is keybase abandoned?

nallekarhu · 2023-12-29 19:53:43

I'm wondering if keybase is abandoned on Arch? It has been flagged out-of-date since July, and the latest upstream release in October was noted as security upgrades.

yochananmarqos · 2023-12-29 21:22:40

Go ahead and build 6.2.3 and see if it works. I'm guessing if it did, it would have already been updated. The current PKGBUILD has a couple patches and workarounds. If you get it to work, submit a merge request on GitLab.

EDIT: Fixed typo

Last edited by yochananmarqos (2023-12-30 14:46:43)

nallekarhu · 2023-12-29 23:15:41

The latest release is 6.2.3 and it is available in AUR as keybase-bin 6.2.3_20231016183016+06cb935ee3-1 and it works fine. I'm just curious why the Arch official version hasn't been updated, especially since the latest release is a security upgrade.

Trilby · 2023-12-29 23:32:18

Did you read yochananmarqos's post at all?

If you want to use the -bin version provided by upstream and it works for you great. But if you want proper system package built from source to work with other system components, you need to wait for the maintainer to address any of those challenges, or you can contribute to doing as as noted in the previous comment here.

nallekarhu · 2023-12-30 01:24:44

No need to get upset Inspector. I thought this was a user forum, sorry, my bad. I won't post here again..

mpan · 2023-12-30 03:04:52

If anybody has similar issues in the future, please see the note in the last paragraph below.

Regarding this particular situation, as reported by OP, and the security fixes: I neither use keybase nor know the environments involved in this situation (Electron), but it appears to me the fixes are not affecting Arch Linux’s keybase package.

Looking at changes between keybase 6.2.2 and 6.2.3, the only security-related one potentially affecting Arch would be the one fixing the WebP vulnerability. According to chrisnojima, one of the main contributors to keybase/client:

chrisnojima wrote:

we do not display webp images in the electron nor mobile apps so my understanding is we are not affected by this as we do not attempt any decode (source)

So keybase seems unaffected. Nonetheless there is a guard added just in case a WebP image would ever slip into the program.

Whatever happens in keybase’s source, WebP vulnerability in electron is fixed since 22.3.24. Arch rolled out electron 22.3.24 3 months ago. So even without that patch, Arch’s keybase seems to not be vulnerable.

General advice
If there are security vulnerabilities in a package lingering behind the upstream, and upstream’s version addresses them, open a bug report for the package. This will bring maintainer’s attention to the issue much better than marking the package as out-of-date or complaining on the forum. It will also provide proper tracking for the situation and likely help others being informed about the current state of things. While doing so, please first put some minimum effort into verifying the issue. If uncertain, it’s certainly better than make an invalid report than leave a gaping security hole in software. But show some respect to maintainers’ time by at least trying to research the situation and making a proper, clear, complete report.

Trilby · 2023-12-30 04:05:45

I'm not upset. But I think the first person who responded to you might have grounds to be: you completely disregarded their input as if it wasn't even there and just repeated your question.

Last edited by Trilby (2023-12-30 04:06:41)

nallekarhu · 2023-12-30 06:33:58

I didn't think I ignored the first response, I replied that the latest release 6.2.3 was already built for Arch, and available in AUR. From other replies I seem to be able to gather the answer to my original question: keybase is not orphaned and it's okay not to have the latest release because the security problems have either been fixed and/or don't affect Arch. Look, I'm just a user, and I don't know what WebP or electron are. I use the AUR version and it works fine, but other people are more comfortable with official packages. And when it
comes to Keybase, we still use it, and it works just the same as before Zoom purchased the company

Allan · 2023-12-30 07:54:13

nallekarhu wrote:

I didn't think I ignored the first response, I replied that the latest release 6.2.3 was already built for Arch, and available in AUR.

Not really... it is a prepackaged Debian thing being jerry rigged to fit into an Arch package. That is quite different.

loqs · 2023-12-31 14:56:37

keybase 6.2.3 included an update to electron26 [1] which is in the process of being packaged [2], it currently does not build [3].

