Re: [Tails-dev] Icedove security updates / Tails release sch…

Author: u
Date:  
To: tails-dev
Subject: Re: [Tails-dev] Icedove security updates / Tails release schedule
Hi,

I'd like to sum up the discussion a little bit and move on to the next
steps.

sajolida:
> intrigeri:
>> > I'm replying to "the severity of the options above", regarding
>> > option b.
>> >
>> > Let's keep in mind that other email clients we used to ship, or could
>> > choose to ship haven't synchronized their release schedule with
>> > Firefox either; Ditto for most other software we ship, actually. So,
>> > the "security updates are delayed a bit" problem is neither news here,
>> > nor specific to Icedove.
>> >
>> > It *is* a serious problem, however. The long-term solution we've put
>> > our odds on so far, that will work regardless of what email client we
>> > ship, is to streamline our release process so that we can, some day,
>> > put out (smaller) updates more often. This is one of the main reasons
>> > why we've been putting so much effort into our automated test suite
>> > lately :)
> So I'd say we keep an eye on their security announcement, be ready for
> an emergency upgrade the day it's really needed, and in the meantime
> keep on working on streamlining our release process and having endless
> upgrades (#7499, #8534, or whatever).
I think it's clear now that we'll simply stick to the Firefox/TBB
release schedule and treat Icedove exactly the same way as the other
software we ship.

As said, if anybody feels like helping the Icedove packaging team get
Icedove into Debian faster, they'd need help upstreaming the package's
Debian patches.

Next steps: We can make using the email client more secure by adding an
AppArmor profile. I've started investigating this with some help from
jvoisin.
As always, we want to try not to create too much delta with upstream, so
it seems useful to actually use a profile which will be included there
anyway. This is tracked by https://labs.riseup.net/code/issues/10750.
I still need to find out when/if this profile goes upstream and ask the
Debian AppArmor Team to include it in the corresponding package (or do
that myself, as I am also part of this team).

Also, we should investigate how to better keep track of MFSAs and other
security announcements (even prior to them being posted on
debian-security). Some of us read FD or debian-security I think, but
maybe we can track this in a more efficient manner?

Cheers!
u.
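The message above proposes confining Icedove with an AppArmor profile. The following sketch, added here as an illustration and not the profile tracked in #10750 nor the one shipped by Debian or Tails, shows the shape such a profile takes: the mail client gets read access to its own installation and read/write access only to its profile and cache directories plus a download directory, it may not read SSH key material, and GnuPG (needed by Enigmail) runs in a named child profile so that the mail client itself never touches ~/.gnupg directly. The binary paths (/usr/bin/icedove as a shell wrapper around /usr/lib/icedove/icedove), the ~/.icedove and ~/.cache/icedove locations, and the ~/Downloads attachment directory are assumptions for the example; adjust them to the package and to the Tails persistence layout before use.

```apparmor
# Illustrative AppArmor profile for Icedove (example only, not the
# Debian/Tails profile). Paths marked "assumed" are not taken from the
# original message and must be checked against the actual package.
#include <tunables/global>

/usr/bin/icedove {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/gnome>
  #include <abstractions/ssl_certs>
  #include <abstractions/user-tmp>

  # IMAP/SMTP/POP and HTTP(S) for remote content and updates.
  network inet stream,
  network inet6 stream,

  # The launcher (assumed to be a shell wrapper) and the real binary.
  /usr/bin/icedove r,
  /bin/{,ba,da}sh ix,
  /usr/lib/icedove/** r,
  /usr/lib/icedove/icedove{,-bin} ix,
  /usr/lib/icedove/plugin-container ix,
  /etc/icedove/** r,

  # Profile, mail store and cache (assumed locations): the only places
  # the client is allowed to write persistently.
  owner @{HOME}/.icedove/ rw,
  owner @{HOME}/.icedove/** rwk,
  owner @{HOME}/.cache/icedove/ rw,
  owner @{HOME}/.cache/icedove/** rwk,

  # Attachments go to one directory (assumed), not anywhere in $HOME.
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,

  # Explicit denials: a compromised mail client must not be able to
  # harvest SSH keys or shell history even if a wildcard above matched.
  deny @{HOME}/.ssh/** rw,
  deny @{HOME}/.bash_history rw,

  # Enigmail executes gpg; confine that in a child profile that has the
  # keyring access the mail client itself is not granted.
  /usr/bin/gpg{,2} cx -> gpg,

  profile gpg {
    #include <abstractions/base>
    /usr/bin/gpg{,2} mr,
    /usr/bin/gpg-agent ix,
    owner @{HOME}/.gnupg/ rw,
    owner @{HOME}/.gnupg/** rwkl,
    owner @{HOME}/Downloads/** r,
  }
}
```

To try it, install the file as /etc/apparmor.d/usr.bin.icedove, load it in complain mode first (aa-complain /etc/apparmor.d/usr.bin.icedove, then apparmor_parser -r on the same file) and watch the audit log (or dmesg) for DENIED/ALLOWED entries while sending, receiving and opening attachments; only switch to aa-enforce once the profile covers normal use. aa-status lists which profiles are loaded and in which mode.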