Project

General

Profile

Feature #7626

Bug #11082: Replace Liferea

Investigate using Thunderbird & TorBirdy as the RSS reader

Added by intrigeri over 3 years ago. Updated 7 days ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
05/05/2016
Due date:
% Done:

100%

QA Check:
Feature Branch:
Type of work:
Security Audit
Blueprint:
Starter:
Affected tool:
Feed Reader

Description

This should be done against the questions raised in https://trac.torproject.org/projects/tor/wiki/torbirdy#IsitsafetosubscribetoRSSfeedswithThunderbirdandTorBirdy:

  • Is automatic fetching disabled?
  • Is HTML disabled?
  • Is JavaScript disabled?
  • Are proxy settings respected? (this is out of scope as far as Tails is concerned so not stricly required as part of this ticket)
  • Are there other anonymity implications?

Related issues

Related to Tails - Feature #5663: Return to Icedove Resolved 10/16/2013
Related to Tails - Feature #7625: Persistence preset: RSS feeds Confirmed 07/20/2014
Related to Tails - Feature #11399: Audit Icedove and TorBirdy as feed reader in Tails Duplicate 05/05/2016

History

#1 Updated by intrigeri over 3 years ago

#2 Updated by BitingBird almost 3 years ago

  • Affected tool set to Email Client

#3 Updated by sajolida almost 2 years ago

I'm using it myself already. It works fine but I'm not volunteer for more than testing :)

#4 Updated by sajolida over 1 year ago

  • Parent task deleted (#7625)

#5 Updated by sajolida over 1 year ago

  • Parent task set to #11082

#6 Updated by sajolida over 1 year ago

  • Type of work changed from Test to Discuss

What would it actually take to validate Icedove as the new recommended RSS feed reader? It works for me but do we want to:

  • Do some security audit? Liferea was becoming scarry because it allows JavaScript (#9429). Does this apply to RSS feeds in Icedove with TorBirdy? Personally I see only plain text when checking my feeds in Icedove.
  • Look for other features that Liferea had and Icedove might be missing?
  • Could we find volunteers to do check this?

Marking this as a discussion for the next meeting so we agree on the requirements for removing Liferea from the ISO.

#7 Updated by intrigeri over 1 year ago

  • Do some security audit? Liferea was becoming scarry because it allows JavaScript (#9429). Does this apply to RSS feeds in Icedove with TorBirdy? Personally I see only plain text when checking my feeds in Icedove.

One the one hand, if we deem it's good enough for dealing with untrusted content coming from email, it can as handle it for content from RSS feeds. OTOH, IIRC TorBirdy disables HTML email support (and thus, scary things like JavaScript) by default; right? Does it do the same for RSS feeds? ("I see only plain text" suggests it does, but if would be nice if it was confirmed by looking at the code.)

  • Look for other features that Liferea had and Icedove might be missing?

I don't think it's worth it. To be perfectly blunt: I personally doubt that anyone actually uses Liferea in Tails.

#8 Updated by sajolida over 1 year ago

  • Type of work changed from Discuss to Security Audit
  • Starter deleted (No)

Sure, so what needs to be done is to check the handling of RSS in TorBirdy's code. Changing the Type of Work accordingly.

Actually they have an FAQ marked as TODO about this: https://trac.torproject.org/projects/tor/wiki/torbirdy#IsitsafetosubscribetoRSSfeedswithThunderbirdandTorBirdy

So I sent a mail to Sukhbir to pick his brain about initial issues, pointers, etc.

#9 Updated by sajolida over 1 year ago

  • Affected tool changed from Email Client to Feed Reader

#10 Updated by u over 1 year ago

Sukhbir started to modify the TorBirdy code recently:

  • To disable checking of new articles on startup and after a fixed interval, add an overlay which disables both these settings after a new RSS account is created. This is similar to what we are doing with the manual email configuration wizard.
  • Disable HTML for RSS feeds

see https://github.com/ioerror/torbirdy/commits/master commits from may 11th and 12th 2016.

#11 Updated by intrigeri 7 months ago

  • Assignee set to anonym
  • Target version set to Tails_3.0

We're seeing issues in 3.0~betaN with Liferea, and we prefer spending our time moving to Thunderbird instead of debugging Liferea.

#12 Updated by anonym 7 months ago

  • Target version changed from Tails_3.0 to Tails_3.2

#13 Updated by intrigeri 6 months ago

#14 Updated by u 6 months ago

#15 Updated by u 6 months ago

  • Subject changed from Investigate using Icedove as the RSS reader to Investigate using Thunderbird & TorBirdy as the RSS reader
  • Description updated (diff)

#16 Updated by u 6 months ago

  • Related to Feature #11399: Audit Icedove and TorBirdy as feed reader in Tails added

#17 Updated by intrigeri 3 months ago

  • Target version changed from Tails_3.2 to Tails_3.5

#18 Updated by intrigeri 3 months ago

#19 Updated by u 3 months ago

u wrote:

Sukhbir started to modify the TorBirdy code recently:

  • To disable checking of new articles on startup and after a fixed interval, add an overlay which disables both these settings after a new RSS account is created. This is similar to what we are doing with the manual email configuration wizard.

This is currently working in Torbirdy from Stretch.

  • Disable HTML for RSS feeds

This works correctly too.

#20 Updated by u 3 months ago

More:

Looks good!

The only downside I see is the UX for adding a feed which works but at first sight it's hard to find what you need to do and where.

#21 Updated by intrigeri 12 days ago

FWIW I've switched my personal RSS/Atom setup to Thunderbird (outside of Tails, on Debian sid) a couple days ago. I'll be happy to share feedback about how it works for me if it helps, after I've used it for a month or three.

#22 Updated by sajolida 9 days ago

I also switched the feed reader of my Debian to Thunderbird some weeks ago to take it back under control.
On my Tails I've been using Thunderbird exclusively for years.

#23 Updated by intrigeri 7 days ago

  • Assignee deleted (anonym)
  • Target version deleted (Tails_3.5)

Also available in: Atom PDF