Bug #16037

Upgrade Thunderbird to 1:60.2.1-1

Added by intrigeri 2018-10-10 10:45:03 . Updated 2018-10-24 11:18:30 .

Status:
Resolved
Priority:
Elevated
Assignee:
Category:
Target version:
Start date:
2018-10-10
Due date:
% Done:

100%

Feature Branch:
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Email Client
Deliverable for:

Description


Subtasks


Related issues

Blocks Tails - Feature #15506: Core work 2018Q4: Foundations Team Resolved 2018-04-08

History

#1 Updated by intrigeri 2018-10-10 10:45:11

#2 Updated by intrigeri 2018-10-10 15:40:05

  • Assignee set to CyrilBrulebois

Can you take this one? (Sorry I did not take notes at the FT meeting of who said they could take a little bit more work. I think in the future I’ll introduce the idea of note-taking at these meetings, limited to such critical info.)

#3 Updated by intrigeri 2018-10-20 11:02:14

Ping? I think you’ve got plenty of other work to do, so unless you tell me today that you want to handle this one and can put it in mergeable state by the end of the week, I’ll take it over tomorrow or Monday early morning.

#4 Updated by CyrilBrulebois 2018-10-20 18:06:32

I’m working on this update, sorry for not letting you know sooner.

#5 Updated by intrigeri 2018-10-20 20:07:41

> I’m working on this update,

Excellent!

> sorry for not letting you know sooner.

That’s fine :)

#6 Updated by CyrilBrulebois 2018-10-20 20:42:06

This is a copy of what I sent to Carsten a moment ago:

> Looking at 60.2.1 for Tails, I’m wondering what your plans for
> stretch(-security) are. The whole l10n re-architecturing seems a little
> out of scope for an update to stable (even for one of those Mozilla
> products, which are close to be given carte blanche).
>
> I’ve prepared a debian/backportable-sid (for the lack of a better name)
> in my repository, reverting “unwanted” commits on top of the debian/sid
> branch, and updated the debian/stretch branch by merging it in there.
>
> I haven’t test-built it yet, but I wanted to share this with you right
> away:
> https://salsa.debian.org/kibi/thunderbird/tree/debian/backportable-sid
> https://salsa.debian.org/kibi/thunderbird/tree/debian/stretch
>
> I’ll keep you posted with the build results; my Tails team mates will
> likely monitor my progress on our ticket:
> https://labs.riseup.net/code/issues/16037
>
> Feedback welcome, as always!

Once I’m done test-building this branch, I’ll move to merging it into our Tails branch (reverting bits added from anonym, backporting fixes) and checking what happens in a Tails environment.

#7 Updated by CyrilBrulebois 2018-10-20 23:58:40

It seems I was wrong in assuming I would have to revert those patches: they still apply with 60.2.1.

Looking at the upstream bug report, it seems Thunderbird is considered as non-affected?

Mozilla#1493900 doesn’t even list thunderbird at all.

Mozilla#1493903 seems to have had thunderbird listed but after some on and off, it seems to be considered as not affected? At least that’s how I understand comment #20 there.

Also, both https://security-tracker.debian.org/tracker/CVE-2018-12386 & https://security-tracker.debian.org/tracker/CVE-2018-12387 mention the firefox and firefox-esr packages only.

Should we keep our patches just in case? Do we have any contacts on the Thunderbird side to get a definitive opinion on the appropriateness of those fixes?

#8 Updated by CyrilBrulebois 2018-10-21 00:03:14

intrigeri: I’ve reached the 2-hour mark on this topic BTW (1h to figure out sid→stretch, 0.25h for the (proposed) debian/stretch → tails/stretch merge, 0.75h for the initial research on the security bugs); so warning you as agreed.

#9 Updated by intrigeri 2018-10-21 06:30:25

> intrigeri: I’ve reached the 2-hour mark on this topic […]; so warning you as agreed.

Keep going :)

#10 Updated by intrigeri 2018-10-22 09:50:42

  • Status changed from Confirmed to In Progress
  • Assignee changed from CyrilBrulebois to intrigeri
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA

#11 Updated by intrigeri 2018-10-22 16:14:58

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

#12 Updated by intrigeri 2018-10-23 10:52:21

  • Status changed from Fix committed to In Progress

Applied in changeset commit:dc27c9c26770df8b68607586f6f655e992d3ab33.

#13 Updated by intrigeri 2018-10-23 10:52:21

  • Status changed from In Progress to Fix committed

Applied in changeset commit:ac063e748fae31ab9bb66ad3dd1a703ff9a749dc.

#14 Updated by CyrilBrulebois 2018-10-24 11:18:30

  • Status changed from Fix committed to Resolved