Closed ghost closed 7 months ago
Thanks for your message! Got a few questions about this change. I want to clarify that the 2.13 branch of the Jackson library is still being maintained, and version 2.13.5 is free from any known vulnerabilities. You can check it out yourself here: https://github.com/FasterXML/jackson/wiki/Jackson-Releases. Note that Signal is using an older version, 2.12.0.
It's true that the maintenance cycle is winding down for 2.13. Because of this and a few other reasons, we're gonna increase the minimum Android version requirement to 8.0 very soon.
One aspect to consider in security is availability. We could have kept the latest version 2.15.3, but that would have left Molly users on Android 7 and 7.1 unable to migrate. The app crashed on startup, and they wouldn't be able to back up their data.
Regarding supporting old Android versions, check out my comment at https://github.com/mollyim/mollyim-android/issues/108#issuecomment-1272499853.
Is there an existing issue for this?
Bug description
Disclaimers:
I know this section is not the right one. I tried to reach you using Matrix, but on my iPad (with lockdown mode) both Element and Element X are unbearable and completely unusable (I can’t even search for rooms).
By writing this “issue”, I’m not implying that the project is not secure or that the developers should not be trusted. I’m simply asking a question!
So, I saw a commit made by valldrac that downgrades a third-party library (Jackson) from 15.3 to 13.5 in order to keep compatibility with Android Nougat (for reference: https://github.com/mollyim/mollyim-android/commit/4d3ba651b918c705fb145944966667def5e1de43).
According to Google, Android Nougat represents only 2.6% of total users (~ 3/100) (for reference: https://www.gizchina.com/2023/10/30/android-version-distribution/).
Basically, out of 100 people, ~ three people are using a phone running Nougat.
Recently, Google removed support for Nougat from Google Chrome due to the lack of users. (For reference: https://www.91mobiles.com/hub/google-chrome-end-support-android-nougat/)
My opinion: Molly is a hardened fork of Molly; as such, it should prioritize security over usability, where possible. Supporting really old versions of Android (which are very insecure because they lack proper hardware and security updates; I think this brings up issue #108) and downgrading libraries (which may have unpatched security vulnerabilities) seems counterintuitive, since we are talking about a project that did a lot of work in order to make Signal more secure.
So, what I wonder is: is this the right choice for Molly? (Again, I’m just asking; I’m not implying anything.)
Steps to reproduce
No response
Molly version
v6.39.2-1
Android version
No response
Device
No response
Link to debug log
No response