Closed probonopd closed 1 month ago
The segfault does not happen when passing in a runtime with --runtime-file.
@TheAssassin maybe we should just call curl and/or wget from the system and call it a day?
Also segfault on Linux.
btw, I expect appimagetool to include the runtime (as in previous builds). I don't want my (long) build process to all of a sudden download a binary and possibly break due to network/download issues, or the runtime is broken for some reason.
It's also a major security concern. The build process downloads an unknown binary and injects that into something you distribute to users.
I have no problems using --runtime-file=, but I think the old way was preferred (and more secure).
@TheAssassin please let's take this into consideration. I have to agree with @rodlie.
> It's also a major security concern.
I disagree.
> The build process downloads an unknown binary and injects that into something you distribute to users.
Well, 99% of all users download the binary from GitHub directly without any means of verification. There is no difference to just downloading the runtime from GitHub as well.
> (and more secure).
Not really, at least for the vast majority of users.
> @TheAssassin please let's take this into consideration. I have to agree with @rodlie.
You're ignoring alternative solutions at this point in favor of a rightfully obsoleted setup that caused trouble all the way. I wouldn't mind adding some cryptographic verification (indeed, I'm very much for this option in general, even for the CLI variant).
All of this is off topic, though. You should open a new issue.
The reason was that I updated appimagetool and all of a sudden it starts downloading stuff. This is not expected behavior based on previous versions, and it should be documented somewhere that the application downloads additional resources during use (if this is documented it should be more visible).
Anyway, do whatever you want. I will replace appimagetool with a simple shell script.
On-topic: it segfaults on CentOS 7.9.
P.S.:
> btw, I expect appimagetool to include the runtime (as in previous builds)
The reasons I object to this are manifold, but I am unwilling to reiterate all the arguments, honestly. There was a really long discussion back when we moved appimagetool into this repository about it. After a long back and forth, the better arguments won, leading to this situation. That is not an excuse for not actually using cryptography to verify the downloaded runtime. See #44.
> and more secure
I had a quick glance at the build.sh (which I wanted to do with CMake, as it'd make a lot more sense, but it was agreed on that @probonopd will have to take care of this mess) and it downloads plenty of files without any verification. One should add some file hashes there.
@rodlie please open a new issue.
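The file-hash check suggested in the comment above, for files a build script downloads or for a downloaded runtime, as an added example that is not part of the thread or of the appimagetool project. The function names are hypothetical, and the pinned SHA-256 is assumed to come from a source trusted separately from the download itself.

```bash
#!/usr/bin/env bash
# Added example: pin the SHA-256 of a downloaded build input and refuse to use
# it on mismatch. All function names here are hypothetical.

# Print the lowercase hex SHA-256 of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_HEX -> 0 on match, 1 otherwise (fails closed).
verify_pinned() {
    local file="$1"
    local expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject a malformed pin instead of comparing against garbage.
    case $expected in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# install_verified SRC EXPECTED_HEX DEST
# Hash a private copy, then move that same copy into place, so the bytes that
# were checked are the bytes that get used (no check-then-reopen gap).
install_verified() {
    local src="$1" expected="$2" dest="$3"
    local tmp
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if cp -- "$src" "$tmp" && verify_pinned "$tmp" "$expected"; then
        mv -- "$tmp" "$dest"
    else
        rm -f -- "$tmp"
        echo "refusing $src: SHA-256 does not match pinned value" >&2
        return 1
    fi
}
```

A pinned hash only detects a file that differs from the one the pin was taken from; it says nothing about who produced that file, which is what a signature check would add.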
Fixed by #45.
@rodlie please retest. I tested it successfully on CentOS 7.9 (and on FreeBSD 14.0-RELEASE/helloSystem). We will document the need to either provide an already-downloaded runtime, or have appimagetool download the latest one automatically.
Can be reproduced using a Live ISO from https://github.com/helloSystem/ISO/releases/tag/experimental-13.2