olm: update vulnerability description #338006
Conversation
There was a problem hiding this comment.
Thanks. I am nervous about adding more wording in our own voice to this message since the whole matter has become so controversial and the message is already so long; I would prefer to keep it brief and avoid spending much copy on any specific post so that users get the necessary background and can make their own assessments from the links. I think that “It is not known that the issues can be exploited over the network in practical conditions.” is still accurate – it is, thankfully, not known that that can be done – but we can mention that upstream does not consider that likely to change. I was planning to replace the TWIM link with this statement since it supersedes it in my view (just as I replaced the HN comment with the TWIM link).
sumnerevans
force-pushed
the
olm-vulnerability-notice-update
branch
from
4f893c9
to
40bf790
Compare
Additional information has been published by upstream about why they believe the vulnerability to not be exploitable over the network: https://matrix.org/blog/2024/08/libolm-deprecation/ This commit * updates the text of the vulnerability warning to indicate that upstream does not believe the issues to be exploitable over the network, and * adds a link to the blog post. Co-authored-by: Emily <[email protected]> Signed-off-by: Sumner Evans <[email protected]>
sumnerevans
force-pushed
the
olm-vulnerability-notice-update
branch
from
40bf790
to
537d3c4
Compare
|
The wording in this PR seems much stronger than upstream's statements to me:
vs.
I definitely don't see this as implying that they expect distributors or end users to take action, and marking the packages as vulnerable has the IMO fairly severe consequence of resulting in them not being built by Hydra. |
|
The wording is inherited from #334638, and is based on the upstream statement in the libolm repository:
so it’s almost a direct quote. Not much to say beyond that as all sides were pretty thoroughly hashed out in the original PR. |
|
FWIW I don’t have any objection to building libolm on Hydra (we have a mechanism for exceptions to the blanket exclusion of marked‐insecure packages from Hydra builds), but I think we concluded there was no need to because none of the reverse dependencies are particularly heavy builds. If there are clients that would be particularly painful for users to build (maybe Nheko, since it’s C++?), then it seems reasonable to consider adding |
Exactly: the nheko developers said they don't have immediate plans to switch to |
|
An exception for the Hydra permitted insecure packages list would be okay in my view. That means it can still be built on Hydra but the user has to override the warning to use it. Hiding the message entirely on an ad-hoc basis is not. |
So, basically here we have both the upstream developers of the library and the client saying these vulnerabilities are basically non-issue; yet we are breaking setups unless they read a super technical wall of text, follow the instructions and accept the shame of having vulnerable software in their computer. Okay, I guess this is useful if you're someone like Ed Snowden, but for the average Joe, it's a terrible user experience. |
|
(Replied in #341831 (comment).) |
Description of changes
Since the known vulnerability was added, additional information has been
published by upstream about why they believe the vulnerability to not be
exploitable over the network:
https://matrix.org/blog/2024/08/libolm-deprecation/
This commit updates the text of the vulnerability warning with
additional information from the blog post as well as a link to the blog
post.
Signed-off-by: Sumner Evans [email protected]
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.