Tails

#2 Updated by intrigeri 2019-06-01 05:36:46

Exact timing is unclear at the moment but upstream is working on getting v68 ready. I’ll set target version once I understand the expected timeline better.

#4 Updated by intrigeri 2019-06-01 05:42:39

When we do this upgrade, we should probably:

• ship Thunderbird straight from Debian (i.e. stop building+uploading our own package)
• apply our remaining account wizard patch (OAuth2) to the relevant files in omni.ja via a config/chroot_local-hooks/
• update our doc under contribute/ accordingly

This would address most of what’s left of the problem (having to build+upload our own Thunderbird packages regularly) that made us put Feature #6156 on the roadmap this year. I’m saying “most” because until Feature #6156 is done and that OAuth2-related patch is upstreamed, maintaining this delta may have a non-negligible cost.

#5 Updated by intrigeri 2019-06-02 08:43:13

The beta is scheduled for early June. Draft release notes: https://www-stage.thunderbird.net/en-US/thunderbird/68.0beta/releasenotes/.

#7 Updated by intrigeri 2019-08-28 07:13:21

intrigeri wrote:
> When we do this upgrade, we should probably:

FTR, I’ve done this already and this change made it into Tails 3.15.

#13 Updated by segfault 2019-09-22 10:25:07

There is currently no Torbirdy version compatible with Thunderbird 68. I couldn’t find any information about a plan to support Thunderbird 68.

There is an Enigmail version compatible with Thunderbird 68, but it’s currently not in Debian.

#14 Updated by segfault 2019-09-23 15:40:34

Copying extensions to /usr/lib/thunderbird/extensions/ doesn’t seem to be enough to enable them in Thunderbird 68. I tried copying the {847b3a00-7ab1-11d4-8f02-006008948af5}.xpi installed to _{/.thunderbird/profile.default/extensions/ when installing the add-on via Thunderbird, then deleting the profile.default and starting Thunderbird again. The extension is not installed and not present in}/.thunderbird/profile.default/extensions/.

#15 Updated by segfault 2019-09-23 18:11:44

segfault wrote:
> Copying extensions to /usr/lib/thunderbird/extensions/ doesn’t seem to be enough to enable them in Thunderbird 68. I tried copying the {847b3a00-7ab1-11d4-8f02-006008948af5}.xpi installed to _{/.thunderbird/profile.default/extensions/ when installing the add-on via Thunderbird, then deleting the profile.default and starting Thunderbird again. The extension is not installed and not present in}/.thunderbird/profile.default/extensions/.

Nevermind, I got it to work now.

#16 Updated by segfault 2019-09-23 18:23:25

It seems like the latest torbirdy version is indeed incompatible with Thunderbird 68. At least I wasn’t able to install it even when I changed the maxVersion in install.rdf from “60.*” to “68.*”.

I don’t know what else there is to do here, except to wait for Debian packages for enigmail and torbirdy which are compatible with Thunderbird 68.

#17 Updated by intrigeri 2019-09-30 17:14:42

> It seems like the latest torbirdy version is indeed incompatible with Thunderbird 68. At least I wasn’t able to install it even when I changed the maxVersion in install.rdf from “60.*” to “68.*”.

Yeah, we saw this coming and we’re in the exact situation I was hoping to avoid :/

Back in March, @u started a private conversation about this with Torbirdy upstream (thread: “Fwd: Torbirdy’s future”). I’ve not heard about it since April and AFAICT, upstream did not even create a ticket to track this upcoming issue. u, maybe you have some updates to share? (/me crosses fingers :)

This got reported twice upstream by users in the last two months:

• https://trac.torproject.org/projects/tor/ticket/31341
• https://trac.torproject.org/projects/tor/ticket/31773

No reply from the upstream maintainer so far.

This has not been reported to Debian yet but I expect users will start noticing as soon as Thunderbird 68 is uploaded to sid.

> I don’t know what else there is to do here, except to wait for Debian packages for […] torbirdy which are compatible with Thunderbird 68.

Given the historical info I provided above, I don’t think it’s realistic for us to keep shipping Thunderbird 60 until Torbirdy is ported. Thunderbird 68 was released 1 month ago, and upstream seems MIA, so it’s unclear to me whether it will ever be ported. For Tails 4.0 we can probably just ship 60.9.0, but that won’t fly forever.

