On Thu, Dec 20, 2018 at 02:30:49PM -0500, Daniel Kahn Gillmor wrote:
> we're not talking about "all kinds of core libraries" -- we're talking
> about a very selected subset.

Which are used by core system services like systemd, which makes them core libraries.

> > EOLing enigmail seems the only sensible option by far.
>
> the main issue with EOLing enigmail is that users will (instead of
> upgrading to stable) typically just use the version from
> addons.mozilla.org, which has both non-DFSG-free issues and
> significantly scary behavior (downloading and silently executing
> binaries from the web on the user's behalf).

EOLed packages are discontinued with an advisory advising users of the EOLed status, so it can explicitly warn about using the version from addons.mozilla.org. If users then still choose the other options, well then it's within their freedom.

On a more general level, I'm not sure if there were prior discussions with Mozilla about that, but ideally addons.mozilla.org would flag addons which fetch/run additional code so that users can make an educated choice to opt out. The current approach is only asking for crypto miners to hijack addons dependencies in the future...

Cheers,
Moritz