I "maintain" the Remember the Milk AUR package. This is a closed-source binary package that upstream has not made a new release of in 3 years. The release notes say the package depends on Chrome 91 (91.0.4472.124) / Electron 13.1.7. The package itself builds, installs, and runs fine. I am worried, however, since RTM is closed-source software that depends on ancient versions of Chrome and Electron. Is there anything that I should be doing (apart from switching to Todoist or some other task list software)?
Offline
Neither your package nor the .deb archive mentions a dependency on electron/chromium.
Extracting data.tar.xz from the .deb does show some system and chromium stuff in /opt/rememberthemilk.
Have you tried moving those away to see if it can use system installed libraries instead?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Online
https://aur.archlinux.org/packages?O=0&K=electron13
Looking around in the RTM forums, the project seems to be in an ICU on life support.
https://www.cvedetails.com/vulnerabilit … 3.1.7.html
No idea whether any of those is relevant to the specific client (it's an online service, not just a glorified atq, is it?)
Offline
I haven't tried moving the libraries to see if I can use the system libraries instead. I don't list the electron dependencies because they are packaged with the binary.
As for the project being on life support. It definitely is. They do just enough to keep the mobile apps and website functioning, and that is it. That said, it is pretty much perfect software in my opinion. I am not sure what a glorified atq is.
Offline
I am not sure what a glorified atq is.
https://man.archlinux.org/man/at.1.en
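remember () {
    # "remember @ timespec : what" schedules a notification via at(1)
    if [ "$1" = "@" ]
    then
        shift
        TOKEN="$*"
        TIME=${TOKEN%%: *}   # everything before the first ": "
        MSG=${TOKEN#*: }     # everything after the first ": "
        # MSG is pasted into the command line that at runs later, so
        # quotes or $() inside it are interpreted by that shell
        echo "notify-send -t 0 \"$MSG\"" | at "$(date -d "$TIME" +"%R %F")" || (
            printf "Bad Date"
            sleep 3
            echo
        )
    elif [ "$1" = "help" ]
    then
        echo 'remember [@ timespec : ] what'
    else
        # no timespec given: notify immediately
        notify-send -t 0 "$*"
    fi
}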
I.e. a local scheduler.
If you control 100% of the input, the dated electron doesn't matter as long as it works.
If it receives input (data) from "the internet" (even if it's via your account) you might or might not be vulnerable through the listed CVEs (or others).
But since it's a binary-only release there's absolutely nothing you can do about that except bugging upstream to maybe release a rebuild.
Offline
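Added example, not part of any post in this thread: one way to confirm which Chromium/Electron versions a binary-only package actually bundles is to scan the tree extracted from data.tar.xz for embedded version strings. The function names are hypothetical, and the check assumes the bundled runtime carries its "Chrome/<version>" and "Electron/<version>" user-agent fragments as literal bytes in some file.

```shell
# Added example: list Chromium/Electron version strings embedded in the
# files of an extracted package tree (e.g. the contents of data.tar.xz).
# Assumption: the runtime stores "Chrome/<ver>" / "Electron/<ver>" as
# literal bytes somewhere in the tree. Function names are hypothetical.

# Print each distinct "<product>/<version>" found under directory $1.
bundled_runtime_versions() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -a: treat binaries as text, -o: print only the match,
    # -h: suppress file names so sort -u can deduplicate
    find "$dir" -type f -exec \
        grep -ahoE '(Chrome|Electron)/[0-9]+(\.[0-9]+){2,3}' {} + 2>/dev/null |
        sort -u
}

# Exit 0 if the lowest bundled Chrome major version is below $2,
# exit 1 if it is not, exit 2 if no Chrome string was found at all.
chrome_major_below() {
    dir=$1
    min_major=$2
    major=$(bundled_runtime_versions "$dir" |
        sed -n 's|^Chrome/\([0-9]*\)\..*|\1|p' | sort -n | head -n 1)
    [ -n "$major" ] || return 2
    [ "$major" -lt "$min_major" ]
}
```

Run `bundled_runtime_versions` against the extracted /opt/rememberthemilk tree and compare the result with the versions stated in the release notes; the major-version threshold passed to `chrome_major_below` is the packager's own choice.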