Slow Thunderbird updates endanger users

@alexmurray Funny just before I started to write the comment I had checked for updates but there were none. So, many thanks to everyone who was involved and helped!

Looking out of my filter bubble, I have to say that there are still many people using Thunderbird regularly, companies too. It’s no fun visiting multiple websites, full of ads, with different designs if you have more than one email account.
Many people switched to mobile apps to communicate with each other, indeed. But for companies email still plays a very important role.
Regarding the difference in usage of Firefox and Thunderbird, do you have any numbers for me?
But Thunderbird is preinstalled, so it must still be important enough and that’s how I see it too.

All right, so

• Thunderbird can have critical security issues and there are not enough people to test and approve the platform specific Thunderbird builds within few days (like for Firefox), as would be appropriate.
• There are enough relevant users of the preinstalled Thunderbird out there that need to be protected.

So, what can be done the next time a critical issue occurs? I suggest the following options:

• a) Shorten the test and approval period. The new Thunderbird version is the officially released and already tested one. A really short test like 15 minutes per platform (3) should be enough. Don’t expect any build problems - oSoMoN probably had already fixed them in build2 in the previous phase.
• b) Replace debian package with snap package. Don’t wait for next cycles. Functionality must not take precedence over security.
• c) Remove the Thunderbird debian package from Ubuntu’s repositories since it cannot be operated safely.

Which option would you choose?

So, the dust has settled, jammy is out, which option did Canonical choose to improve the situation regarding Thunderbird updates?

Thunderbird 102 snap, candidate channel.
Works well, as far as I can see.

Cannot be more updated!

Time to bump.
There are serious security flaws in Ubuntu’s TB deb (91.11).

I do use the snap (102.3, perfectly updated). But as an Ubuntu supported deb, that’s no good to let users silently rely on a version that is flawed.

So, again: will TB deb be updated or transitioned to snap?

For a real apples-to-apples discussion about security, please reference specific CVEs that you have run through the Ubuntu CVE tracker

That does not assume anything. That’s just a fact.
https://www.thunderbird.net/en-US/thunderbird/91.13.1/releasenotes/

Since I do use TB snap, I won’t spend time on this. But, as I saw this Mozilla security warning, I remembered this thread.

The Ubuntu CVE tracker shows quite a few CVEs for the Thunderbird package on Ubuntu 22.04 that are in state “Needs triage” or “Needed”. Among them is for example CVE-2022-2505, which is listed with priority “high” on https://www.mozilla.org/en-US/security/advisories/mfsa2022-32/ for Thunderbird 102.1 and as “needed” in the Ubuntu CVE tracker. This was just the first CVE that I looked at, likely not the only one. So it does seem like an update to Thunderbird is needed?

The 102.2.2 update has been released to the different supported series now

I still do use TB snap (that does work as intended, at least for my usage).
I’ve just noticed that TB deb is 102.4 in Jammy.
There are many security issues since this one: https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/ .

So, nothing personal as I do use the snap, but IMO something has to be done, an email client is not a tiny security detail. Is there a deb-to-snap transition project?

It’s the same good news as in Post #3 of this topic.

While folks are concerned that something-needs-to-be-done, something actually was (and still is) being done: Thunderbird 102.7 is currently in the testing PPA https://launchpad.net/~ubuntu-mozilla-security/+archive/ubuntu/ppa/+packages

Should the post there maybe be closed? There is no real discussion and the topic provides little value