<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
For the record in considering the issue of email signing, Jorge's
experience is the same as mine, namely that he is not aware of
instances of malicious add-ons targeting Thunderbird. I suppose this
is also relevant in the question of deprecated support for XUL and
binary addons which is probably, in the Firefox case, also partially
motivated by security issues.<br>
<br>
That doesn't mean that we can just ignore what Firefox is doing and
go our merry way. It is not reasonable to ask the addon team to
continue to support review and other aspects of Thunderbird addons
if our technology differs greatly from Firefox. Nor are we likely to
be able to support layout code that is no longer used by Firefox. So
I think our position is likely to be, as we have discussed, that we
will eventually do whatever Firefox does, only with a considerable
time lag.<br>
<br>
:rkent<br>
<br>
<div class="moz-forward-container"><br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
</th>
<td>Re: [amo-editors-internal] Any known Thunderbird addon
malware?</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
<td>Wed, 26 Aug 2015 17:42:30 -0600</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
<td>Jorge Villalobos <a class="moz-txt-link-rfc2396E" href="mailto:jorge@mozilla.com"><jorge@mozilla.com></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
<td>R Kent James <a class="moz-txt-link-rfc2396E" href="mailto:kent@caspia.com"><kent@caspia.com></a>,
<a class="moz-txt-link-abbreviated" href="mailto:amo-editors-internal@mozilla.org">amo-editors-internal@mozilla.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:amo-editors-internal@mozilla.org"><amo-editors-internal@mozilla.org></a></td>
</tr>
</tbody>
</table>
<br>
<br>
<pre>I don't recall any instances of malicious add-ons targeting Thunderbird.
I could be that they exist and just go unreported, but most likely it
just hasn't been a sufficiently juicy target for malware add-on devs.
Jorge
On 8/25/15 5:27 PM, R Kent James wrote:
> Hi,
>
> Kent James here from the Thunderbird project.
>
> We're trying to prepare an official announcement of Thunderbird plans
> for addons given some of the Mozilla changes that have been announced
> recently. The particular issue I'd like to address here is addon signing.
>
> As I understand it, addon signing in Firefox is driven by security
> considerations due to a history of addon malware in the past. We're
> trying to learn if there is a similar history with Thunderbird, as we
> are trying to decide whether to target requiring signed addons for
> some future version of Thunderbird, say Thunderbird 45. The currently
> shipping version of Thunderbird (version 38) does not and will not
> require addon signing. We are leaning toward not requiring addon
> signing in the future Thunderbird 45 either, but still deciding.
>
> I am not aware of any history of significant Thunderbird addon malware
> in the past. Is anyone here aware of any? Are there other sources that
> I should look at to determine this?
>
> As an aside, we agreed today that our official position on binary
> extensions is that they are allowed now (as there are several key
> binary extensions that we use) but those projects have plans to remove
> that requirement in the future. So binary extensions are currently
> allowed but deprecated, and we expect to stop allowing them at some
> point.
>
> R Kent James
> Chair, Thunderbird Project
</pre>
<br>
</div>
<br>
</body>
</html>