Update Dependencies #5965
Comments
Note that the linked flatpak specification file is not used to build the qTox releases on Flathub, this one is: https://github.com/flathub/io.github.qtox.qTox/blob/master/io.github.qtox.qTox.json Nevertheless the releases on our GitHub are built with that version, so we should probably update (and take the file from Flathub as reference). In addition, a complete evaluation of the dependencies and build commands for Windows, Linux AppImage, Linux Flatpak and macOS is also a good idea. As long as there weren't any API breaks this should be quite simple. I would be happy if you can submit a PR. If you need some guidance just ask here.
Change to release procedure here: 12fc33e should ensure each of our GitHub releases has dependencies as up to date as the Flathub build, so as long as they keep updating deps there this should be resolved for our releases. ffmpeg specifically in the GitHub release was updated prior to release v1.17.0: 71b5c50

RE: the dependencies table, I don't think we should artificially raise our minimum supported version of deps, since some LTS distros may use patched versions. I view this more as a "what range of packages could you use" not "should you use". Generally anyone with the ability to run whatever version of the deps should tend towards the upper end of supported versions.

@sudden6 do you remember what you meant by this? Basically that we should go over everything build related unrelated to the flatpak deps?
I think I was talking about making sure that the dependency versions defined in the build scripts are the latest possible ones, i.e. the scripts executed for the release.


I was looking through flatpak/io.github.qtox.qTox.json and noticed we are specifying to use ffmpeg 4.0.1, which has ~60 CVEs. The dependencies table lists an even older version of ffmpeg as supported. Would updating it to the latest secure version break anything? If not, how about updating to at least the latest compatible version?
I haven't checked whether the other dependencies have any known CVEs, or where else we may be using potentially vulnerable versions. Maybe it's time to do an audit of dependencies to see what needs to be updated?
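The audit the issue asks for starts with knowing which versions the manifest actually pins. The script below is an added example, not code from qTox or from the Flathub manifest: it parses a flatpak-builder style JSON manifest (modules with `archive` or `git` sources), pulls the version out of each source's archive filename or git tag, and compares it against a policy table of minimum acceptable versions. The manifest fragment is constructed for the example (only the ffmpeg 4.0.1 pin comes from the issue; the other modules and all checksums are made up), and the `MIN_ACCEPTABLE` table is a hypothetical placeholder, not a claim about which upstream releases are patched.

```python
import json
import re

# Constructed manifest fragment in flatpak-builder's JSON layout. The ffmpeg
# 4.0.1 pin mirrors the version discussed in the issue; the remaining modules
# and the sha256 values are invented for this example.
SAMPLE_MANIFEST = """
{
  "app-id": "io.github.qtox.qTox",
  "modules": [
    {
      "name": "ffmpeg",
      "sources": [
        {"type": "archive",
         "url": "https://ffmpeg.org/releases/ffmpeg-4.0.1.tar.xz",
         "sha256": "0000000000000000000000000000000000000000000000000000000000000000"}
      ]
    },
    {
      "name": "libsodium",
      "sources": [
        {"type": "archive",
         "url": "https://download.libsodium.org/libsodium/releases/libsodium-1.0.18.tar.gz",
         "sha256": "0000000000000000000000000000000000000000000000000000000000000000"}
      ]
    },
    {
      "name": "qtox",
      "sources": [
        {"type": "git", "url": "https://github.com/qTox/qTox.git", "tag": "v1.17.0"}
      ]
    }
  ]
}
"""

# Hypothetical policy table: the lowest version of each dependency the project
# would accept. These numbers are placeholders chosen for the example and say
# nothing about which real releases carry fixes.
MIN_ACCEPTABLE = {
    "ffmpeg": (4, 4, 0),
    "libsodium": (1, 0, 18),
}

# A dotted numeric version such as 4.0.1 or 1.17.0 (two or more components).
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text):
    """Extract the first dotted version from text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def pinned_versions(manifest_json):
    """Map module name -> version tuple for each module whose source carries one."""
    manifest = json.loads(manifest_json)
    pinned = {}
    for module in manifest.get("modules", []):
        for src in module.get("sources", []):
            # git sources usually pin a tag; archives encode the version in the filename
            candidate = src.get("tag") or src.get("url") or ""
            if src.get("type") == "archive":
                candidate = candidate.rsplit("/", 1)[-1]
            version = parse_version(candidate)
            if version is not None:
                pinned[module["name"]] = version
                break
    return pinned


def audit(manifest_json, minimums):
    """Return (name, pinned, minimum, status) per module; status is ok/outdated/unreviewed."""
    findings = []
    for name, pinned in pinned_versions(manifest_json).items():
        minimum = minimums.get(name)
        if minimum is None:
            findings.append((name, pinned, None, "unreviewed"))
        elif pinned < minimum:
            findings.append((name, pinned, minimum, "outdated"))
        else:
            findings.append((name, pinned, minimum, "ok"))
    return findings


if __name__ == "__main__":
    for name, pinned, minimum, status in audit(SAMPLE_MANIFEST, MIN_ACCEPTABLE):
        print(f"{name:<12} pinned={'.'.join(map(str, pinned)):<8} "
              f"min={'.'.join(map(str, minimum)) if minimum else '-':<8} {status}")
```

Modules without an entry in the policy table are reported as `unreviewed` rather than silently passed, so the output doubles as a checklist of what still needs a decision; to run it against the real Flathub manifest, replace `SAMPLE_MANIFEST` with the file contents and fill the table from whichever advisory source the project trusts.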