Now, IIRC Torbirdy does mostly one thing: setting a bunch of prefs. It would be sad to lose this central place for sharing privacy/Tor/anonymity related prefs, but as far as Tails users are concerned, we could “just” (sic!) set those prefs ourselves in tails.git. That’s certainly better than shipping an outdated Thunderbird with known security issues for months or years.

If, for some reason, this does not work for some critical prefs, we could try porting Torbirdy ourselves, trimming it down from its UI and whatever is not strictly necessary for us: hopefully what’s left will be compatible with Thunderbird 68. But first, we would need to understand what exactly it is, that Torbirdy is using, and that’s deprecated in Thunderbird 68. If the work to do is porting to WebExt or something like this, it may be a huge task, and we’ll need to consider how critical the missing bits are.

> There is an Enigmail version compatible with Thunderbird 68, but it’s currently not in Debian.

Yep, and the Thunderbird maintainer reached out to the Enigmail one about it: https://alioth-lists.debian.net/pipermail/pkg-apparmor-team/2019-September/003143.html.
I hope dkg has time to import & upload the new Enigmail upstream release in the next few weeks.
Worst case, we may have to do it ourselves.

BTW, Carsten’s email has some more info that’s relevant for us.

Cheers!

#18 Updated by Anonymous 2019-09-30 18:32:09

I’ve pinged upstream again, but to no avail. So no, I have no magic news about the issue :/ I’ve recently forwarded the email to segfault with more details.

#19 Updated by intrigeri 2019-10-01 03:55:44

> I’ve pinged upstream again, but to no avail. So no, I have no magic news about the issue :/ I’ve recently forwarded the email to segfault with more details.

Thanks for the quick reply!

#21 Updated by Anonymous 2019-10-08 10:01:30

FTR, the upstream author promised to send us an assessment of the situation and the work to do by the end of this week.

#23 Updated by intrigeri 2019-10-11 07:10:27

u wrote:
> FTR, the upstream author promised to send us an assessment of the situation and the work to do by the end of this week.

@u, amazing, thanks!

I’ve optimistically filed Feature #17149 to track the next iteration of this problem, which will probably be even harder wrt. Thunderbird 78, even if we find a way to make Torbirdy work on Thunderbird 68. My goal here is to ensure this is on our radar early enough, to avoid any bad surprise next summer/fall.

#24 Updated by Anonymous 2019-10-17 13:06:53

@intrigeri: sounds good. The upstream author has made an assessment of the work to be done. I proposed to help him with testing, and asked what else needs we could help with.

#25 Updated by Anonymous 2019-10-21 09:04:23

We should probably meet with the upstream author to talk about our needs and outline a plan to save the world of email over Tor. See email sent to hefee, intrigeri @segfault some minutes ago.

#26 Updated by Anonymous 2019-11-07 16:10:44

See https://redmine.tails.boum.org/code/issues/17149#note-5

#29 Updated by segfault 2019-11-17 17:17:25

Thunderbird 68 from sid now depends on some package versions not available in Buster. The affected packages are: enigmail libc-bin libc-l10n libc6 libfreetype6 libnss3 libstdc++6 locales-all. So we would have to install those from sid as well.

#30 Updated by intrigeri 2019-11-18 06:49:05

> Thunderbird 68 from sid now depends on some package versions not available in Buster.

Indeed. Since then, 1:68.2.2-1~deb10u1 was uploaded to buster-security (DSA 4571-1) so this should not be a problem anymore :)

#31 Updated by segfault 2019-11-18 10:18:39

intrigeri wrote:
> > Thunderbird 68 from sid now depends on some package versions not available in Buster.
>
> Indeed. Since then, 1:68.2.2-1~deb10u1 was uploaded to buster-security (DSA 4571-1) so this should not be a problem anymore :)

Right, just saw that too :)

#33 Updated by intrigeri 2019-11-29 05:55:37

Note that feature/16771-thunderbird-68+force-all-tests and feature/17219-replace-torbirdy have diverged (I guess because the latter had its history rewritten). The former has nothing that’s not in the latter, right? If so, I propose we KISS and use one single branch for this ticket and Feature #17219. I don’t particularly care about how we call it, but given recent work has happened on the Feature #17219 branch, I’ll base my Thunderbird 68 work on it too.