Feature #16771
Upgrade to Thunderbird 68
100%
Description
At some point, the only way for us to get Thunderbird security updates will be to upgrade to 68.
Subtasks
Feature #17267: Fix non-en-US dictionaries not available in Thunderbird 68 | Resolved | 0 |
|||
Feature #17269: Update test suite for Thunderbird 68 | Resolved | 0 |
Related issues
Related to Tails - Feature #6156: Upstream secure Thunderbird autoconfig wizard | In Progress | 2016-05-19 | |
Related to Tails - |
Rejected | ||
Related to Tails - |
Resolved | ||
Related to Tails - Bug #17272: Error dialog when setting up a POP3 account in Thunderbird 68 | Confirmed | ||
Blocks Tails - Feature #16209: Core work: Foundations Team | Confirmed | ||
Blocked by Tails - |
Resolved |
History
#1 Updated by intrigeri 2019-06-01 05:35:37
- blocks Feature #16209: Core work: Foundations Team added
#2 Updated by intrigeri 2019-06-01 05:36:46
Exact timing is unclear at the moment but upstream is working on getting v68 ready. I’ll set target version once I understand the expected timeline better.
#3 Updated by intrigeri 2019-06-01 05:37:10
- related to Feature #6156: Upstream secure Thunderbird autoconfig wizard added
#4 Updated by intrigeri 2019-06-01 05:42:39
When we do this upgrade, we should probably:
- ship Thunderbird straight from Debian (i.e. stop building+uploading our own package)
- apply our remaining account wizard patch (OAuth2) to the relevant files in
omni.ja
via aconfig/chroot_local-hooks/
- update our doc under
contribute/
accordingly
This would address most of what’s left of the problem (having to build+upload our own Thunderbird packages regularly) that made us put Feature #6156 on the roadmap this year. I’m saying “most” because until Feature #6156 is done and that OAuth2-related patch is upstreamed, maintaining this delta may have a non-negligible cost.
#5 Updated by intrigeri 2019-06-02 08:43:13
The beta is scheduled for early June. Draft release notes: https://www-stage.thunderbird.net/en-US/thunderbird/68.0beta/releasenotes/.
#6 Updated by intrigeri 2019-08-28 07:04:17
- Target version set to Tails_3.17
68.0 was released upstream. There will be one last release in the 60.x series (60.9) next week, which we’ll miss for Tails 3.16. I expect 68.x will be our only option for Tails 3.17 / 4.0.
#7 Updated by intrigeri 2019-08-28 07:13:21
intrigeri wrote:
> When we do this upgrade, we should probably:
FTR, I’ve done this already and this change made it into Tails 3.15.
#8 Updated by intrigeri 2019-09-12 14:25:33
- Target version changed from Tails_3.17 to Tails_4.0
#9 Updated by segfault 2019-09-21 18:29:43
- Assignee set to segfault
- Feature Branch set to feature/16771-thunderbird-68
I started refreshing the patches but are not finished yet and didn’t push that work yet.
#10 Updated by segfault 2019-09-21 22:03:54
- Status changed from Confirmed to In Progress
Applied in changeset commit:tails|8134f512d5a4834267f7ce466b703f3c72f2a363.
#11 Updated by segfault 2019-09-21 22:08:23
- Feature Branch changed from feature/16771-thunderbird-68 to git push --set-upstream origin feature/16771-thunderbird-68+force-all-tests
#12 Updated by intrigeri 2019-09-22 06:00:34
- Feature Branch changed from git push --set-upstream origin feature/16771-thunderbird-68+force-all-tests to feature/16771-thunderbird-68+force-all-tests
#13 Updated by segfault 2019-09-22 10:25:07
There is currently no Torbirdy version compatible with Thunderbird 68. I couldn’t find any information about a plan to support Thunderbird 68.
There is an Enigmail version compatible with Thunderbird 68, but it’s currently not in Debian.
#14 Updated by segfault 2019-09-23 15:40:34
Copying extensions to /usr/lib/thunderbird/extensions/ doesn’t seem to be enough to enable them in Thunderbird 68. I tried copying the {847b3a00-7ab1-11d4-8f02-006008948af5}.xpi installed to /.thunderbird/profile.default/extensions/ when installing the add-on via Thunderbird, then deleting the profile.default and starting Thunderbird again. The extension is not installed and not present in/.thunderbird/profile.default/extensions/.
