Slow Thunderbird updates endanger users

Does anyone care about safety here or is this the wrong platform to discuss?

I use TB snap and it’s up to date.
I understand your concerns but from a pragmatic POV the only way is to use the snap.


Personally, I use the Mozilla Security PPA to pick these updates up sooner.

It’s not an ideal answer, and it would be nice to get the debs sooner by default, I agree 100%, but this has worked well for me.


Ok, we are POSITIVE, there are solutions.

BUT, as a long-time Ubuntu user, I feel it’s not good practice to deliver such security-critical software as TB and not provide security updates on time.

If Ubuntu is not able to do that, I do not judge this - Ubuntu is free. Maybe the point would be to not keep TB in the repository, to force users to use an up-to-date version (snap or Mozilla PPA, whatever)?

Not everybody cares about their TB version. My wife never will, e.g. :innocent: (So she uses webmail.)


I thank both of you. I am glad others see it the same way!
True, there are the mentioned solutions, the snap package and the PPA. Unfortunately, they only help people like us, who know how to add a PPA, how to install a snap package and migrate data, and that any action is needed at all.

But the masses remain threatened and most don’t even know it. They just use the preinstalled Thunderbird and don’t read IT news about security. They trust Ubuntu/Canonical, they trust in their expertise regarding security.

What can be done now?
In the short term, probably only staff from other departments of Canonical can assist to expedite delivery. I still don’t understand the problem - why does it take so much longer than publishing Firefox packages, even of major versions?

What can be done for 22.04?
If sufficient capacity cannot be built up, I see the following options as well:
a) Replace the Debian package with the snap package, similar to Chromium and Firefox.
b) Remove the Thunderbird Debian package from the standard repositories. Offer another (better supported) preinstalled mail client, or none.

Safety comes first, so it’s better not to offer a Debian package at all than to offer an insecure one and let people think they are safe.

37 days have passed since Thunderbird 91.6.1 packages were prepared that would close CVE-2022-0566.
20 days have passed since Thunderbird 91.7.0 packages were prepared that would close CVE-2022-0566 and two more critical issues (CVE-2022-26485, CVE-2022-26486).

oSoMoN built the Thunderbird packages soon after the corresponding versions appeared, so the delay is in the testing and approval process.
So far it has not been answered why testing and approving Firefox packages, which use similar technology, happens much, much faster.

What can we do to resolve this intolerable situation?
Who can we contact to escalate this or to help with tests etc.?
@oSoMoN @alexmurray @sabdfl ?

Ubuntu’s reputation is at stake, but most of all, most users of Thunderbird are threatened, so what can be done immediately?

FYI Thunderbird 91.7.0 was released for 18.04, 20.04 and 21.10 earlier today - https://ubuntu.com/security/notices/USN-5345-1

@usr11elf Indeed the delay is in the testing and approval process - and unfortunately this takes a certain amount of time. Firefox is given higher priority than Thunderbird because it is a lot more popular than Thunderbird, is seeded on the desktop media, and is the default web browser for Ubuntu. With the rise of web-based mail services like Gmail etc., desktop email clients have become a lot less popular than they were 10-20 years ago. Thunderbird has not been seeded in the desktop image since before 18.04 LTS as a reflection of this, as generally users are not using desktop email clients - most just use the web browser to access their webmail.

As such, testing etc. of Firefox updates (and other desktop packages seeded on the desktop image etc.) is prioritised over Thunderbird, so in general Thunderbird updates will lag behind Firefox updates. Unfortunately, in a world where new security issues are found daily across the vast array of software that is distributed in Ubuntu, there is a constant stream of security updates which need to be prepared, tested and released by a finite number of developers. The security and desktop teams have to prioritise which packages to target, and so we prefer to take the approach of protecting the greatest number of users possible by updating the most-used packages first. Hence, unfortunately, Thunderbird updates will generally come later - there are just a lot more users of Firefox (and many other applications) than of Thunderbird.

If you are still concerned, the immediate steps you could take would be to either:

  1. Consume the pre-release updates from the Mozilla Security PPA - but note these have not gone through the full validation, so they may have stability or other issues.
  2. Switch to the Thunderbird snap - this is generally more up to date, as it can use the same set of dependencies across all releases and so doesn’t get held up when Mozilla decides to depend on newer technologies/packages than are available on older Ubuntu releases like 18.04.
  3. Switch to using the binaries provided by Mozilla.

As a small follow-up on the previous post, after talking to Alex: he made an error while checking, and Thunderbird is still installed by default on the desktop image. That doesn’t change the rationale though; Firefox has more users and is more sensitive, so it gets higher priority in testing.

One change that would help with getting Thunderbird updates out in a more timely manner is for us to switch to the snap, and that’s something we will investigate in the next cycles.


Thanks for the clarification @seb128 - apologies - I will strike out the incorrect parts of the original reply to try and avoid the confusion.

To be complete, what are the problems that cause TB not to be migrated to snap?

I remember the early days of the TB snap… @seb128
I recently reinstalled the TB snap in Jammy, moving back from the deb; it was so straightforward (apart from the copy/paste of the profile).


@alexmurray Funny, just before I started to write the comment I had checked for updates, but there were none. So, many thanks to everyone who was involved and helped! :slight_smile:

Looking out of my filter bubble, I have to say that there are still many people using Thunderbird regularly, companies too. It’s no fun visiting multiple websites, full of ads, with different designs, if you have more than one email account.
Many people switched to mobile apps to communicate with each other, indeed. But for companies, email still plays a very important role.
Regarding the difference in usage of Firefox and Thunderbird, do you have any numbers for me?
But Thunderbird is preinstalled, so it must still be important enough, and that’s how I see it too.

All right, so

  • Thunderbird can have critical security issues, and there are not enough people to test and approve the platform-specific Thunderbird builds within a few days (as for Firefox), as would be appropriate.
  • There are enough relevant users of the preinstalled Thunderbird out there who need to be protected.

So, what can be done the next time a critical issue occurs? I suggest the following options:

  • a) Shorten the test and approval period. The new Thunderbird version is the officially released and already tested one. A really short test, like 15 minutes per platform (3), should be enough. Don’t expect any build problems - oSoMoN has probably already fixed them in build2 in the previous phase. :wink:
  • b) Replace the Debian package with the snap package. Don’t wait for the next cycles. Functionality must not take precedence over security.
  • c) Remove the Thunderbird Debian package from Ubuntu’s repositories, since it cannot be operated safely.

Which option would you choose?

So, the dust has settled and Jammy is out. Which option did Canonical choose to improve the situation regarding Thunderbird updates?

Thunderbird 102 snap, candidate channel.
Works well, as far as I can see.

Couldn’t be more up to date!
:innocent:


Time to bump.
There are serious security flaws in Ubuntu’s TB deb (91.11).

I do use the snap (102.3, perfectly updated). But for an Ubuntu-supported deb, it’s no good to let users silently rely on a version that is flawed.

So, again: will TB deb be updated or transitioned to snap?

For a real apples-to-apples discussion about security, please reference specific CVEs that you have run through the Ubuntu CVE tracker.


That does not assume anything. That’s just a fact.
https://www.thunderbird.net/en-US/thunderbird/91.13.1/releasenotes/

Since I do use TB snap, I won’t spend time on this. But, as I saw this Mozilla security warning, I remembered this thread.

The Ubuntu CVE tracker shows quite a few CVEs for the Thunderbird package on Ubuntu 22.04 that are in state “Needs triage” or “Needed”. Among them is for example CVE-2022-2505, which is listed with priority “high” on https://www.mozilla.org/en-US/security/advisories/mfsa2022-32/ for Thunderbird 102.1 and as “needed” in the Ubuntu CVE tracker. This was just the first CVE that I looked at, likely not the only one. So it does seem like an update to Thunderbird is needed?
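The manual lookup above can be automated. The script below is an added example, not code from the thread or from Ubuntu's tooling; the embedded JSON is constructed, and its shape (`cves` → `packages` → `statuses`) is an assumption modelled on the records served at https://ubuntu.com/security/cves.json, so adapt the field names if the live data differs. It lists, for one package and release codename, every CVE whose tracker state still means "no fix shipped", highest priority first.

```python
"""List still-open CVEs for one Ubuntu package and release from CVE-tracker JSON.

Added example, not from the thread. SAMPLE is constructed; its record shape
(cves -> packages -> statuses) is assumed to mirror the JSON served at
https://ubuntu.com/security/cves.json and has not been verified here.
"""
import json

# Constructed sample: one CVE still open on jammy, one already released.
SAMPLE = json.dumps({"cves": [
    {"id": "CVE-2022-2505", "priority": "high", "packages": [
        {"name": "thunderbird", "statuses": [
            {"release_codename": "jammy", "status": "needed"},
            {"release_codename": "focal", "status": "Needs triage"}]}]},
    {"id": "CVE-2022-0566", "priority": "medium", "packages": [
        {"name": "thunderbird", "statuses": [
            {"release_codename": "jammy", "status": "released"}]}]},
]})

# Tracker states meaning "no fix shipped yet" (pending = fix built, not released).
OPEN_STATES = {"needs-triage", "needed", "pending", "deferred"}
RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def norm(status):
    """Map display forms like 'Needs triage' to tracker keys like 'needs-triage'."""
    return status.strip().lower().replace(" ", "-")

def open_cves(doc, package, codename, min_priority="medium"):
    """Return [(cve_id, priority, status)] for CVEs of `package` on `codename`
    that are not yet fixed, highest priority first."""
    hits = []
    for cve in json.loads(doc).get("cves", []):
        prio = cve.get("priority", "medium")
        if RANK.get(prio, 0) < RANK[min_priority]:
            continue  # below the caller's priority floor
        for pkg in cve.get("packages", []):
            if pkg.get("name") != package:
                continue
            for st in pkg.get("statuses", []):
                if st.get("release_codename") != codename:
                    continue
                if norm(st.get("status", "")) in OPEN_STATES:
                    hits.append((cve["id"], prio, norm(st["status"])))
    return sorted(hits, key=lambda h: -RANK.get(h[1], 0))

if __name__ == "__main__":
    for cve_id, prio, status in open_cves(SAMPLE, "thunderbird", "jammy"):
        print(f"{cve_id}: priority={prio} status={status}")
```

Feed it the downloaded JSON for the package and release you run, and an empty result means the tracker records no unfixed CVE at or above the chosen priority.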

The 102.2.2 update has now been released to the different supported series.

I still do use TB snap (that does work as intended, at least for my usage).
I’ve just noticed that TB deb is 102.4 in Jammy.
There are many security issues since this one: https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/ .

So, nothing personal, as I do use the snap, but IMO something has to be done; an email client is not a tiny security detail. Is there a deb-to-snap transition project?