You are not logged in.

#1 2024-11-12 20:31:06

daniel_shub
Member
Registered: 2012-06-21
Posts: 89

Dependency on ancient versions of Chrome and Electron

I "maintain" the Remember the Milk AUR package. This is a close source binary package that upstream has not made a new release of in 3 years. The release notes say the package depends on Chrome 91 (91.0.4472.124) / Electron 13.1.7. The package itself builds, installs, and runs fine. I am worried, however, since RTM is closed source software that depends on an ancient versions of Chrome and Electron. Is there anything that I should be doing (apart from switching to todist or some other task list software).

Offline

#2 2024-11-14 10:20:06

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,926

Re: Dependency on ancient versions of Chrome and Electron

Neither your package nor the .deb archive mentions a dependency on electron/chromium .

Extracting data.tar.xz from the .deb does show some system and chromium stuff in /opt/rememberthemilk .

Have you tried moving those away to see if it can use system installed libraries instead ?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Online

#3 2024-11-14 14:40:01

seth
Member
Registered: 2012-09-03
Posts: 58,659

Re: Dependency on ancient versions of Chrome and Electron

https://aur.archlinux.org/packages?O=0&K=electron13

Looking around in the RTM forums, the project seems to be in an ICU on life support.
https://www.cvedetails.com/vulnerabilit … 3.1.7.html
No idea whether any of those is relevant to the specific client (it's an online service, not just a glorified atq, is it?)

Offline

#4 2024-11-15 02:06:50

daniel_shub
Member
Registered: 2012-06-21
Posts: 89

Re: Dependency on ancient versions of Chrome and Electron

I haven't tried moving the libraries to see if I can use the system libraries instead. I don't list the electron dependencies because they are packaged with the binary.

As for the project being on life support. It definitely is. They do just enough to keep the mobile apps and website functioning, and that is it. That said, it is pretty much perfect software in my opinion. I am not sure what a glorified atq is.

Offline

#5 2024-11-15 07:58:58

seth
Member
Registered: 2012-09-03
Posts: 58,659

Re: Dependency on ancient versions of Chrome and Electron

I am not sure what a glorified atq is.

https://man.archlinux.org/man/at.1.en

remember () {
	if [ "$1" = "@" ]
	then
		shift
		TOKEN="$*" 
		TIME=${TOKEN%%: *} 
		MSG=${TOKEN#*: } 
		echo "notify-send -t 0 \"$MSG\"" | at "$(date -d "$TIME"  +"%R %F")" || (
			printf "Bad Date"
			sleep 3
			echo
		)
	elif [ "$1" = "help" ]
	then
		echo 'remember [@ timespec : ] what'
	else
		notify-send -t 0 "$*"
	fi
}

Ie. a local scheduler.

If you control 100% of the input, the dated electron doesn't matter as long a it works.
If it receives input (data) from "the internet" (even if it's via your account) you might or not be vulnerable through the listed CVEs (or others)
But since it's a binary-only release there's absolutely nothing you can do about that except bugging upstream to maybe release a rebuild.

Offline

Board footer

Powered by FluxBB