[1]: https://github.com/keybase/client/commi … 855ee6c5e7
[2]: https://gitlab.archlinux.org/archlinux/ … electron26
[3]: https://gitlab.archlinux.org/archlinux/ … requests/1

nesta · 2024-01-01 00:04:02

I'm not sure this is related to the `keybase` package being outdated or not... but apparently the API endpoint it is configured to call is returning an invalid (unknown issuer) SSL certificate;

endpoint is: https://api-0.core.keybaseapi.com/

example output from `keybase stat`

$ keybase status
▶ INFO Starting keybase.service.
▶ ERROR PushHandler: failed to run teamHandler handler: API network error: doRetry failed, attempts: 3, timeout 1m0s, last err: Get "https://api-0.core.keybaseapi.com/_/api/1.0/team/for_user.json?compact=1&user_team_version=11": tls: failed to verify certificate: x509: certificate signed by unknown authority [tags:platform=linux,apptype=desktop,GRGRONCONN=aydGHnfwL5SB,chat-trace=nDXWLhA5WlSO,CHTBKG=3Bh_jZLTr1O-,GRGIBM=GmsFFjxJVoCP,user-agent=linux:Keybase CLI (go1.20.5):6.0.2]
▶ INFO Failed to check server for revoked in GAPU: API network error: doRetry failed, attempts: 3, timeout 5s, last err: Post "https://api-0.core.keybaseapi.com/_/api/1.0/device/for_users.json": tls: failed to verify certificate: x509: certificate signed by unknown authority [tags:CFG=fK-wT75TnGdI,EXTSTATUS=SPvO9pkCFBpa,GAPU=eLA_foOSvwWA]

...

... actually, just did some research, and it looks like there's an upstream dumpster fire going on;

* updating CA: https://github.com/keybase/client/commi … 7703d0019f
* issues reported: https://github.com/keybase/client/issues/26088

a new release that fixes this may impact the urgency of getting the community `keybase` package fixed up.

loqs · 2024-01-01 14:06:41

@nesta does rebuilding the current package upstream's fix resolve the issue for you? (I can not fork any more repo's on Arch's gitlab so I can not host it there or submit a merge request):

diff --git a/PKGBUILD b/PKGBUILD
index 3f00437..72eae7f 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -21,17 +21,21 @@ makedepends=(git
 _archive="$pkgbase-v$pkgver"
 source=("$_url/releases/download/v$pkgver/$_archive.tar.xz"{,.sig}
         keybase-gui
-        0001-Don-t-use-electron-to-build.patch)
+        0001-Don-t-use-electron-to-build.patch
+        https://github.com/keybase/client/commit/fbebbc9f1ba29e21ae6d3ee2edc21a7703d0019f.patch)
 sha256sums=('22e5ae4d1f951ea9f3ffc3cb74de9b9f41b828b2c8a4e5cb6401de6fbccf497b'
             'SKIP'
             '7459a6846ff24c2bf7e6ab1ce31880829cf2692f23ffb3bf77e455f4de7ca34e'
-            '74fd7a777275bdf2128f121e27f722f692302a50d89c6c1d3ec82df1deaffee3')
+            '74fd7a777275bdf2128f121e27f722f692302a50d89c6c1d3ec82df1deaffee3'
+            '5a46d9433efb4244509d26fdf04340fb628de1d19a4dff6944510f9bba69d378')
 validpgpkeys=('222B85B0F90BE2D24CFEB93F47484E50656D16C7') # Keybase.io Code Signing (v1) <code@keybase.io>
 
 prepare() {
 	ln -sf "${_archive/$pkgbase/client}" "$_archive"
 	cd "$_archive"
 
+	patch -p1 -i ../fbebbc9f1ba29e21ae6d3ee2edc21a7703d0019f.patch
+
 	export GOPATH="$srcdir/.gopath"
 	mkdir -p "$GOPATH"/src/github.com/keybase
 	ln -sf "$PWD" "$GOPATH"/src/github.com/keybase/client

Arch Linux

#1 2023-12-29 19:53:43

is keybase abandoned?

#2 2023-12-29 21:22:40

Re: is keybase abandoned?

#3 2023-12-29 23:15:41

Re: is keybase abandoned?

#4 2023-12-29 23:32:18

Re: is keybase abandoned?

#5 2023-12-30 01:24:44

Re: is keybase abandoned?

#6 2023-12-30 03:04:52

Re: is keybase abandoned?

#7 2023-12-30 04:05:45

Re: is keybase abandoned?

#8 2023-12-30 06:33:58

Re: is keybase abandoned?

#9 2023-12-30 07:54:13

Re: is keybase abandoned?

#10 2023-12-31 14:56:37

Re: is keybase abandoned?

#11 2024-01-01 00:04:02

Re: is keybase abandoned?

#12 2024-01-01 14:06:41

Re: is keybase abandoned?

Board footer