Open rilysh opened 1 year ago
It's a one-person project. The current maintainer of QuiteRSS didn't have any activity at all on GitHub in the last year, not even a single commit to any repository. And in general there was no real activity since 2017 (even in 2017 it was not a lot).
There weren't a lot of contributors either, and there is only one open pull request currently.
I don't think that QuiteRSS will survive, since it seems that no one is interested.
QuiteRSS used to be a good RSS reader, but there is no such great RSS reader that I would not find problems using at this point in time (even QuiteRSS has problems).
I think that RSS Guard might be the best alternative just for now; it's even better than QuiteRSS in most things.
Hi, thank you for your recommendation. I gave RSS Guard a run for a few days, ~~it clearly feels eons away from QuiteRSS for the moment and some core functions not yet working make it unusable for me at the moment (e.g., feed/category tree not refreshing when adding new items)~~ [Edit: it was my fault, just got an answer from support], I think it's worth a try.
I am saddened that QuiteRSS is not maintained anymore but it's a risk we take as users when we adopt free software. There is probably a very valid reason why the authors are not active anymore (not mentioning the obvious) and the only thing we can do is respect their effort and the service they provided all these recent years.
Until someone gets to fork this project and begins actively maintaining it (I wish I could, but it's not my skill-set and I can't afford to learn this trade now), I think we should consider QuiteRSS abandonware. If we also take into consideration the fact that it is a tool used to pull and display runtime web content into users' workstations, and that vulnerabilities will not be fixed, then it should also be considered a potentially harmful program that should never be installed in a production system.
Does GitHub expose a mechanism to report a project as abandoned and to warn users?
@starbuck3000 No, GitHub doesn't provide such features to its users. But what exactly do you mean by "warn users"? I mean, how would you know who's using this software and who isn't? Also, maintaining someone else's code is actually quite a bit harder, as it depends on their code style, needs, and how they implemented it. And C++ is already quite junky (not to mention maintaining C++ standards) compared to any other OOP language.
Meantime, you can try newsboat, a command line RSS reader. It's well maintained and seems to have a lot of attention.
This week, when I was updating my system, I found that QuiteRSS was moved in Arch Linux from the community repo to the AUR. Looks like one of the maintainers has noticed this.
> If we also take into consideration the fact that it is a tool used to pull and display runtime web content into users' workstations, and that vulnerabilities will not be fixed, then it should also be considered a potentially harmful program that should never be installed in a production system.
I don't know how QuiteRSS works, but it uses qt5-webkit to display web content. This might reduce the vulnerabilities, as qt5-webkit is being updated. But anyway, QuiteRSS does some parsing of the content by itself, so there is still a huge risk.
> what exactly do you mean by "warn users"?
@rilysh: if you look at issue processing metrics in the last 18 months (e.g., "is:issue created:>2021-08-01 is:closed"), none were closed by the actual maintainers of the program. One of QuiteRSS's main functions is to render web content on client computers. The documentation says it embeds webkit-core to render web content from news feeds. This component is regularly subject to critical security patches aimed at protecting client systems from cyberattacks.
I was wondering whether it is safe to allow people to continue downloading this, in particular for Windows systems, on which I doubt many users are keeping embedded Qt libraries up to date with the latest security patches (my download of QuiteRSS contains a library dated from June 2019). If my interpretation is correct, I was suggesting that maybe there could be a banner or something alike that tells users that this project is not maintained anymore and that it may pose a risk to be used in production systems.
Maybe if someone contacted GitHub, they might be able to pin the issue?
It would be better if someone was able to contact the author (if he is contactable) to archive this repository and add a warning to README.md. Or maybe just set someone he trusts as an owner of the repository.
I don't think that there is anything we can do, other than contacting Linux distributions' repository maintainers to not ship this application.
Note: The quiterss.org domain will expire by 2024-07-02.
I assume they're busy with their daily life. Well, indeed, a notice, or even a note that QuiteRSS will have fewer or no updates at all, might actually help new and existing users, but anyway, since there's pretty much no notice, people just keep using this, and the issues keep piling up.
I'm not really much concerned about security issues. Because the Qt WebKit engine is "slower" than most other browser engines, they have a very minimal implementation, something which is enough to render most websites. I assume most users will just check the original site, QuiteRSS, for updates, mostly for notifications of updates, reading newsletters, articles, and probably some other things.
Unless getting RSS updates from a sketchy site, security isn't that important, as QuiteRSS works a little differently than a browser does its job. A moderate notice about security would be quite enough!
@zer0-x: I'll try reaching out, see if they can put a notice in the root readme. @rilysh: also, cautious users will likely be aware of the risk and stop using it. In my case, I was already running it in a VM specifically because of this lack of updates. I agree with you about the low likelihood of monitoring a feed that would return a compromised payload. However, there is one feed installed in all instances by default: the QuiteRSS feed. I think we should not underestimate that on 2024-07-03, someone could try to take over the domain and use this feed as an attack vector to exploit hosts running an unpatched WebKit. One single IT employee working in a large company would be a reward worth the cost of the domain.
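The concern raised above (a default feed whose domain may lapse, read by a client with an unpatched rendering engine) can be turned into a quick audit of a reader's feed list. The script below is an added example, not part of this thread or of the QuiteRSS project: it parses a constructed OPML export, flags feeds whose host falls under a domain on a watchlist with a known or assumed expiry date (the quiterss.org date is the one noted in this thread), and also flags feeds fetched over plain HTTP. The default-feed URL path is a placeholder; the real QuiteRSS feed path is not given on this page.

```python
import xml.etree.ElementTree as ET
from datetime import date
from urllib.parse import urlparse

# Constructed sample OPML export. The quiterss.org feed path is a PLACEHOLDER,
# not the real default feed URL shipped with QuiteRSS.
SAMPLE_OPML = """<?xml version="1.0" encoding="UTF-8"?>
<opml version="2.0">
  <head><title>Feeds</title></head>
  <body>
    <outline text="QuiteRSS" type="rss" xmlUrl="http://quiterss.org/PLACEHOLDER-feed.xml"/>
    <outline text="Example blog" type="rss" xmlUrl="https://blog.example.com/feed"/>
    <outline text="Legacy feed" type="rss" xmlUrl="http://legacy.example.net/rss"/>
  </body>
</opml>
"""

# Watchlist of domains with a known (quiterss.org, per this thread) or
# assumed expiry date. Extend with your own entries.
DOMAIN_EXPIRY = {"quiterss.org": date(2024, 7, 2)}


def feed_urls(opml_text):
    """Return every xmlUrl attribute found on <outline> elements."""
    root = ET.fromstring(opml_text)
    return [o.attrib["xmlUrl"] for o in root.iter("outline") if "xmlUrl" in o.attrib]


def audit_feed(url, today, expiry=DOMAIN_EXPIRY):
    """Return a list of finding tags for one feed URL (empty list means no finding)."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    # Plain HTTP lets an on-path party rewrite feed content. Note that TLS does
    # NOT protect against a lapsed domain: whoever re-registers it can obtain a
    # certificate, so the expiry check below is the more important one.
    if parsed.scheme != "https":
        findings.append("plaintext-transport")
    # Match the host itself or any subdomain of a watchlisted domain.
    for dom, exp in expiry.items():
        if host == dom or host.endswith("." + dom):
            if today > exp:
                findings.append(f"domain-expired:{dom}")
            else:
                findings.append(f"domain-expiring:{dom}:{exp.isoformat()}")
    return findings


def audit_opml(opml_text, today, expiry=DOMAIN_EXPIRY):
    """Map each feed URL in the OPML to its findings. `today` may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return {url: audit_feed(url, today, expiry) for url in feed_urls(opml_text)}


if __name__ == "__main__":
    for url, tags in audit_opml(SAMPLE_OPML, date.today()).items():
        print(url, "OK" if not tags else ", ".join(tags))
```

Run it against a real export (QuiteRSS and most readers can export feeds as OPML) by replacing `SAMPLE_OPML` with the file contents; any feed tagged `domain-expired` should be removed from the reader until the domain's ownership is confirmed, and a reader embedding an old WebKit should not be left subscribed to it at all.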
I have used pretty much every feed reader out there and found RSS to be not only feature rich but very user friendly. It's the best by far in my opinion and deserves the most attention.
It's been years since QuiteRSS got its last update, but it's still the best RSS reader on the planet. The alternatives like rssguard are still immature.
This is probably the best RSS reader I've used so far. But it's been more than a year, and there seem to be very few changes or bug fixes that have been done. So I'm wondering, will there be any update or not?
Thanks.