#15 Updated by segfault 2019-09-23 18:11:44
segfault wrote:
> Copying extensions to /usr/lib/thunderbird/extensions/ doesn’t seem to be enough to enable them in Thunderbird 68. I tried copying the {847b3a00-7ab1-11d4-8f02-006008948af5}.xpi installed to /.thunderbird/profile.default/extensions/ when installing the add-on via Thunderbird, then deleting the profile.default and starting Thunderbird again. The extension is not installed and not present in/.thunderbird/profile.default/extensions/.
Nevermind, I got it to work now.
#16 Updated by segfault 2019-09-23 18:23:25
It seems like the latest torbirdy version is indeed incompatible with Thunderbird 68. At least I wasn’t able to install it even when I changed the maxVersion in install.rdf from “60.*” to “68.*”.
I don’t know what else there is to do here, except to wait for Debian packages for enigmail and torbirdy which are compatible with Thunderbird 68.
#17 Updated by intrigeri 2019-09-30 17:14:42
> It seems like the latest torbirdy version is indeed incompatible with Thunderbird 68. At least I wasn’t able to install it even when I changed the maxVersion in install.rdf from “60.*” to “68.*”.
Yeah, we saw this coming and we’re in the exact situation I was hoping to avoid :/
Back in March, @u started a private conversation about this with Torbirdy upstream (thread: “Fwd: Torbirdy’s future”). I’ve not heard about it since April and AFAICT, upstream did not even create a ticket to track this upcoming issue. u, maybe you have some updates to share? (/me crosses fingers :)
This got reported twice upstream by users in the last two months:
- https://trac.torproject.org/projects/tor/ticket/31341
- https://trac.torproject.org/projects/tor/ticket/31773
No reply from the upstream maintainer so far.
This has not been reported to Debian yet but I expect users will start noticing as soon as Thunderbird 68 is uploaded to sid.
> I don’t know what else there is to do here, except to wait for Debian packages for […] torbirdy which are compatible with Thunderbird 68.
Given the historical info I provided above, I don’t think it’s realistic for us to keep shipping Thunderbird 60 until Torbirdy is ported. Thunderbird 68 was released 1 month ago, and upstream seems MIA, so it’s unclear to me whether it will ever be ported. For Tails 4.0 we can probably just ship 60.9.0, but that won’t fly forever.
Now, IIRC Torbirdy does mostly one thing: setting a bunch of prefs. It would be sad to lose this central place for sharing privacy/Tor/anonymity related prefs, but as far as Tails users are concerned, we could “just” (sic!) set those prefs ourselves in tails.git. That’s certainly better than shipping an outdated Thunderbird with known security issues for months or years.
If, for some reason, this does not work for some critical prefs, we could try porting Torbirdy ourselves, trimming it down from its UI and whatever is not strictly necessary for us: hopefully what’s left will be compatible with Thunderbird 68. But first, we would need to understand what exactly it is, that Torbirdy is using, and that’s deprecated in Thunderbird 68. If the work to do is porting to WebExt or something like this, it may be a huge task, and we’ll need to consider how critical the missing bits are.
> There is an Enigmail version compatible with Thunderbird 68, but it’s currently not in Debian.
Yep, and the Thunderbird maintainer reached out to the Enigmail one about it: https://alioth-lists.debian.net/pipermail/pkg-apparmor-team/2019-September/003143.html.
I hope dkg has time to import & upload the new Enigmail upstream release in the next few weeks.
Worst case, we may have to do it ourselves.
BTW, Carsten’s email has some more info that’s relevant for us.
Cheers!
#18 Updated by Anonymous 2019-09-30 18:32:09
I’ve pinged upstream again, but to no avail. So no, I have no magic news about the issue :/ I’ve recently forwarded the email to segfault with more details.
#19 Updated by intrigeri 2019-10-01 03:55:44
> I’ve pinged upstream again, but to no avail. So no, I have no magic news about the issue :/ I’ve recently forwarded the email to segfault with more details.
Thanks for the quick reply!
#20 Updated by segfault 2019-10-03 09:09:51
- Target version changed from Tails_4.0 to Tails_4.1
We decided to postpone this to 4.1 and ship Thunderbird 60.9 in 4.0.
