[SRU request] Update Thunderbird to 115.x (as 102.x is EOL)

Bug #2029913 reported by Qwerty Chouskie
This bug affects 8 people
Affects: thunderbird (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

[ Impact ]

 * The Thunderbird 102.x series has its final release (12.15.0) planned for release on August 30th. After that, the 102.x series will no longer receive critical security updates. Due to the size and complexity of the Mozilla/Thunderbird codebase, it is extremely unlikely that the Ubuntu team could take on the task of backporting patches to new security issues once official support for the 102.x series has ended.

 * Updating to Thunderbird 115.x in all currently-supported Ubuntu releases will make sure users stay secure.

 * It should be noted that 115.x does make changes to the interface. While all these changes are ostensibly for the better, normally this level of change would disqualify an application from getting SRUed. However, running an EOL email client is a security/privacy risk to users that can't be ignored.

* Official post detailing the interface changes: https://www.thunderbird.net/en-US/thunderbird/115.0/whatsnew/

* Official changelog for 115.0 release: https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes/

* Official changelog for 115.1 bugfix release: https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/

[ Test Plan ]

Not sure, I'm just a user

[ Where problems could occur ]

 * New major release, usual concerns apply

[ Other Info ]

 * I'm guessing that this SRU was already planned to happen eventually, but since I couldn't find an official request, here we are

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in thunderbird (Ubuntu):
status: New → Confirmed

Richard Muller (richy80) wrote :

Update from Thunderbird 68 to 78 left us without security updates for over 6 months:
https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1895643

TB 78 to 91 took 4.5 months without security patches:
https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1949605

For TB 91 to 102 the gap has been 3.5 months:
https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1990886

Thanks Qwerty Chouskie for bringing this up before EOL of TB 102!
Let's hope for a smoother transition this time. :)

Qwerty Chouskie (asdfghrbljzmkd) wrote :

I've added Olivier Tilloy to the bugmail since they seem to be the one that managed the previous updates. If there's anything I can do to help move this forward so we don't end up with another multiple-month lack of security updates, let me know, I'll do what I can to help.

Olivier Tilloy (osomon) wrote :

I'm not working on firefox/thunderbird updates any longer. I've subscribed ~mozillateam, hopefully the update is already being prepared.

Rolando Gorgs (rolandogorgs) wrote :

Thanks ~osomon for your efforts over the past years to keep Thunderbird running! And I apologize for being so pushy on updates all the time.

Now I sincerely hope that someone at ~mozillateam will take on this important task soon. Time of security updates for TB 102 is running out in less than two weeks from now and the existing snap package of Thunderbird is not an adequate replacement for LTS users.

I'm more than willing to help testing the 115 update, when it comes. :)

So please keep us updated!

Amin Bandali (bandali) wrote :

Hi folks,

I've subscribed ~seb128, as he's one of the main folks working on Thunderbird updates currently. Seb tells me he will be starting on this shortly, probably next week. :-)

Rico Tzschichholz (ricotz) wrote :

Test builds of Thunderbird 115.x are available at https://launchpad.net/~mozillateam/+archive/ubuntu/thunderbird-next

Qwerty Chouskie (asdfghrbljzmkd) wrote :

I added the PPA and upgraded, everything was smooth (though I had to re-sign-into one of my email accounts).

I did run into a regression with the 115 series, so I opened an upstream bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1849284). I don't think this issue should hold back the upgrade though, just wanted to mention it.

Richard Muller (richy80) wrote :

Thanks Rico!

I had more or less the same update experience as Qwerty Chouskie. Had to re-enter into my test mail account but aside from that I didn't see any problems. Sending, receiving and searching for mails works as expected. I'm not a huge fan of the new UI but well ... better that than no security updates. For accessibility and security reasons I have always been using only the text mode. So I'm not affected by that upstream regression. Anything else to test?

Sebastien Bacher (seb128) wrote :

As a side note for those wanting to be on the new series sooner or to try it, you can install the snap version of Thunderbird, which is on 115 already.

The deb update is likely to take longer since major version updates require more work and bring more risk of regressions.

Ras (rasdpm) wrote :

In the meantime until 115.x, can the outstanding security updates for 102 be rolled out? The deb is still on 102.13.0 while Mozilla has released security fixes up to 102.14.

Sebastien Bacher (seb128) wrote :

According to https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/ the highest CVE fix is 'high' there. I will try to squeeze that in this week but it might wait for 102.15 next week; meanwhile you can use the snap if you prefer to be on an up-to-date version.

Richard Muller (richy80) wrote :

I think you can safely assume that all readers here know that the snap exists and is updated in a timely manner.

The problem is that the deb that is in use on many many machines lags behind so much and for so many years now, while users think they have a secure and up-to-date system.

I really don't understand why this is possible, while the need for up-to-date browsers is common sense. A mail client is just as exposed and security-critical as a browser.

The 115.x test build provided by Rico seems to be fine. So I don't see what's stopping you from pushing the update. If I miss something as a non-developer, please tell us what's the problem. In any case, Thunderbird updates have to get faster...

/edit: Maybe like for Firefox SNAP is the long term solution to this but as long as the deb exists and is widely used it should not be neglected!

Rolando Gorgs (rolandogorgs) wrote :

I installed "thunderbird - 1:115.2.0+build2-0ubuntu0.22.04.1~mt1" from thunderbird-next on my Jammy test VM. Played around but didn't find any errors. Thunderbird 115 and all my Addons work as expected. Is there anything special to test? If not, I'd ask you to push the 115.2 update! :)

Richard Muller (richy80) wrote :

After the regression reported by Qwerty Chouskie turned out to be expected behavior (https://bugzilla.mozilla.org/show_bug.cgi?id=1849284#c8), I don't see any reason to hold back TB 115.2 Update any longer.

