Major Security Vulnerabilities

Description

I was working with the Solus Linux team to get Mailspring to be available in their packages. However, when I did so, they pointed out several security issues they found, which is why they had previously pulled it. They checked it again and stated that the issues still exist. This is obviously concerning.

You can find my post about it here: Mailspring · Issue #4962 · getsolus/packages · GitHub
You can find their original findings here: Insecure Dependencies · Issue #9 · Foundry376/Mailspring-Sync · GitHub

Linux - Mailspring Version: 1.15.1

Hey @clintre, thanks for the post! Sounds like the concern is that Mailspring uses an older version of OpenSSL? (I see your post also references an old version of our JSON parsing library, but I’m not aware of any security implications of that.)

We’re planning on dropping support for Ubuntu 16, Ubuntu 18 and other old versions of Linux soon, and that should allow us to move to a newer version of OpenSSL. It’s actually getting difficult to continue building Mailspring for those ancient Linuxes for other reasons too.


Yeah, I just mainly wanted to point out what they were finding. I actually ran a static analysis, and it did not come up, but they posted their findings when I was trying to get Mailspring in their repos and then noticed the SSL that they were referring to. I cannot use Snap and the unofficial Flatpak version doesn’t work, so wanted to see about getting a native package there.

For now using Distrobox to run it, but it is not ideal.

Thanks for the response.

You bet! I read through the discussion you linked and I think I’m up to speed on this again.

I’ll see if we can move toward using the system version of OpenSSL and drop support for old Linux releases. I think long ago when we started the project, we were actually shipping a /newer/ version of SSL than was present on many Linux distros, but now, almost 8 years later, it’s an older version, not a best practice, and definitely a security issue.

Thanks for flagging this!

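The thread's concern is an application shipping its own, older OpenSSL instead of linking the system library. A packager or reviewer can check for that without source access by scanning a shipped binary (for Mailspring that would be the mailsync executable) for the version banner OpenSSL embeds in every build and comparing it with the system's library. The script below is an added example written for this thread, not code from the Mailspring project; the sample byte blob is constructed here to stand in for a binary, and the end-of-life table covers only the OpenSSL series known to be unsupported.

```python
"""Scan a binary for embedded OpenSSL version banners and compare them
with the OpenSSL the system (here: this Python interpreter) links against.

Added example for this thread; not Mailspring project code.
"""
import re
import ssl
import sys
from pathlib import Path

# Every OpenSSL build embeds a banner such as "OpenSSL 1.0.2u  20 Dec 2019".
# Capture the version only; the lookahead stops "1.0.2update" matching as "1.0.2u".
VERSION_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)(?![a-z])")

# OpenSSL release series that no longer receive security fixes
# (1.0.2 ended 2019-12-31, 1.1.1 ended 2023-09-11).
EOL_SERIES = {(0, 9), (1, 0), (1, 1)}


def find_openssl_banners(blob: bytes) -> list[str]:
    """Return the distinct OpenSSL versions whose banner appears in blob."""
    found = {m.group(1).decode("ascii") for m in VERSION_BANNER.finditer(blob)}
    return sorted(found, key=parse_version)


def parse_version(version: str) -> tuple[int, int, int, str]:
    """'1.1.1k' -> (1, 1, 1, 'k'); '3.0.13' -> (3, 0, 13, '')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {version!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def is_older_than(bundled: str, system: str) -> bool:
    """True when the bundled version sorts before the system's version."""
    return parse_version(bundled) < parse_version(system)


def is_end_of_life(version: str) -> bool:
    """True when the version belongs to a series that no longer gets fixes."""
    major, minor, _, _ = parse_version(version)
    return (major, minor) in EOL_SERIES


def system_openssl_version() -> str:
    """Version of the OpenSSL that this interpreter's ssl module links to."""
    m = VERSION_BANNER.match(ssl.OPENSSL_VERSION.encode("ascii"))
    if m is None:
        raise RuntimeError(f"unexpected ssl.OPENSSL_VERSION: {ssl.OPENSSL_VERSION!r}")
    return m.group(1).decode("ascii")


def report(blob: bytes, system: str) -> list[dict]:
    """One finding per embedded OpenSSL version, flagged against the system copy."""
    return [
        {
            "version": v,
            "older_than_system": is_older_than(v, system),
            "end_of_life": is_end_of_life(v),
        }
        for v in find_openssl_banners(blob)
    ]


# Constructed stand-in for a binary that statically links OpenSSL 1.0.2u.
SAMPLE_BLOB = (
    b"\x00\x7fELF garbage\x00OpenSSL 1.0.2u  20 Dec 2019\x00"
    b"more strings\x00OpenSSL 1.0.2u  20 Dec 2019\x00"
)


def main(argv: list[str]) -> int:
    blob = Path(argv[1]).read_bytes() if len(argv) > 1 else SAMPLE_BLOB
    system = system_openssl_version()
    findings = report(blob, system)
    if not findings:
        print("no embedded OpenSSL banner found (likely links the system library)")
        return 0
    for f in findings:
        flags = [k for k in ("older_than_system", "end_of_life") if f[k]]
        print(f"embedded OpenSSL {f['version']} (system {system}): {', '.join(flags) or 'ok'}")
    return 1 if any(f["older_than_system"] or f["end_of_life"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_openssl.py /path/to/mailsync`; with no argument it scans the constructed sample. A binary that links the distribution's libssl normally carries no banner of its own, so an empty result is the expected outcome for a correctly packaged build, while any banner older than the system copy or in an end-of-life series is the situation the Solus packagers flagged.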