13 Oct 2024 |
emily | https://github.com/NixOS/nixpkgs/issues/251427 "Sadly the package is repeatedly out of date. I would really like to switch to betterbird but as it's internet-facing, timely updates should be ensured." (August 2023) | 18:07:52 |
emily | think it's fair to say that the situation is unlikely to change | 18:08:08 |
hexa | https://github.com/NixOS/nixpkgs/pull/241560#issuecomment-1620795028 | 18:09:12 |
hexa | do you remember this one, emily? | 18:09:18 |
aloisw | On a cursory glance, upstream (if that's the correct word here given that it's a patched Thunderbird) maintenance looks kinda okay, but nixpkgs is lagging severely. | 18:09:19 |
emily | upstream is some guy who was banned from Thunderbird development for constantly being uncivil IIRC | 18:10:07 |
emily | but I agree that it seems to meet my basic expectations for backports of upstream browser engine security fixes | 18:10:20 |
emily | so it's ahead of, like, most Firefox forks | 18:10:29 |
emily | In reply to @hexa:lossy.network "do you remember this one, emily?" right. this is what I was remembering re: stable backports | 18:10:47 |
emily | the commitment is more than I remember, but it doesn't seem to have been fulfilled | 18:11:07 |
emily | currently unfixed on stable that don't look JS-specific:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1888333
- https://bugzilla.mozilla.org/show_bug.cgi?id=1893340
- https://bugzilla.mozilla.org/show_bug.cgi?id=1878199
- https://bugzilla.mozilla.org/show_bug.cgi?id=1193389
- https://bugzilla.mozilla.org/show_bug.cgi?id=1896555 (maybe? "By manipulating the text in an
<input> tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash." – bug is not public still, lol)
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1862809%2C1889355%2C1893388%2C1895123 (also not accessible)
- uhh more NSS stuff… actually this is too tedious, there's like 3 more point releases left
| 18:15:36 |
emily | I think we need to set knownVulnerabilities on 24.05 for sure. removal before the 24.11 freeze also seems like a reasonable course of action to me, or we will inevitably end up shipping vulnerable versions to users again within the next 6 months unless someone else wants to be responsible for the package. | 18:16:14 |
emily | actually the NSS stuff might be fine if we have a separate NSS package | 18:16:44 |
emily | and of course it may be hard to impossible to construct an exploit chain for some or all of them without JS | 18:16:55 |
emily | but that is certainly not wholly obvious to me for some of them | 18:17:16 |
Tristan Ross | In reply to @emilazy:matrix.org "you'd want to talk to ris" Idk who that is | 18:19:08 |
hexa | risicle | 18:19:13 |
hexa | ris_ in this room | 18:19:23 |
emily | also lib.maintainers.ris | 18:19:39 |
Tristan Ross | Oh | 18:19:43 |
hexa | In reply to @emilazy:matrix.org "actually the NSS stuff might be fine if we have a separate NSS package" hm? I maintain nss | 18:21:02 |
Tristan Ross | Time to find the issue I was pinged in relating to what I'm doing lol | 18:21:09 |
emily | I meant that one of the vulns I linked was NSS-related | 18:21:13 |
emily | so it may not apply to us assuming we have a split NSS package that actually gets updates | 18:21:23 |
hexa | nss is always recent | 18:21:28 |
emily | oh, is 115 just EOL in general now? | 18:21:29 |
hexa | yes | 18:21:35 |
emily | then that seems like an especially good argument for removing Betterbird | 18:21:43 |
hexa | 115.16.0esr was the last release | 18:21:45 |
hexa | https://github.com/NixOS/nixpkgs/pull/348318 | 18:21:50 |