
electron-bin is chronically outdated #295770

Open
yu-re-ka opened this issue Mar 14, 2024 · 4 comments
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 9.needs: package (update) This needs a package to be updated

Comments

@yu-re-ka
Contributor

yu-re-ka commented Mar 14, 2024

The last time the listed maintainers were active was 2015 (@travisbhartwell) and 2018 (@manveru) respectively.
Nobody is doing the regular bumps for security updates of electron-bin. Also the default electron-bin attribute points to the now-unmaintained version electron_26-bin.

It was last updated by:

@yayayayaka in October 2023
delroth in Sept 2023 (but this was part of a one-off tree-wide effort to fix a vulnerability in libwebp)
@teutat3s in July 2023

Currently electron-bin is used in two situations:

  • on darwin
  • In packages pinned to old, insecure versions of electron
    • blockbench-electron (25)
    • breitbandmessung (24)
    • feishin (24)
    • electron-fiddle (24)
    • passky-desktop (22)
    • kuro (22)
    • whalebird (21)
    • etcher (19)
    • indiepass-desktop (19)
    • obinskit (13)
    • hyper-haskell (10)
    • teleprompter (10)

I am also once again questioning keeping around old versions of electron-bin. This does not match our general policy:

  • The standalone flash player was removed when it no longer received updates, even though it was still useful to run flash applications.
  • unsupported insecure versions of nodejs were fully removed with a large effort to migrate packages including manual patching, unsupported version combinations, and removal of dead packages which depend on them.

Keeping electron-bin around does generate involuntary maintenance effort through bug reports from users who are not aware which electron build they are using.

@yu-re-ka yu-re-ka added the 9.needs: package (update) This needs a package to be updated label Mar 14, 2024
@mweinelt
Member

It should go without saying that we should not be keeping around unmaintained browser runtimes, that have such a large surface area. Getting strong libwebp/libvpx vibes¹²³.


[1] https://video.fosdem.org/2024/h1302/fosdem-2024-1983-remediating-thousands-of-untracked-security-vulnerabilities-in-nixpkgs.av1.webm
[2] #254798
[3] #258048

@mweinelt mweinelt added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Mar 14, 2024
@yu-re-ka
Contributor Author

yu-re-ka commented Mar 14, 2024

As I think we have a consensus that the old versions should be removed, I'm tagging the maintainers of packages that depend on them:

I would kindly ask you to help with migrating these packages away from insecure electron versions, and keeping them updated in the future.
I'd explicitly encourage you to hack around, interact with upstream, see if a later electron version maybe works, open an issue to update the electron version in upstream.

@Weathercold
Member

whalebird can’t be updated due to missing v2 yarn lockfile support in nixpkgs #284125

@yu-re-ka
Contributor Author

whalebird can’t be updated due to missing v2 yarn lockfile support in nixpkgs #284125

Thanks for the response, I'll make sure we can update it

B4dM4n added a commit to B4dM4n/nixpkgs that referenced this issue Mar 14, 2024
Things changed:
- Unpin electron version. Upstream updates usually fix electron incompatibilities and we also have a test which can detect them. (NixOS#295770)
- Add updater script. It scrapes the upstream website for the current version number. Lets hope the website structure doesn't change too much.
- Update to the latest version
yu-re-ka pushed a commit that referenced this issue Mar 15, 2024
Things changed:
- Unpin electron version. Upstream updates usually fix electron incompatibilities and we also have a test which can detect them. (#295770)
- Add updater script. It scrapes the upstream website for the current version number. Lets hope the website structure doesn't change too much.
- Update to the latest version
jlbribeiro added a commit to jlbribeiro/nixpkgs that referenced this issue Apr 12, 2024
Diff: jeffvli/feishin@v0.5.1...v0.6.1
Changelog: https://github.com/jeffvli/feishin/releases/tag/v0.6.1

Feishin now depends on electron_27; electron_25 has been marked
as EOL since 9652f98.

Fixes NixOS#287765 (package update request) and addresses NixOS#295770 (outdated Electron).
yu-re-ka pushed a commit that referenced this issue Apr 12, 2024
Diff: jeffvli/feishin@v0.5.1...v0.6.1
Changelog: https://github.com/jeffvli/feishin/releases/tag/v0.6.1

Feishin now depends on electron_27; electron_25 has been marked
as EOL since 9652f98.

Fixes #287765 (package update request) and addresses #295770 (outdated Electron).