Closed Arcitec closed 2 months ago
Vesktop RPM already supports auto update! It should automatically update itself whenever there is an update, and you could also use AppImage or Flatpak, which have their own updaters. So I don't think there is much reason for us to host a repo
the tmp file issue has already been fixed via https://github.com/Vencord/Vesktop/commit/75354ad8e668aa2d43580c96f111a6d08a8545f6 and will make it into the next release
Hmm okay, that's surprising. I wouldn't have thought that Vesktop could update itself when it's installed to a system (read-only) location.
Hopefully the app container itself auto-updates, not just the internal web code. Since Electron exploits can appear over time and it's important to have an updated app runtime binary (Electron Chrome Sandbox).
I guess I'll wait and find out if that works. :)
There is a non-zero risk that it behaves exactly like official Discord: Only downloads and runs the internal HTML/JS app (which lives in some writable ~/.local/share/ location), but doesn't update the Electron runtime itself (/opt/Vesktop/chrome-sandbox). If that's the case, a repo like COPR would be necessary for safety.
Glad to see that the temp file issue was fixed by the way. Thanks! :)
I read the https://www.electron.build/auto-update page now and it behaves exactly as I feared: It only updates the internal HTML/JS/CSS but doesn't update the Electron runtime (so /opt/Vesktop/chrome-sandbox never gets security fixes). Which will then stagnate over time and have exploits.
That's only solvable by setting up a repo such as COPR. Which can be done via GitHub web hooks so that anytime a release is tagged here at Vesktop, it fetches the source code and makes an RPM automatically.
There's also other build services such as Open Build Service (OBS) which can create package manager repos for a lot of different distros at once. I just remembered it:
I am aware that some projects use OBS for Fedora distribution but I've never tried installing something from their build service on Fedora. I'd assume that it works, and it supports a LOT of distros. It's the official build service of the openSUSE project.
Since security matters to Vesktop, I would strongly suggest considering a move of all distribution to Open Build Service, which means that users of all kinds of distros will have automatic updates of the runtime.
Then your users will receive Vesktop Electron Runtime updates via System updates and will not have old, exploitable Electron bugs. It also helps ensure that the Vesktop application and all of its features are performant and bug-free since Electron improves over time.
@Vendicated I just found absolute confirmation that this ticket should be reopened:
https://www.electronjs.org/docs/latest/api/auto-updater
Platform Notices
Currently, only macOS and Windows are supported. There is no built-in support for auto-updater on Linux, so it is recommended to use the distribution's package manager to update your app.
I would recommend the aforementioned Open Build Service since that's gonna nail a lot of distros in one simple build service. :heart:
Can the Open Build Service build package for other distributions ?
Yes, we currently support RPM and debian packages. Beside openSUSE and SUSE Linux Enterprise, we support Debian, Ubuntu, Fedora and Mandriva distributions.
I read the https://www.electron.build/auto-update page now and it behaves exactly as I feared: It only updates the internal HTML/JS/CSS but doesn't update the Electron runtime (so /opt/Vesktop/chrome-sandbox never gets security fixes). Which will then stagnate over time and have exploits.
it updates the entire app
I just found absolute confirmation that this ticket should be reopened: https://www.electronjs.org/docs/latest/api/auto-updater
this is not what vesktop uses.
this is not what vesktop uses.
Ah okay, thanks again for the clarification then. :) Glad to hear that you're updating the entire app!
Motivation
I'd like to install Vesktop for my 70 year old mother, but there's no way that she can keep up with installing .rpm files manually.
Solution
Is there any chance of creating a Fedora COPR repo? It's possible to make GitHub web-hooks that trigger COPR's infrastructure to automatically build such a repo's RPM file from the latest source code after every release, for example:
https://copr.fedorainfracloud.org/
Then Fedora users can run the following commands:
After that, the repo would be part of the system and vesktop updates would automatically be installed as regular system updates by GNOME Software, KDE Discover, etc.
Edit: I suggest Open Build Service instead. See followup comments.
Alternatives
I considered teaching my 70 year old mother how to run terminal commands. It's about as successful as teaching her to make space rockets, though. :laughing:
Additional context
Additionally, I noticed that the current Fedora RPM that you build installs some temporary build files in /usr/lib/.build-id.
Those files can (and should... :)) be excluded from the RPM packaging. I am not sure about the exact process for that, but possibly something like rm -rf /usr/lib/.build-id in the RPM build script.
However, I think a Fedora COPR build, which is handled automatically by Fedora's own infrastructure, won't have that problem. So that seems like an easier solution.