Packaging annealmail WIP

HulaHoop · February 22, 2018, 5:59pm

Here is a rudimentary package for annealmail the codecrypt plugin for Thunderbird. The Debian folder was generated by debhelper and dh_make, cruft cleaned up manually using pointers from lintian and pushed to git. Building was not tested again:

Still finding my way around git so please be gentle.

I would like to be able to set things to rebase off of upstream changes to benefit from changes straight away.

Patrick · February 22, 2018, 8:11pm

You don’t actually commit to Debian branch. Therefore, do once:

git branch -D debian
git push yourgithubusername :debian

Then.

git remote add adre https://github.com/adrelanos/annealmail-2.0.git

git fetch adre

git checkout adre/debian

Create local debian branch.

git branch debian

Checkout.

git checkout debian

Not sure that works, I use git so much that I can make sense of any output and error messages but I guess that’s it.

One commit on top by me.

GitHub - adrelanos/annealmail-2.0 at debian

github.com/annealmail/annealmail

signed git tags / signed git commits

opened 07:59PM - 22 Feb 18 UTC

adrelanos

For better security, could you please sign all upcoming git commits and git tags…? It's useful in case github [gets hacked](http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted) again in case [SSL CA's](https://en.wikipedia.org/wiki/DigiNotar) get [hacked](http://www.scmagazine.com/two-more-comodo-resellers-owned-in-ssl-hack/article/199620/) again. * https://github.com/blog/2144-gpg-signature-verification * https://help.github.com/articles/signing-commits-with-gpg/ * https://github.com/micahflee/onionshare/issues/221#issuecomment-231510525 * http://mikegerwitz.com/papers/git-horror-story

Cannot test to build it for security reasons. I don’t speak the language. Cannot say if there is nothing malicious in the source code. Cannot even gpg verify the code by upstream since it is not signed (issue referenced above). Even if I did speak the language or if it is simple, it is just too much to review.

debian/copyright needs fixing. Debian will be adamant about this. Some examples:

bindp debian/copyright
corridor debian/copyright
whonix-ws-kde-desktop-conf debian/copyright

Also lintian --pedantic will complain if debian/copyright is not ok.

 ${shlibs:Depends}, 
 ${misc:Depends}, 
 ${xpi:Depends},
Recommends:
 pinentry-x11,
 ${xpi:Recommends},
Provides:
 ${xpi:Provides},
Enhances:
 ${xpi:Enhances},
Breaks:
 ${xpi:Breaks},

Any ones that can be removed without lintian complaining? If lintian complains, keep, otherwise, please remove.

Will these be actually substituted with something? ${xpi:Breaks} etc are variables substituted by debheper. When you unpack the created .deb. package, look at that debian/control (and others files) for actual result.

HulaHoop · February 22, 2018, 9:28pm

Is it still worth working on this with this fact in mind? One might argue that there is a high possibility that not every line of every Debian package was ever reviewed. Reproducible builds don’t change this though they guarantee that no one put any special Easter eggs in the binaries.

Patrick · February 23, 2018, 1:21am

signed git tags / signed git commits · Issue #11 · annealmail/annealmail · GitHub

this project hasn’t been updated for a while. I doubt it will get updated in the near future

Basically, project is dead/abandoned, shouldn’t use?

Yes, since it is a collaborative effort. Perhaps can be mentioned here: Debian Packaging · Issue #10 · annealmail/annealmail · GitHub Perhaps someone else will help out.

I wonder about that one. Could you please discuss all of this with the debian-mentors mailing list or on their IRC?

True. Reproducible only helps us to confirm that the source code that one claimed to have used to create a binary was really the source code claimed to have been used. The actually source code still needs to be manually audited and no automation for that is conceivable at the moment.

Patrick · February 23, 2018, 1:24am

As per Annealmail Thunderbird Add-on · Issue #17 · exaexa/codecrypt · GitHub… Perhaps if packaging/building is done, Debian privacy applications team might be interested to help out? https://alioth.debian.org/projects/pkg-privacy/

Depends on what task seems too daunting to them. If part of the work is done, perhaps they’d have some insight for above question and/or be willing to help?

HulaHoop · February 23, 2018, 5:26am

I was mentally looking past this because I thought “Its based on Enigmail which is pretty sturdy” - except that some pretty serious problems were discovered and fixed in a security audit sponsored by Mozilla and Posteo at the end of last year. Changes that are almost definitely not included in annealmail becuase its now a couple of years old and not being rebased on more recent versions or updated.

I’m thinking of doing my duty and notifying annealmail’s author anyway though likely its not going to change anything.

github.com/annealmail/annealmail

Serious security problems fixed in Enigmail 1.9.9

opened 05:35AM - 23 Feb 18 UTC

closed 01:11PM - 23 Feb 18 UTC

HulaHoopWhonix

Hi I understand you aren't actively maintaining annealmail at the moment. I just… wanted to let you know (and also other users) that some major sec vulnerabilities that break security completely have been discovered in Enigmail last December and that they apply to annealmail by virtue of being based on it - until rebasing on the fixed version 1.9.9 For more info see: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf https://posteo.de/en/blog/security-warning-for-thunderbird-users-and-enigmail-users-vulnerabilities-threaten-confidentiality-of-communication cc/ @adrelanos

Given these developments I don’t think we should waste any more effort on packaging. As a general rule, security software should be extremely well maintained to be considered for inclusion by default.