Safer way to build Thunderbird snap

Bug #1965664 reported by Opa Koval
This bug affects 1 person
Affects: thunderbird (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned
Milestone:

Bug Description

Hello dear Canonical team,

the offered Thunderbird snap uses only HTTPS to secure the download of Thunderbird itself and its language packs. At least I found this snapcraft.yaml proving it:
https://git.launchpad.net/~desktop-snappers/thunderbird/+git/snap/tree/snapcraft.yaml?h=stable

Due to recent attacks against HTTPS by changing network routes and creating new trusted certificates for official domains [1], HTTPS alone is not trustworthy anymore. Could you please integrate a check of the SHA512SUMS (an additional GPG check would be the best of course but is maybe not so easy to implement) after downloading Thunderbird itself and all the language packs? The same is already done for the Chromium snap as far as I could see.

Thank you very much!

[1] https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600

Olivier Tilloy (osomon) wrote :

This would require an override-pull scriptlet.

Changed in thunderbird (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
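
The checksum check requested in this report, as an added example (not code from the Thunderbird snap or from either participant): a POSIX shell function of the kind an override-pull scriptlet could call once the download has finished. The function names `verify_sha512` and `demo`, the file names, and the assumption that manifest lines follow `sha512sum` output format with no spaces in names are all hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded artifact against a SHA512SUMS-style manifest.
# Assumes manifest lines of the form "<128 hex chars>  <name>" (sha512sum output).

# verify_sha512 MANIFEST ENTRY FILE
# Returns 0 only if ENTRY is listed exactly once in MANIFEST with a well-formed
# digest and FILE hashes to that digest. Every other case fails closed.
verify_sha512() {
    manifest=$1 entry=$2 file=$3
    [ -n "$entry" ] && [ -r "$manifest" ] && [ -r "$file" ] || return 2

    # Exact match on the name field; tolerate sha512sum's binary-mode "*" prefix.
    # Zero matches or duplicate matches are both treated as failure.
    expected=$(awk -v want="$entry" '
        { name = $2; sub(/^\*/, "", name) }
        name == want { print tolower($1); n++ }
        END { if (n != 1) exit 1 }' "$manifest") || return 3

    # Reject malformed or truncated digests before comparing.
    case $expected in
        *[!0-9a-f]*) return 4 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 4

    actual=$(sha512sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in artifact plus a manifest generated for it,
# then the same artifact modified after the manifest was written.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for a release tarball\n' > "$d/pkg.tar.bz2"
    ( cd "$d" && sha512sum pkg.tar.bz2 > SHA512SUMS )
    ok=0;  verify_sha512 "$d/SHA512SUMS" pkg.tar.bz2 "$d/pkg.tar.bz2" || ok=$?
    printf 'x' >> "$d/pkg.tar.bz2"    # simulate modification in transit
    bad=0; verify_sha512 "$d/SHA512SUMS" pkg.tar.bz2 "$d/pkg.tar.bz2" || bad=$?
    rm -rf "$d"
    [ "$ok" -eq 0 ] && [ "$bad" -ne 0 ]
}
```

A manifest fetched over the same HTTPS connection as the artifact shares its trust path, so the check only adds protection when the manifest is authenticated separately, for example pinned in the build recipe or verified against a GPG signature as the report suggests.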