Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport

On Fri 2018-12-14 09:26:50 -0500, Antoine Beaupré wrote:
> I have outlined the tradeoffs of this in the past. For me, the biggest
> concern is that users will blindly install Enigmail from the app store
> and that actually has security vulnerabilities because the jessie gpg
> version is too old, as I understand it.

Installing Enigmail from addons.mozilla.org (what I think anarcat means
by "the app store") raises not only concerns about gpg compatibility on
jessie -- it also downloads and runs arbitrary binary code from the


This is fixed in Debian by a change in the defaults, but upstream
appears to have no intention to change those defaults in the version in

Leaving jessie users vulnerable to this would make me pretty sad.

I appreciate the work that anarcat is doing here!


