Project

General

Profile

Feature #15657

Check which version of Enigmail we should ship

Added by intrigeri over 1 year ago. Updated 10 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
06/15/2018
Due date:
% Done:

100%

Estimated time:
2.00 h
Spent time:
Feature Branch:
hefee/bugfix/16186-disable-autocrypt+force-all-tests
Type of work:
Research
Blueprint:
Starter:
Affected tool:
Email Client

Description

For #15602 we're going to import Enigmail from sid into our custom APT repo (our freeze exception process). For 3.9 and later we should check whether we can install that package from stretch-security, or from sid, or update it in our custom APT repo, or something.


Related issues

Related to Tails - Bug #15602: Fix EFAIL Resolved 05/14/2018
Related to Tails - Feature #15923: Autocrypt forces unencrypted messages Resolved 12/03/2018
Related to Tails - Bug #16120: devel branch FTBFS since Enigmail 2:2.0.8-5~deb9u1 reached Stretch Resolved 11/12/2018
Blocks Tails - Feature #15507: Core work 2019Q1: Foundations Team Resolved 04/08/2018

Associated revisions

Revision 83b10d14 (diff)
Added by Sandro Knauß 10 months ago

Install enigmail from stretch (refs: #15657)

Revision cecd81c4 (diff)
Added by Sandro Knauß 10 months ago

Install enigmail from stretch (refs: #15657)

Revision c293b923
Added by intrigeri 10 months ago

Merge branch 'hefee/bugfix/16186-disable-autocrypt+force-all-tests' into devel (Fix-committed: #15657, #15661, #16222)

Note: this branch actually does not do anything special wrt. Autocrypt,
nor does it address #16186 (if there's anything to address there, which
is unclear at the moment).

History

#1 Updated by intrigeri over 1 year ago

#2 Updated by intrigeri over 1 year ago

#3 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.9 to Tails_3.10.1

We currently have 2.0.7-2 on our devel branch. The only user-visible changes up to, and including, 2.0.7+ds1-1, are:

  • "avoid using and shipping OpenPGP.js": if we take it, it'll require very careful testing
  • "update dependency on GnuPG to account for important bugfixes needed to replace OpenPGP.js" i.e. Depends: gnupg (>= 2.2.8-2~), which is not available for Stretch

I see no immediate benefit in upgrading in Tails 3.9 and it requires backporting a newer gnupg, which is not exactly tempting. So let's stick to 2.0.7-2 for Tails 3.9 and come back to it later. It would be sweet if we could simply do that all the way during the Tails 3.x series, and upgrade only in Tails 4.0. But I think enigmail will need to be upgraded in Debian stable for compatibility with Thunderbird 60 so we'll see.

#4 Updated by intrigeri over 1 year ago

#5 Updated by intrigeri over 1 year ago

#6 Updated by intrigeri about 1 year ago

  • Target version changed from Tails_3.10.1 to Tails_3.12

Given:

I don't think we should do the upgrade in a bugfix release => postponing to next major version.

#7 Updated by intrigeri about 1 year ago

#8 Updated by intrigeri about 1 year ago

#9 Updated by intrigeri about 1 year ago

  • Related to Feature #15923: Autocrypt forces unencrypted messages added

#10 Updated by intrigeri about 1 year ago

intrigeri wrote:

  • Recent Enigmail packages (that don't include OpenPGP.js) depend on a newer GnuPG, that's in stretch-backports

The required GnuPG changes made it into stable-pu (https://bugs.debian.org/910398) and will be in the next Stretch point-release, which our devel branch will pick up and that we'll have in Tails 3.12. So let's deal with all the Enigmail/Autocrypt/GnuPG stuff together once the Stretch point release is out.

#11 Updated by intrigeri about 1 year ago

  • Related to Bug #16120: devel branch FTBFS since Enigmail 2:2.0.8-5~deb9u1 reached Stretch added

#12 Updated by intrigeri 12 months ago

  • Assignee deleted (intrigeri)

#13 Updated by hefee 12 months ago

  • Assignee set to hefee

#14 Updated by hefee 11 months ago

  • Assignee changed from hefee to intrigeri
  • Estimated time set to 2.00 h
  • QA Check set to Info Needed
  • Where is this version 2:2.0.7+ds1-1 coming from?
  • Is Tails currently having a modified version of enigmail installed? If yes where are the sources for it?
  • how do I can test a new enigmail version in an iso?

Debian has now shipped 2:2.0.8-5~deb9u1 in stretch and bts is not mentioning any new issues. So it sounds like a valid candidate to use.

checking enigmail itself:
- 2.0.8: - 2.0.9:

plus enigmail bugtracker don't have open issues, that makes me step back.

#15 Updated by intrigeri 11 months ago

  • Assignee changed from intrigeri to hefee
  • QA Check changed from Info Needed to Dev Needed
  • Where is this version 2:2.0.7+ds1-1 coming from?

https://tracker.debian.org/news/972292/accepted-enigmail-2207ds1-1-source-into-unstable/

  • Is Tails currently having a modified version of enigmail installed? If yes where are the sources for it?

We've shipped 2:2.0.7-2 in Tails 3.11. It comes from our custom APT repository.

  • how do I can test a new enigmail version in an iso?

Either build a new ISO that pulls the version you want (how to do so exactly fully depends on which version you want), or install the new package in a running Tails. But perhaps that's not what you were asking?

