electron-bin is chronically outdated

[yu-re-ka]

The last time the listed maintainers were active was 2015 (@travisbhartwell) and 2018 (@manveru) respectively.
Nobody is doing the regular bumps for security updates of electron-bin. Also the default electron-bin attribute points to the now-unmaintained version electron_26-bin.

It was last updated by:

@yayayayaka in October 2023
delroth in Sept 2023 (but this was part of a one-off tree-wide effort to fix a vulnerability in libwebp)
@teutat3s in July 2023

Currently electron-bin is used in two situations:

• on darwin
• In packages pinned to old, insecure versions of electron
  • blockbench-electron (25)
  • breitbandmessung (24)
  • feishin (24)
  • electron-fiddle (24)
  • passky-desktop (22)
  • kuro (22)
  • whalebird (21)
  • etcher (19)
  • indiepass-desktop (19)
  • obinskit (13)
  • hyper-haskell (10)
  • teleprompter (10)

I am also once again questioning the keeping around old versions of electron-bin. This does not match our general policy:

• The standalone flash player was removed when it no longer received updates, even though it is was still useful to run flash applications.
• unsupported insecure versions of nodejs were fully removed with a large effort to migrate packages including manual patching, unsupported version combinations, and removal of dead packages which depend on them.

Keeping electron-bin around does generate involuntary maintenance effort through bug reports from users who are not aware which electron build they are using.

[mweinelt]

It should go without saying that we should not be keeping around unmaintained browser runtimes, that have such a large surface area. Getting strong libwebp/libvpx vibes¹²³.

---

[1] https://video.fosdem.org/2024/h1302/fosdem-2024-1983-remediating-thousands-of-untracked-security-vulnerabilities-in-nixpkgs.av1.webm
[2] #254798
[3] #258048

[yu-re-ka]

As I think we have a consensus that the old versions should be removed, I'm tagging the maintainers of packages that depend on them:

• blockbench-electron: @ckiee blockbench: 4.8.1 -> 4.9.4, build from source, rename package #279795
• breitbandmessung: @B4dM4n breitbandmessung: 3.3.0 -> 3.6.0 #295875
• feishin: @onny feishin: 0.5.1 -> 0.6.1, build from source #303638
• electron-fiddle: @andersk
• passky-desktop: @akkesm passky-desktop: bump electron version #296603
• kuro: @LostAttractor kuro: bump electron version and do cleanup #296483
• whalebird: @WolfangAukang @uninsane @Weathercold whalebird: 5.0.7 -> 6.0.4 #284125
• etcher: @wegank etcher: remove #295853
• indiepass-desktop: @WolfangAukang indiepass-desktop: remove #295882
• obinskit: @Shou obinskit: remove #296146
• hyper-haskell: @rvl hyper-haskell: remove #295854
• teleprompter: @Scriptkiddi teleprompter: remove #295852

I would kindly ask you to help with migrating these packages away from insecure electron versions, and keeping them updated in the future.
I'd explicitly encourage you to hack around, interact with upstream, see if a later electron version maybe works, open an issue to update the electron version in upstream.

[Weathercold]

whalebird can’t be updated due to missing v2 yarn lockfile support in nixpkgs #284125

[yu-re-ka]

whalebird can’t be updated due to missing v2 yarn lockfile support in nixpkgs #284125

Thanks for the response, I'll make sure we can update it