element-web: don't inherit jitsi-meet's knownVulnerabilities

[dotlambda]

Description of changes

Use jitsi-meet.src rather than jisti-meet so we're not affected by knownVulnerabilities.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[gador]

This is a semi-automatic executed nixpkgs-review with nixpkgs-review-checks extension. It is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch).

Result of nixpkgs-review pr 335753 run on x86_64-linux 1

3 packages built:

• element-desktop
• element-desktop-wayland
• element-web (element-web-unwrapped)

The following issues got detected with the above build packages.
Please fix at least the ones listed with your changed packages:

element-desktop-wayland:

Package is missing a meta section.
If the package is using runCommand please make sure to inherit or create a meta section.

An empty (vendor) directory got detected.

If this is a go package try replacing vendorSha256 = "0sjjj9z1dhilhpc8pq4154czrb79z9cm044jvn75kxcjv6v5l2m5";
with vendorSha256 = null;

got build log for '/nix/store/74jh8dcwr486qyn8x306afd7apykwyw1-element-desktop' from 'daemon'
When evaluating attribute ‘element-desktop-wayland’:
warning: unused-argument
Unused argument: paths.
Near pkgs/build-support/trivial-builders/default.nix:475:7:

    |
475 |     , paths
    |       ^

[gador]

This is a semi-automatic executed nixpkgs-review with nixpkgs-review-checks extension. It is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch).

Result of nixpkgs-review pr 335753 run on aarch64-darwin 1

3 packages built:

• element-desktop
• element-desktop-wayland
• element-web (element-web-unwrapped)

The following issues got detected with the above build packages.
Please fix at least the ones listed with your changed packages:

element-desktop-wayland:

Package is missing maintainers.
If the package is using runCommand please make sure to inherit or list one or more maintainers.

An empty (vendor) directory got detected.

If this is a go package try replacing vendorSha256 = "0sjjj9z1dhilhpc8pq4154czrb79z9cm044jvn75kxcjv6v5l2m5";
with vendorSha256 = null;

got build log for '/nix/store/30bbaj2jri5w5a1jxb9q9cmaswrsx1q2-element-desktop' from 'daemon'
When evaluating attribute ‘element-desktop-wayland’:
warning: unused-argument
Unused argument: paths.
Near pkgs/build-support/trivial-builders/default.nix:475:7:

    |
475 |     , paths
    |       ^

[github-actions]

Successfully created backport PR for release-24.05:

• [Backport release-24.05] element-web: don't inherit jitsi-meet's knownVulnerabilities #335803

[emilazy]

(Do we actually know that the Jitsi VOIP functionality in Element doesn’t use libolm for its E2E?)

[nim65s]

I think it depends on the jitsi server.
But right now, vodozemac is mentionned in https://jitsi.org/blog/a-stepping-stone-towards-end-to-end-encryption-on-mobile/ but nothing yet is in https://github.com/search?q=org%3Ajitsi+vodozemac&type=code. So: yes, libolm will be used.

[emilazy]

Right, okay. I reported the libolm stuff to Jitsi’s security email when I found it in jitsi-meet but I haven’t yet received a reply (I just missed it: they’ve confirmed a vodozemac migration is planned 4 hours ago). I couldn’t find any tracking issue for the server side of things, either. Thanks for the link to the blog post, but I guess nothing has happened in over two years.

I guess since it’s a server‐side thing we can just punt and say it’s not our problem here, but I wonder if the Element security team would like to know their users are still exposed to libolm after all…

[emilazy]

I’ve reported this to Element.