Sender | Message | Time |
---|---|---|
13 Oct 2024 | ||
emily | anyway. my personal bottom line is that I think we have a handful too many Firefox/Chromium forks and that the security situation with a lot of them is worrying. I would agree that I don't think Betterbird is meeting reasonable expectations, and it doesn't seem like anything has changed since the last time it was discussed. | 18:04:59 |
hexa | In reply to @aloisw:kde.org: basically they track the esr cycle of firefox (up until now), which regularly comes with a security advisory attached | 18:05:47 |
hexa | In reply to @aloisw:kde.org: yes. | 18:06:05 |
hexa | In reply to @emilazy:matrix.org: you can open a website in thunderbird fwiw | 18:06:22 |
emily | (April) (June) | 18:06:44 |
emily | update eventually merged 3 weeks ago | 18:06:56 |
hexa | yeah, not acceptable | 18:07:06 |
emily | https://github.com/NixOS/nixpkgs/issues/251427 (August 2023) | 18:07:52 |
emily | think it's fair to say that the situation is unlikely to change | 18:08:08 |
hexa | https://github.com/NixOS/nixpkgs/pull/241560#issuecomment-1620795028 | 18:09:12 |
hexa | do you remember this one, emily? | 18:09:18 |
aloisw | On a cursory glance, upstream (if that's the correct word here given that it's a patched Thunderbird) maintenance looks kinda okay, but nixpkgs is lagging severely. | 18:09:19 |
emily | upstream is some guy who was banned from Thunderbird development for constantly being uncivil IIRC | 18:10:07 |
emily | but I agree that it seems to meet my basic expectations for backports of upstream browser engine security fixes | 18:10:20 |
emily | so it's ahead of, like, most Firefox forks | 18:10:29 |
emily | In reply to @hexa:lossy.network: right. this is what I was remembering re: stable backports | 18:10:47 |
emily | the commitment is more than I remember, but it doesn't seem to have been fulfilled | 18:11:07 |
emily | currently unfixed on stable that don't look JS-specific: | 18:15:36 |
emily | I think we need to set knownVulnerabilities on 24.05 for sure. removal before the 24.11 freeze also seems like a reasonable course of action to me, or we will inevitably end up shipping vulnerable versions to users again within the next 6 months unless someone else wants to be responsible for the package. | 18:16:14 |
emily | actually the NSS stuff might be fine if we have a separate NSS package | 18:16:44 |
emily | and of course it may be hard to impossible to construct an exploit chain for some or all of them without JS | 18:16:55 |
emily | but that is certainly not wholly obvious to me for some of them | 18:17:16 |
Tristan Ross | In reply to @emilazy:matrix.org: Idk who that is | 18:19:08 |
hexa | risicle | 18:19:13 |
hexa | ris_ in this room | 18:19:23 |
emily | also lib.maintainers.ris | 18:19:39 |
Tristan Ross | Oh | 18:19:43 |
hexa | In reply to @emilazy:matrix.org: hm? I maintain nss | 18:21:02 |
Tristan Ross | Time to find the issue I was pinged in relating to what I'm doing lol | 18:21:09 |
emily | I meant that one of the vulns I linked was NSS-related | 18:21:13 |