Fwd: Re: [amo-editors-internal] Any known Thunderbird addon malware?

R Kent James kent at caspia.com
Thu Aug 27 04:01:51 UTC 2015


For the record in considering the issue of email signing, Jorge's 
experience is the same as mine, namely that he is not aware of instances 
of malicious add-ons targeting Thunderbird. I suppose this is also 
relevant in the question of deprecated support for XUL and binary addons 
which is probably, in the Firefox case, also partially motivated by 
security issues.

That doesn't mean that we can just ignore what Firefox is doing and go 
our merry way. It is not reasonable to ask the addon team to continue to 
support review and other aspects of Thunderbird addons if our technology 
differs greatly from Firefox. Nor are we likely to be able to support 
layout code that is no longer used by Firefox. So I think our position 
is likely to be, as we have discussed, that we will eventually do 
whatever Firefox does, only with a considerable time lag.

:rkent


-------- Forwarded Message --------
Subject: 	Re: [amo-editors-internal] Any known Thunderbird addon malware?
Date: 	Wed, 26 Aug 2015 17:42:30 -0600
From: 	Jorge Villalobos <jorge at mozilla.com>
To: 	R Kent James <kent at caspia.com>, amo-editors-internal at mozilla.org 
<amo-editors-internal at mozilla.org>



I don't recall any instances of malicious add-ons targeting Thunderbird.
I could be that they exist and just go unreported, but most likely it
just hasn't been a sufficiently juicy target for malware add-on devs.

Jorge

On 8/25/15 5:27 PM, R Kent James wrote:
> Hi,
>
> Kent James here from the Thunderbird project.
>
> We're trying to prepare an official announcement of Thunderbird plans
> for addons given some of the Mozilla changes that have been announced
> recently. The particular issue I'd like to address here is addon signing.
>
> As I understand it, addon signing in Firefox is driven by security
> considerations due to a history of addon malware in the past. We're
> trying to learn if there is a similar history with Thunderbird, as we
> are trying to decide whether to target requiring signed addons for
> some future version of Thunderbird, say Thunderbird 45. The currently
> shipping version of Thunderbird (version 38) does not and will not
> require addon signing. We are leaning toward not requiring addon
> signing in the future Thunderbird 45 either, but still deciding.
>
> I am not aware of any history of significant Thunderbird addon malware
> in the past. Is anyone here aware of any? Are there other sources that
> I should look at to determine this?
>
> As an aside, we agreed today that our official position on binary
> extensions is that they are allowed now (as there are several key
> binary extensions that we use) but those projects have plans to remove
> that requirement in the future. So binary extensions are currently
> allowed but deprecated, and we expect to stop allowing them at some
> point.
>
> R Kent James
> Chair, Thunderbird Project



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/tb-planning/attachments/20150826/83c82de7/attachment.html>


More information about the tb-planning mailing list