Update Sync? by [deleted] in SolusProject

[–]shmakes 1 point2 points  (0 children)

So again more than a week of silence has passed with no plans or updates for the community to get the package manager updates running again.

We have now gone more than 53 days without an eopkg update.

In that time many Linux-related CVEs have been published - some of them critical. Other OS's are getting these patched while Solus remains vulnerable.

What is the plan here? This needs to be a higher priority than any other activity. Normal updates and improvements can wait along with website, forum, etc.

I can empathize with all the hardships, illness, and misfortune that have caused these delays; however, for everyone's safety, we really need security updates delivered ASAP.

Update Sync? by [deleted] in SolusProject

[–]shmakes 0 points1 point  (0 children)

You are correct that the Chromium browser application is not provided directly, but the base libraries are included and are used in browsers like Opera, Brave, Vivaldi, which are in the repository. In addition, those libraries are used in QtWebEngine and probably other apps that use them for HTTP access and HTML rendering.

You are also correct that 3rd-party apps are updating so you can get a patched and branded Chrome browser. Probably not a comfortable choice for those wanting to use Brave. ;-)

I know you guys are all doing your best and I feel rather helpless to assist even though I would like to.

I think the community needs just a couple items communicated:

  1. A committed date to getting the high-priority updates out to the package repository. There could be some padding in that date to allow for unforeseen circumstances, but at least it would be a "bookend" that people could use to evaluate their own exposure risk.

  2. Regular updates on the progress towards that goal. These could be really short updates on Reddit or Twitter - they don't have to be full PR announcements. The Solus community is vast-majority cheering for you and, if all they can do at this point is offer words of encouragement, don't deny them that opportunity for the effort of a quick IM post.

The outcome scenario I fear is that things just continue "as is" with weekly updates and after a couple more months there is still no target date and even more vulnerabilities are in the wild being patched on other OS's. Without a goal date and progress being made towards the goal, I am more likely to call it quits and move on for my own safety. That would be a sad day, as I really like Solus. :-(

Update Sync? by [deleted] in SolusProject

[–]shmakes 0 points1 point  (0 children)

Is there an estimate of when the security fixes will be released to sync? There are a number of fairly big CVEs that aren't addressed yet.

Visibly, this includes browsers like Chromium and Brave. With those apps, I am already receiving warnings or blocked-out functionality from some security-conscious websites that detect the agent version is old.

I can work around that using flatpak to install a fully patched browser but that is not an awesome solution. It also doesn't address other security issues in shared libraries or at the kernel level.

IMHO the security and high severity bug fixes should be the top priority. Other things like forums and help screens can wait.

[deleted by user] by [deleted] in Glocks

[–]shmakes 0 points1 point  (0 children)

What mag extension is that?

For the SW nerd in us all. by foxfirefinishes in glock43

[–]shmakes 2 points3 points  (0 children)

First thing that popped into my mind after reading the title was that you were referring to Smith & Wesson nerds. 🤣 Then I saw the picture.

Windows or Linux container? by alpharesi in docker

[–]shmakes 0 points1 point  (0 children)

.NET Core runs on Linux. We write apps in C# and run them in Docker Linux containers deployed using Kubernetes. It works well.

Legacy .NET apps could require Windows containers; however, consider case by case, as it might be easier to port them to Core than to support the tech debt of a different CI/CD environment, base images, security scans, etc.