#16 Updated by hefee 11 months ago

  • Where is this version 2:2.0.7+ds1-1 coming from?

https://tracker.debian.org/news/972292/accepted-enigmail-2207ds1-1-source-into-unstable/

ah i missed that version.

  • Is Tails currently having a modified version of enigmail installed? If yes where are the sources for it?

We've shipped 2:2.0.7-2 in Tails 3.11. It comes from our custom APT repository.

But if I use dget https://deb.tails.boum.org/pool/main/e/enigmail/enigmail_2.0.7-2.dsc and check debian/changlog, the is no change mentioned, so I assume, that there is no tails specific patch on top. Okay that makes it easier, as I have nothing to keep in mind while testing.

  • how do I can test a new enigmail version in an iso?

Either build a new ISO that pulls the version you want (how to do so exactly fully depends on which version you want), or install the new package in a running Tails. But perhaps that's not what you were asking?

#17 Updated by intrigeri 11 months ago

But if I use dget https://deb.tails.boum.org/pool/main/e/enigmail/enigmail_2.0.7-2.dsc and check debian/changlog, the is no change mentioned, so I assume, that there is no tails specific patch on top.

Exactly. We don't hijack/reuse existing Debian package version numbers to ship different code, that would be very confusing. We always append something like .0tails1 when we patch a package.

#18 Updated by hefee 11 months ago

intrigeri wrote:

But if I use dget https://deb.tails.boum.org/pool/main/e/enigmail/enigmail_2.0.7-2.dsc and check debian/changlog, the is no change mentioned, so I assume, that there is no tails specific patch on top.

Exactly. We don't hijack/reuse existing Debian package version numbers to ship different code, that would be very confusing. We always append something like .0tails1 when we patch a package.

Yeah make sense :D It was just unclear for me as you said "stick to our package", in my ears it sounded like a own modified package. But you meant only rebuild for Tails.

Than I can start with a simple test installing the new packages on a live Tails from Debian.

#19 Updated by Anonymous 10 months ago

  • Status changed from Confirmed to In Progress

#20 Updated by hefee 10 months ago

  • QA Check deleted (Dev Needed)
  • Feature Branch set to hefee/bugfix/16186-disable-autocrypt+force-all-tests

#21 Updated by hefee 10 months ago

  • QA Check set to Ready for QA
Tests done on vm by hand:
  • register a new account
  • write an encrypted mail and read an encrypted one
  • used key management to download one key
  • made sure, that Autocrypt is disabled by default

I bundled #15661, #16299, #15657 and #16222, as a new Enigmail version and a new torbirdy version made sense to test together.

#22 Updated by intrigeri 10 months ago

  • Assignee changed from hefee to intrigeri

#23 Updated by intrigeri 10 months ago

  • Assignee changed from intrigeri to hefee
  • QA Check changed from Ready for QA to Dev Needed

I understand we now want the version that's in Stretch, currently: 2:2.0.8-5~deb9u1.

Wrt. 83b10d142f943e1be2e383ab140154f3c5f28334, it's currently a no-op so you can as well revert it to avoid confusion and to avoid having to fix the next issues, which I'll document anyway as a way to share information:

  • Unless I'm mistaken, this will install the version in Stretch even if there's a newer version in the Stretch security repo, which would be bad. That's why, when we need to ensure the version we have in our custom APT repo is not installed, we pin that one to -1 (see e.g. how we deal with gdk-pixbuf) and let our general settings apply. In this case, this approach would also better convey the fact that enigmail shall be handled as part of the general case, not as a corner case.
  • We try to order this file with exceptions first and general settings last. I see this was not respected for electrum but let's not make it worse :)

#24 Updated by hefee 10 months ago

  • Assignee changed from hefee to intrigeri
  • QA Check changed from Dev Needed to Ready for QA

updated branch. Please review again.

#25 Updated by intrigeri 10 months ago

  • Assignee changed from intrigeri to hefee
  • QA Check changed from Ready for QA to Dev Needed

It seems that thunderbird_profile_is_new() does not work anymore: there's now a extensions.json but no extensions.ini. I guess a Thunderbird upgrade changed this. As a result, extensions.enigmail.configuredVersion is set to the current version (2.0.8), which skips any upgrade code Enigmail might ship. I know this is not directly related to this branch but I'd rather spend time on testing stuff in this area once only. Can you please fix this on your branch so my testing is not invalidated by this change? Thanks in advance!

#26 Updated by hefee 10 months ago

  • Assignee changed from hefee to intrigeri
  • QA Check changed from Dev Needed to Ready for QA

intrigeri wrote:

It seems that thunderbird_profile_is_new() does not work anymore: there's now a extensions.json but no extensions.ini. I guess a Thunderbird upgrade changed this. As a result, extensions.enigmail.configuredVersion is set to the current version (2.0.8), which skips any upgrade code Enigmail might ship. I know this is not directly related to this branch but I'd rather spend time on testing stuff in this area once only. Can you please fix this on your branch so my testing is not invalidated by this change? Thanks in advance!

Fixed.

#27 Updated by intrigeri 10 months ago

  • % Done changed from 0 to 100
  • QA Check changed from Ready for QA to Pass

Tested, confirmed!

#28 Updated by intrigeri 10 months ago

  • Status changed from In Progress to Fix committed

#29 Updated by intrigeri 10 months ago

  • Assignee deleted (intrigeri)

#30 Updated by anonym 10 months ago

  • Status changed from Fix committed to Resolved

Also available in: Atom PDF