Revert "[Backport release-23.05] electron_{22,24}-bin: Mark EOL" #263231
Reverts #262556

I don't see the value in marking Electron < 25 as EOL when release-23.05 is going to be EOL in less than two months anyway. With #262556 merged, packages that are still using an older Electron are now broken and require work to make them build again. I attempted to blindly cherry-pick all the changes to Bitwarden on the master branch to the release-23.05 branch and the build failed, leading me to believe that this was just not worth it as it requires extra work for little gain.

Conversation

I also got confused, but they probably meant that NixOS 23.05 is EOL in about two months. Our usual workflow for a stable NixOS release is to remove/EOL before that NixOS release happens if upstream EOL is expected to happen during its duration, but we don't always manage to do that.

Sorry for the confusion. Yes, I meant that 23.05 is EOL in about two months. I understand that Electron 24 is EOL and that that's a security risk, but disallowing it on the 23.05 branch has blocked packages that depend on it. I think we should merge this to unblock those packages (again, it's stable, so why mess with it).

The main difference/purpose between stable NixOS and a frozen commit is exactly in security updates.

Theoretically, what I see as a "clean" option is to defer this until an actual security issue is known and hope it won't happen (before 23.05 EOL). But will "we" even know when it happens?

Agree for the most part. But if that "security update" breaks stable software but does not address any actual CVE, I don't think it can be considered a security update. If we were dealing with an actual CVE, then I would have spent the time to fix Bitwarden (and other packages, if any) instead of opening a revert PR.

Don't we have a process to flag CVEs against our packages? 🤔

I'm not aware of a process, really. And I meant it more like: do people even bother finding out whether an EOL version is vulnerable? (anyone, even outside the nixos.org project)

I got perhaps too deep into meta-questions. This will best be considered by people that are actually connected to Electron in some way 😄

Closing since NixOS 23.05 is EOL.