#21 Updated by Anonymous 2019-10-08 10:01:30
FTR, the upstream author promised to send us an assessment of the situation and the work to do by the end of this week.
#22 Updated by intrigeri 2019-10-11 07:07:24
- related to
Feature #17149: Figure out what to do with Torbirdy vs. Thunderbird 78 ESR added
#23 Updated by intrigeri 2019-10-11 07:10:27
u wrote:
> FTR, the upstream author promised to send us an assessment of the situation and the work to do by the end of this week.
@u, amazing, thanks!
I’ve optimistically filed Feature #17149 to track the next iteration of this problem, which will probably be even harder wrt. Thunderbird 78, even if we find a way to make Torbirdy work on Thunderbird 68. My goal here is to ensure this is on our radar early enough, to avoid any bad surprise next summer/fall.
#24 Updated by Anonymous 2019-10-17 13:06:53
@intrigeri: sounds good. The upstream author has made an assessment of the work to be done. I proposed to help him with testing, and asked what else needs we could help with.
#25 Updated by Anonymous 2019-10-21 09:04:23
We should probably meet with the upstream author to talk about our needs and outline a plan to save the world of email over Tor. See email sent to hefee,
intrigeri @segfault some minutes ago.
#26 Updated by Anonymous 2019-11-07 16:10:44
#27 Updated by segfault 2019-11-10 13:19:05
- blocked by
Feature #17219: Replace TorBirdy added
#28 Updated by intrigeri 2019-11-10 14:16:26
- Priority changed from Normal to Elevated
Rationale: Thunderbird 60.x is EOL and won’t get further security updates.
But as I just wrote on Feature #17219: if we lack the resources to complete this in time for 4.1 without burning people out, IMO so be it.
#29 Updated by segfault 2019-11-17 17:17:25
Thunderbird 68 from sid now depends on some package versions not available in Buster. The affected packages are: enigmail libc-bin libc-l10n libc6 libfreetype6 libnss3 libstdc++6 locales-all. So we would have to install those from sid as well.
#30 Updated by intrigeri 2019-11-18 06:49:05
> Thunderbird 68 from sid now depends on some package versions not available in Buster.
Indeed. Since then, 1:68.2.2-1~deb10u1 was uploaded to buster-security (DSA 4571-1) so this should not be a problem anymore :)
#31 Updated by segfault 2019-11-18 10:18:39
intrigeri wrote:
> > Thunderbird 68 from sid now depends on some package versions not available in Buster.
>
> Indeed. Since then, 1:68.2.2-1~deb10u1 was uploaded to buster-security (DSA 4571-1) so this should not be a problem anymore :)
Right, just saw that too :)
#32 Updated by intrigeri 2019-11-23 08:03:18
- related to
Bug #17252: All branches FTBFS since Thunderbird 68 was uploaded to buster-security added
#33 Updated by intrigeri 2019-11-29 05:55:37
Note that feature/16771-thunderbird-68+force-all-tests and feature/17219-replace-torbirdy have diverged (I guess because the latter had its history rewritten). The former has nothing that’s not in the latter, right? If so, I propose we KISS and use one single branch for this ticket and Feature #17219. I don’t particularly care about how we call it, but given recent work has happened on the Feature #17219 branch, I’ll base my Thunderbird 68 work on it too.
#34 Updated by intrigeri 2019-11-29 10:18:35
- related to Bug #17272: Error dialog when setting up a POP3 account in Thunderbird 68 added
#35 Updated by intrigeri 2019-11-30 15:03:04
- Feature Branch changed from feature/16771-thunderbird-68+force-all-tests to feature/17219-replace-torbirdy
#36 Updated by intrigeri 2019-12-01 07:23:59
- Status changed from In Progress to Needs Validation
I’ve reviewed the whole branch and I’m go for it! Great job \o/
This lead me to add a cleanup: commit:3f6b3e28039aeebe3cd5174ab836c6afc8b71ecf.
Reassigning because the last blocker for the merge (Feature #17269) is a review currently assigned to segfault.
#37 Updated by segfault 2019-12-01 11:35:18
- Status changed from Needs Validation to Resolved
Applied in changeset commit:tails|0566449b05d05b3cc687b49e678da3c466a649e8.