Re: proposed removal of Enigmail from jessie/LTS

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Holger Levsen <holger@layer-acht.org>, debian-lts@lists.debian.org
Subject: Re: proposed removal of Enigmail from jessie/LTS
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Fri, 21 Dec 2018 22:19:49 +0100
Message-id: <[🔎] 20181221211949.GA6862@pisco.westfalen.local>
In-reply-to: <[🔎] 8736qsxafq.fsf@fifthhorseman.net>
References: <[🔎] 87zht94219.fsf@curie.anarc.at> <[🔎] bfc66b55-1001-5d4e-4b5d-c5c656171b75@debian.org> <[🔎] 20181215120939.GB23245@pisco.westfalen.local> <[🔎] 20181219162146.yuznk3b4orlv23ul@layer-acht.org> <[🔎] 87va3pv5aw.fsf@curie.anarc.at> <[🔎] 20181219170326.enb3igr5mngxtjqi@layer-acht.org> <[🔎] 20181220160130.GA1371@pisco.westfalen.local> <[🔎] 8736qsxafq.fsf@fifthhorseman.net>

On Thu, Dec 20, 2018 at 02:30:49PM -0500, Daniel Kahn Gillmor wrote:
> we're not talking about "all kinds of core libraries" -- we're talking
> about a very selected subset.

Which are used by core system services like systemd, which makes them
core libraries.

> > EOLing enigmail seems the only sensible option by far.
> 
> the main issue with EOLing enigmail is that users will (instead of
> upgrading to stable) typically just use the version from
> addons.mozilla.org, which has both non-DFSG-free issues and
> significantly scary behavior (downloading and silently executing
> binaries from the web on the user's behalf).

EOLed packages are discontinued with an advisory advising users of
the EOLed status, so it can explicitly warn about using the version
from addons.mozilla.org. If users then still choose the other options,
well than it's within their freedom.

On a more general level; I'm not sure if there were prior discussions
with Mozilla about that, but ideally addons.mozilla.org would flag addons
which fetch/run additional code so that users can make an educated choice
to opt-out. The current approach is only asking for crypto miners to
hijack addons dependencies in the future...

Cheers,
        Moritz

Reply to:

References:
- HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
  - From: Emilio Pozuelo Monfort <pochu@debian.org>
- Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
  - From: Moritz Mühlenhoff <jmm@inutil.org>
- Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
  - From: Holger Levsen <holger@layer-acht.org>
- proposed removal of Enigmail from jessie/LTS
  - From: Antoine Beaupré <anarcat@orangeseeds.org>
- Re: proposed removal of Enigmail from jessie/LTS
  - From: Holger Levsen <holger@layer-acht.org>
- Re: proposed removal of Enigmail from jessie/LTS
  - From: Moritz Mühlenhoff <jmm@inutil.org>
- Re: proposed removal of Enigmail from jessie/LTS
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Prev by Date: Re: monthly report
Next by Date: pdns/pdns-recursor
Previous by thread: Re: proposed removal of Enigmail from jessie/LTS
Next by thread: Re: HEADS UP: upcoming change to libgcrypt and other gnupg libraries for Enigmail backport
Index(es):
- Date
- Thread