Hello,

again, thanks a lot to dkg for your hard work to bring Enigmail 2.0 to
Stretch! Once again it's amazing to follow your work and see how
thorough you are :)

On Sun, 14 Oct 2018 18:58:33 -0400 Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> Hi release team, security team:
>
> over in #910398, i wrote:
>
> On Fri 2018-10-05 17:48:10 -0500, Daniel Kahn Gillmor wrote:
> > I'd like to update the version of GnuPG in debian stable with a series
> > of targeted bugfixes (most of which are backported from upstream).
> >
> > There are four complementary reasons, which i explain in more detail
> > below:
> >
> > * ptrace hardening for scdaemon
> > * bugfixes that target some common workflows
> > * updating cryptographic defaults
> > * fixing enigmail in stretch
> >
> > All of the patches that implement these changes have been in buster
> > for many months (either as upstream improvements or debian-specific
> > improvements).
>
> I'd appreciate some followup on this from the debian teams -- am i
> barking up the wrong tree? should i take a different approach? or do i
> (and the stretch users of enigmail) just need to wait a little while
> longer for review?
>
> Many thanks for your work in keeping debian stable safe, healthy, and
> useful.

Due to the intrusive changes I can imagine that the responsible teams
need some time for the decision. Still it would be great if you could
send a short note on whether you discuss this internally and whether you
consider it a valid approach at all. That would help a lot with waiting.

As dkg already explained, right now, everybody who uses Enigmail on
Stretch is stuck with vulnerable Thunderbird 52 packages. Which,
unfortunately, means a *lot* of users. Thus I consider any necessary
steps (or prerequisites) to get Enigmail 2.0 into Stretch pretty urgent.

> PS thanks to Georg for his testing of these changes, as noted in
> #910398!

Ack, thanks Georg!

Cheers
jonas