FS#72077 - [thunderbird] 91.1.0 disables all addons and does not trust addons.thunderbird.net

Attached to Project: Arch Linux
Opened by Jonathon (jonathon) - Wednesday, 08 September 2021, 21:35 GMT
Last edited by Levente Polyak (anthraxx) - Wednesday, 08 September 2021, 23:06 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 8
Private No

Details

Description:

It seems that Thunderbird 91 has made an internal move from addons.mozilla.org to addons.thunderbird.net but this new site is not trusted by Thunderbird. This breaks existing addons and prevents installation of new ones.

The workaround taken by other distros is to disable addon signing:

```
# Disable enforcing that add-ons are signed by the trusted root.
MOZ_REQUIRE_SIGNING=
```

However, this seems like a hacky workaround.

Thunderbird also states that 91 is not an upgrade for 78, "Thunderbird 91 is only offered as direct download from thunderbird.net and not as an upgrade from Thunderbird version 78 or earlier. A future release will provide updates from earlier versions."

As a note, their official binary does trust addons.thunderbird.net, so either they have some "secret sauce" or they have disabled signing in their build.


Additional info:
* https://bbs.archlinux.org/viewtopic.php?pid=1992018#p1992018
* https://github.com/NixOS/nixpkgs/issues/134433

Steps to reproduce:
* Upgrade to 91.1
* Start
* Addons have been disabled
* New addons will not install
This task depends upon

Closed by  Levente Polyak (anthraxx)
Wednesday, 08 September 2021, 23:06 GMT
Reason for closing:  Fixed
Additional comments about closing:  91.1.0-2
Comment by Martin (MartinX3) - Wednesday, 08 September 2021, 21:43 GMT Comment by Jonathon (jonathon) - Wednesday, 08 September 2021, 21:46 GMT
Heh. The upstream "solution" is to never expect signed addons for Thunderbird (even though apparently it will trust addons from addons.mozilla.org...). -.-
Comment by Martin (MartinX3) - Wednesday, 08 September 2021, 21:50 GMT
*To never expect signed addons from addons.thunderbird.net :P
But yes, it's a workaround.
Maybe they killed their root certificate or something.
Or forgot to update it.
Weird people.

LIke the people from OpenSSL not updating their docs to reflect the 3.0.0 release.
Comment by Jonathon (jonathon) - Wednesday, 08 September 2021, 21:52 GMT
Oh, missed that bit. To me, that solution is somehow even worse. XD
Comment by Martin (MartinX3) - Wednesday, 08 September 2021, 21:55 GMT
Yes and sadly the other mail clients in linux are not as usable as thunderbird. :(
Comment by Levente Polyak (anthraxx) - Wednesday, 08 September 2021, 21:59 GMT
Please do not use comments for chit-chat.

Thunderbird addons are simply not signed upstream and the change that hit thunderbird initially came from firefox. There is no secret sauce, the official one just disabled the signing setting, which is a firefox default. The solution is to pull in:

https://hg.mozilla.org/comm-central/rev/56c3c3a87360

Loading...