-
-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
element-web: don't inherit jitsi-meet's knownVulnerabilities #335753
Conversation
This is a semi-automatic executed nixpkgs-review with nixpkgs-review-checks extension. It is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch). Result of 3 packages built:
The following issues got detected with the above build packages.
element-desktop-wayland:
Package is missing a meta section. An empty (vendor) directory got detected. If this is a go package try replacing vendorSha256 = "0sjjj9z1dhilhpc8pq4154czrb79z9cm044jvn75kxcjv6v5l2m5"; got build log for '/nix/store/74jh8dcwr486qyn8x306afd7apykwyw1-element-desktop' from 'daemon'
|
This is a semi-automatic executed nixpkgs-review with nixpkgs-review-checks extension. It is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch). Result of 3 packages built:
The following issues got detected with the above build packages.
element-desktop-wayland:
Package is missing maintainers. An empty (vendor) directory got detected. If this is a go package try replacing vendorSha256 = "0sjjj9z1dhilhpc8pq4154czrb79z9cm044jvn75kxcjv6v5l2m5"; got build log for '/nix/store/30bbaj2jri5w5a1jxb9q9cmaswrsx1q2-element-desktop' from 'daemon'
|
Successfully created backport PR for |
(Do we actually know that the Jitsi VOIP functionality in Element doesn’t use libolm for its E2E?) |
I think it depends on the jitsi server. |
Right, okay. I reported the libolm stuff to Jitsi’s security email when I found it in I guess since it’s a server‐side thing we can just punt and say it’s not our problem here, but I wonder if the Element security team would like to know their users are still exposed to libolm after all… |
I’ve reported this to Element. |
Description of changes
Use
jitsi-meet.src
rather thanjisti-meet
so we're not affected byknownVulnerabilities
.Things done
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 👍 reaction to pull requests you find important.