Hi,

On 16.10.18 at 11:00, Narcis Garcia wrote:
> An obvious vulnerability for user is to not be able to use Enigmail for
> encryption.

yes, the problem here is Enigmail, not Thunderbird! But I don't see this as a vulnerability per se from a security perspective. And you still can install the Mozilla AddOns manually into FF and TB. It's a loss of comfort and easy usage of the system-provided packages, but not more for the typical single-user cases on a machine or laptop.

The AddOns for FF and TB will always be special, as this software is in a heavy flow and development. Packaging such software is therefore also always a walk on the edge, because you will need to follow the upstream development really closely. And happily dkg is taking this challenge really seriously!

> Repository inconsistency is a major (and more clear) vulnerability.

I see no inconsistency; at maximum we have some lag behind upstream versions. How will you do automatic encryption *without* the enigmail package? And is this a security problem?

And not being able to send automated encrypted email is not a vulnerability, as you still can use gpg on the command line and encrypt your content, obviously with less comfort, and it's your decision. And again, you can still install Enigmail from upstream. So hey, that's life. For all other things we have Conflicts and Breaks in the package management system.

Debian is made by people in their free time, so it will happen again and again that some parts are not completely on the edge. And the decisions about what will happen in Debian are made by its participants; I invite you to become a member so you can help actively to make Debian better for your needs.

> Next versions of Mozilla software should not be at "main" repository,
> same as with HPLIP occurs.

The main criterion for main is DFSG-clean software, not whether a software is made by a specific vendor or group. The hplip package is in main because it fulfills the DFSG requirements.

I suggest you take a look into the DFSG to understand better how Debian is working.

-- 
Regards
Carsten Schoenert