FS#77061 - electron17, electron18, electron19 are unsupported and vulnerable packages

Attached to Project: Community Packages
Opened by Nemo (captn3m0) - Monday, 09 January 2023, 07:54 GMT
Last edited by Caleb Maclennan (alerque) - Thursday, 22 June 2023, 20:09 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Caleb Maclennan (alerque)
Bruno Pagani (ArchangeGabriel)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

electron17, electron18, electron19 are all vulnerable, not maintained, and unsupported. These should not be included in the official repos.

Support Details:

https://endoflife.date/electron

https://releases.electronjs.org/releases/stable?version=19

https://releases.electronjs.org/releases/stable?version=18

https://releases.electronjs.org/releases/stable?version=17

keybase-gui and zettlr (electron17) support v22 in the latest code (unreleased)

Closed by  Caleb Maclennan (alerque)
Thursday, 22 June 2023, 20:09 GMT
Reason for closing:  Implemented
Comment by Toolybird (Toolybird) - Monday, 09 January 2023, 08:17 GMT
Related  FS#75490 

18 is orphaned and not required by anything...could easily be dropped?
Comment by Bruno Pagani (ArchangeGabriel) - Monday, 09 January 2023, 13:20 GMT
Yeah, I left it while getting information on what keybase and zettlr could support. Dropping to the AUR right now. 19 will stay a bit longer I’m afraid…
Comment by Bruno Pagani (ArchangeGabriel) - Monday, 09 January 2023, 13:28 GMT
Comment by loqs (loqs) - Monday, 09 January 2023, 15:51 GMT
zettlr supports electron 22 in 3.0.0-beta, keybase supports electron 22 in git HEAD. Current stable releases for both target electron 17.4.
Comment by Nemo (captn3m0) - Monday, 16 January 2023, 05:42 GMT
Related: electron20 goes EOL in 2 weeks or so, once 23 is released (it's already in beta). As of now, there's no packages depending on electron20, so it could be dropped easily.
Comment by Caleb Maclennan (alerque) - Tuesday, 28 February 2023, 08:05 GMT
I've tried backporting newer Electron patches for current stable Zettlr builds with no luck, we're waiting for stable builds there. Beta seems to be going well and should be out soon.

Same with Keybase, which is notoriously even harder to keep working with Electron not supported upstream. Also their next release cycle is not looking imminent. We're kind of stuck until they do.
Comment by Nemo (captn3m0) - Tuesday, 28 February 2023, 10:22 GMT
electron17 was last released on 2022-08-01, and doesn't have fixes for many known security vulnerabilities, including:

1. zlib "1.2.11", vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2022-37434 / https://security.archlinux.org/CVE-2022-37434
2. 234 CVEs for Chrome: https://www.cvedetails.com/vulnerability-list.php?vendor_id=1224&product_id=15031

Filed a separate task for electron20, which should be easily dropped: https://bugs.archlinux.org/task/77673
Comment by Caleb Maclennan (alerque) - Tuesday, 28 February 2023, 10:35 GMT
@captn3m0 Nobody here is defending Electron 17, we'll drop it as soon as we can. With two upstream projects that haven't had stable releases yet with anything newer our hands are kind of tied. Zettlr is well aware of the issue and already has a release cycle in the works. Please check the Keybase repo to see what their release cycle is like and add something noting the CVEs if they are not already moving on this to try to speed things up.
Comment by Nemo (captn3m0) - Wednesday, 14 June 2023, 07:05 GMT
All of electron19 dependents have an upstream update to stable electron versions:

- cozy-desktop needs to be updated from 3.36.1 (electron=19) to 3.38.0 (electron=23)
- mattermost-desktop needs to be updated from 5.1.1 (electron=19) to 5.3.1 (electron=23)

Should I create bugs against the cozy/mattermost packages? They're already flagged.
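As an added example (not part of this bug report), a small audit script that flags installed packages depending on the EOL Electron majors discussed in this thread. It parses `pacman -Qi`-style output; the sample text below is constructed with the versions quoted in this thread, not live data, and the field layout is assumed to match real pacman output.

```python
"""Audit Arch packages for dependencies on end-of-life Electron majors.

Parses `pacman -Qi`-style output and reports every package whose
'Depends On' line names an electronNN package with NN in the EOL set.
"""
import re
from typing import Dict

# EOL majors as discussed in this thread (17, 18, 19; 20 flagged as going EOL).
EOL_ELECTRON_MAJORS = {17, 18, 19, 20}

# Constructed sample in the shape of `pacman -Qi` output; versions are the
# ones quoted in the thread for the electron19 dependents, not live data.
SAMPLE_PACMAN_QI = """\
Name            : cozy-desktop
Version         : 3.36.1-1
Depends On      : electron19  gtk3  libnotify

Name            : mattermost-desktop
Version         : 5.1.1-1
Depends On      : electron19  libnotify

Name            : some-tool
Version         : 1.0-1
Depends On      : electron23  glibc
"""

# Matches 'electronNN' with an optional version constraint such as 'electron19>=19.1'.
ELECTRON_DEP = re.compile(r"^electron(\d+)(?:[<>=].*)?$")

def parse_pacman_qi(text: str) -> Dict[str, Dict[str, str]]:
    """Return {pkgname: {field: value}} from blank-line separated `pacman -Qi` blocks."""
    packages, current = {}, {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                packages[current["Name"]] = current
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:  # flush the last block when the text has no trailing blank line
        packages[current["Name"]] = current
    return packages

def eol_electron_dependents(text: str, eol_majors=EOL_ELECTRON_MAJORS) -> Dict[str, int]:
    """Map each package that depends on an EOL electronNN to that major version."""
    hits = {}
    for name, fields in parse_pacman_qi(text).items():
        for dep in fields.get("Depends On", "").split():
            m = ELECTRON_DEP.match(dep)
            if m and int(m.group(1)) in eol_majors:
                hits[name] = int(m.group(1))
    return hits

if __name__ == "__main__":
    for pkg, major in sorted(eol_electron_dependents(SAMPLE_PACMAN_QI).items()):
        print(f"{pkg}: depends on EOL electron{major}")
```

On a real system, feed it `pacman -Qi` output instead of the sample and update the EOL set from endoflife.date.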
Comment by Caleb Maclennan (alerque) - Wednesday, 14 June 2023, 08:11 GMT
As of now we have up to date builds of Electron 22, 23, 24, and 24 in repos. The migration of the rolling release version from 22 to 25 is incomplete, but that isn't a hold up for packages that need to be updated. I would suggest we now need packagers of all the things that depend on EOL versions that *have* upstream updates to apply those now and see where that gets us.

Actual package drops to AUR may be delayed a little while we work on tooling to preserve history across migrations, but I'll take care of them as long as nothing depends on them.
Comment by Caleb Maclennan (alerque) - Wednesday, 14 June 2023, 08:14 GMT
Also for reference, 18 has been dropped, 20 and 21 are ready to be so. We just need 17 and 19 to be cleared up.

Both packages requiring 17 have upstream releases PENDING that will use 23, but are not released yet. 19 is more complex as updates are available for those apps but seem to have build issues.
Comment by loqs (loqs) - Wednesday, 14 June 2023, 11:31 GMT
> 19 is more complex as updates are available for those apps but seem to have build issues.
Please try the attached diffs for cozy-desktop and mattermost-desktop.
Comment by loqs (loqs) - Friday, 16 June 2023, 21:01 GMT
diff for zettlr updating to 3.0.0-beta.4 and electron24.
Comment by Caleb Maclennan (alerque) - Thursday, 22 June 2023, 10:20 GMT
cozy-desktop is in [extra-testing] with your patch.

mattermost-desktop I had been working on for a while, but I'm curious if you have any comments on my approach. My approach required packaging a couple extra files that were left in the unpacked tree only. Did the way you did it with `exec electron-builder` actually result in a working app entirely in the asar?

zettlr update is building now, just with the version scheme fixed because the way you did it the final 3.0.0 would show up as *older* than the beta.
Comment by Caleb Maclennan (alerque) - Thursday, 22 June 2023, 10:43 GMT
Zettlr builds but doesn't run. It looks like similar issues to what I ran into with mattermost-desktop:

https://gitlab.archlinux.org/archlinux/packaging/packages/zettlr
Comment by Caleb Maclennan (alerque) - Thursday, 22 June 2023, 20:05 GMT
Bye bye 17 and 19, thanks for all the fish. Long live the AUR and may I never need you from there.