019-01-30 11:48:50

• Status changed from Fix committed to Resolved