| 13 Oct 2024 |
 Tristan Ross | Interesting, it all comes from pkgs/build-support/bintools-wrapper/default.nix | 06:37:02 |
| Tristan Ross | Next question, what sort of impact on build failures could we see if we did stackclashprotection by default? | 06:37:43 |
 emily | you'd want to talk to ris | 06:47:49 |
 hexa | betterbird is on 115.9.0 on release-24.05 while master has 115.14.0, latest is 115.16.1 | 16:56:07 |
| hexa | I think it should not live in nixpkgs if this is how it gets maintained | 16:57:32 |
| hexa | there were also no updates between 115.9.0 and 115.14.0 in nixpkgs https://github.com/NixOS/nixpkgs/pull/339019 | 16:59:50 |
| emily | i feel we ought to have a written policy on things that contain browser engines at this point | 17:03:33 |
| emily | wrt requiring both upstream and Nixpkgs maintainers to be responsive to security issues | 17:03:56 |
 tgerbet | Yeah I wanted to create a tracking issue so we can follow this more closely and see how it evolves over time but I did not get the time to do it | 17:46:20 |
| emily | IIRC stable branch security backports for betterbird were discussed in the past and the response was "meh, don't care about stable". | 17:57:10 |
| emily | indeed it looks like it hasn't received any backports this cycle | 17:57:57 |
 aloisw | This does not excuse the package being several months out of date on unstable as well. | 17:58:45 |
| emily | to be clear, I don't think it excuses it being out of date on stable | 17:59:23 |
| emily | * to be clear, I don't think it excuses it being out of date on stable either | 17:59:25 |
| emily | backporting security fixes or at least knownVulnerabilities is part of our basic expectations for maintainer responsibilities for highly-exposed applications IMO | 17:59:59 |
| emily | (though of course it's not written down anywhere) | 18:00:04 |
| emily | I just mean I wouldn't expect the situation to change in that regard. | 18:00:21 |
| aloisw | I'm not aware of any specific security fixes or knownVulnerabilities in Thunderbird, it's just a browser engine so it's probably better to assume every release is security-relevant. | 18:01:01 |
| emily | https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ | 18:01:35 |
| emily | there is admittedly a lot of "In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potential risks in browser or browser-like contexts." – I guess they don't do much assessment of what exposure they're actually subject to. | 18:02:07 |
| emily | certainly e.g. image decoding bugs seem like they would potentially be exploitable. | 18:02:24 |
| emily | there's also stuff like "CVE-2023-5388: NSS susceptible to timing attack against RSA decryption" | 18:02:42 |
| aloisw | In reply to @emilazy:matrix.org
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ Lol this literally is every release, right? | 18:02:47 |
| emily | In reply to @emilazy:matrix.org
there is admittedly a lot of "In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potential risks in browser or browser-like contexts." – I guess they don't do much assessment of what exposure they're actually subject to. which is funny coming after this notice :) | 18:02:50 |
| emily | In reply to @aloisw:kde.org
Lol this literally is every release, right? yes, though like their notice says probably a lot of them are effectively irrelevant for a product that doesn't (or at least tries not to?) run untrusted JS | 18:03:08 |
| aloisw | I also assume they stop investigating what security issues have accidentally been fixed after a release that has since been superseded. | 18:03:39 |
| emily | here's a recent Thunderbird-specific one https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/ | 18:03:39 |
| emily | if it had happened slightly after 24.05, probably stable users would still be vulnerable | 18:03:59 |
| emily | anyway. my personal bottom line is that I think we have a handful too many Firefox/Chromium forks and that the security situation with a lot of them is worrying. I would agree that I don't think Betterbird is meeting reasonable expectations, and it doesn't seem like anything has changed since the last time it was discussed. | 18:04:59 |
| hexa | In reply to @aloisw:kde.org
I'm not aware of any specific security fixes or knownVulnerabilities in Thunderbird, it's just a browser engine so it's probably better to assume every release is security-relevant. basically they track the esr cycle of firefox (up until now), which regularly comes with a security advisory attached | 18:05:47 |