@Sebastien: Please don't spend more time on 102.x, when 115.2 is ready and the future of Thunderbird anyway.

I'm using the thunderbird-next package on my 20.04.3 machine for some days now without any hassle.

Richard Muller (richy80)
summary: - [SRU request] Update Thunderbird to 115.x (as 102.x is EOL later this
- month)
+ [SRU request] Update Thunderbird to 115.x (as 102.x is EOL)

Rico Tzschichholz (ricotz) wrote :

The 102.15.0 update got prepared and will be published next week.

Note that all mentioned CVEs are addressed in 102.15.0 as well.

Sebastien Bacher (seb128) wrote :

The 102.15.0 updates are staged in the security PPA so there is no need to pause those updates; that's the last version in that series.

Sorry, but not matching the theme color is an annoying regression still in 115, https://bugzilla.mozilla.org/show_bug.cgi?id=1849509

We will work on updating to 115 but that's probably going to take a bit; until then you will get the current 102 fixes or use the snap to get 115.2, at your convenience.

S. Auer (sauerkraut) wrote :

I've been watching the situation around the outdated Thunderbird package for quite some years now, and I have to speak up as well.

It's ridiculous to have a discussion about "regressions" through recolored buttons in an otherwise fully functional mail client version, while at the same time security vulnerabilities remain unpatched for months. You guys really need to rethink your priorities! I would understand if there was a long term option to stay with familiar Thunderbird 102. But since probably nobody wants and has the time to backport security fixes every 14 days, this option doesn't exist.

Read the linked issue!

Thunderbird developer writes, "[changed color behavior, people complaining on] is a conscious decision we made to simplify our UI" and after that closes the issue as resolved/invalid.

Package maintainer calls it "quite a visible user regression and I think we will consider as a blocker to update stable series from 102 to 115".

Come on! Since this color change is quite noticeable in use, it must be assumed that it was introduced intentionally.
There are functional changes from Thunderbird 102 to 115, that not everyone may like, but the color of buttons is a matter of taste, not a "regression"!

Mail clients are software designed mainly to work with, not just to look at. I know that Ubuntu is strict about introducing regressions through updates, which is a good thing in general. But with browsers, the lesson was learned a long time ago that up-to-dateness and security take precedence over optics, individual taste and minor (and sometimes even large) regressions.

That's how mail clients have to be treated as well.

So unless there are real regressions please stop this discussion and roll out version 115 soon!

Sebastien Bacher (seb128) wrote :

> while at the same time security vulnerabilities remain unpatched for months

We just updated to 102.15.0 so there are currently no unpatched security vulnerabilities.

Richard Muller (richy80) wrote :

Thunderbird 102.15.1 and 115.2.2 are out and fix a "critical" issue (CVE-2023-4863)
See: https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

Please push the updates here and to thunderbird-next. Thanks! :)

Keep in mind, that this might be the final security fix coming to Thunderbird 102.
As I don't see any progress in the color discussion (here and over at mozilla) I'd again push for a transition to 115 in the very near future. Please don't wait until the first unfixed security issue pops up!

Richard Muller (richy80) wrote :

Now we have reached the point, from which security vulnerabilities rated as "high" will stay unfixed in Thunderbird 102!
https://www.mozilla.org/en-US/security/advisories/mfsa2023-43/

The CVEs CVE-2023-5169, CVE-2023-5171 and CVE-2023-5176 got fixed in Thunderbird 115.3 but stay open in TB 102.

So please don't wait any longer and push TB 115.3!

Richard Muller (richy80) wrote :

@Rico: I left CVE-2023-5174 and CVE-2023-5168 out on purpose because according to Mozilla these two vulnerabilities only affect Windows users.

Sebastien Bacher (seb128) wrote :

The 115 update is being worked on, unfortunately it requires a newer nodejs than the version currently available in 22.04 to build (12.22.12 vs 12.22.9). We will need to figure out if we can revert that requirement somehow or if updating nodejs as a stable update is doable...

Rolando Gorgs (rolandogorgs) wrote :

Thunderbird 115.0 came out 11 weeks ago, first confirmed working Test build 6 weeks ago but after that the focus seems to have shifted back from bringing TB 115 towards TB 102 maintenance and fighting evil button colors.

Now, when Mozilla's transition phase is completely over, the first real show stopper pops up?!?

This is exactly what S. Auer described in many words as "wrong priorities".
Major Thunderbird package updates have been going like this for many years now.
I am really disappointed. :(

Sebastien Bacher (seb128) wrote :

The real issue is that our previous thunderbird maintainer left and we didn't get a new member to replace him and the other team members have more than enough to do already. I'm doing my best to get the updates out but I'm not that familiar with the project and I'm also busy, if anyone wants to step up to help instead of complaining about our priority being wrong that would help...

Also issues like having to be able to update nodejs in a stable Ubuntu series to build a newer Thunderbird should make us consider phasing out the deb in favor of using a snap as we did for Firefox...

Meanwhile it seems that the depends requirement doesn't need to be as strict so for this round we should be able to just lower the depends in a patch, new builds have been uploaded to the security ppa for 115.3.1 on the different series

Qwerty Chouskie (asdfghrbljzmkd) wrote :

> Also issues like having to be able to update nodejs in a stable Ubuntu series to build a newer Thunderbird should make us consider phasing out the deb in favor of using a snap as we did for Firefox...

Funny, I was just about to say this :)

People on Reddit will be mad but from both a security standpoint it seems it's the right thing to do. Hopefully this switch can get done in time for 24.04 LTS.

Rico Tzschichholz (ricotz) wrote :

Thunderbird 115.3.1 got released to all supported series.

Changed in thunderbird (Ubuntu):
status: Confirmed → Fix Released