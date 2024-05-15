flatpak security updates
zero day CVE-2024-4761 is already updated on chrome from version 124.0.6367.207, is flatpak vivaldi 6.7.3329.29 already safe from this attack, and how can i check such a thing in the feature?
@guyc1800 6.7.3329.31 is the latest with security fixed.
I will ask who maintains the current .31 flatpak.
@guyc1800 Yes, seems maintainer did not upload.
Deb and RPM packages are up-to-date.
@DoctorG thank you
@guyc1800 Perhaps Flatpak 6.7....31 is uploaded tomorrow.
Oh I did but flathub is not infrastructure we control. I requested a test build of .31 4 hours ago
https://github.com/flathub/com.vivaldi.Vivaldi/pull/54
One of these must be created before you can start the merge process. Any even after that it is not instant. After testing another build has to be done for release. Then it has to be "published" and even after that there is caching, so it does not arrive immediately.
FWIW this is my test build request, still waiting
https://buildbot.flathub.org/#/buildrequests/486392
The backlog on the flathub's infrastructure appears to be related to the mass rebuilding of a bunch of KDE apps (presumably due to a KDE bump). Once that backlog is through and Vivaldi is built (4 times [two architectures in test then stable form]) I can push the publish button and then you can wait for the build.
The reason the rpm and deb are done is purely because we maintain the entire infrastructure to build and host them.
We could similarly have our own flathub repo but at this stage that is overkill as despite me being maintainer, the flatpak is still not official.
All this said, the build you have is pretty safe and you should not worry too much. I know a little more about the security situation and without saying too much (as I can't yet) I would not feel overly concerned yet.
@guyc1800 said in flatpak security updates:
zero day CVE-2024-4761 is already updated on chrome from version 124.0.6367.207, is flatpak vivaldi 6.7.3329.29 already safe from this attack
Yes 6.7.3329.29 has this changelog entry
https://update.vivaldi.com/update/1.0/relnotes/6.7.3329.29.html
Note that it includes fixes for both
CVE-2024-4761 and CVE-2024-4671.
The Chromium version for 6.7.3329.29 is 124.0.6367.219. Go to https://echo.vivaldi.com and scroll to the bottom and look at uaFullVersion: if you would like to confirm that for yourself.
Ok test build is done and works. Now an official build has been scheduled at 1715797207 (UNIX time)
https://buildbot.flathub.org/#/buildrequests/486728
$ date -ud @1715797207 Wed May 15 18:20:07 UTC 2024
which is about 40 minutes ago as I write this. But … there is still a backlog of other builds that are also waiting to be built. The wait queue seems to be around 2 hours long right now.
When it is done I will have a chance to push publish but even then you might wait an hour before cache clears and it is available on flathub.
If I do not catch it when it is done and push publish, it would autopublish anyway after about 3 more hours (from when the build completes).
One way or another you will likely get it today I reckon.
But if you can not wait you could always checkout the git repo and build locally. That was already updated 45 minutes ago. The repo is here: https://github.com/flathub/com.vivaldi.Vivaldi
On the plus side you now have a better idea about the release process and will understand why it is unlikely to be right up to date immediately after a release.
It should also be obvious why we could not use "flathub" to host snapshots. Snapshot users hate waiting!
@Ruarí Thanks for telling us how the generation of a flatpak package is done at Flathub and that you have no influence on speeding this up.
@Ruarí said in flatpak security updates:
But if you can not wait you could always checkout the git repo and build locally. That was already updated 45 minutes ago. The repo is here: https://github.com/flathub/com.vivaldi.Vivaldi
Just to expand on that for any impatient, "power users" who find this post, the following is the basic build process to build locally (though you might also need some build dependencies)
git clone https://github.com/flathub/com.vivaldi.Vivaldi.git cd com.vivaldi.Vivaldi flatpak-builder --user --install --force-clean build-dir com.vivaldi.Vivaldi.yaml
If you ever wanted a newer version than is listed in the git repo at that time, after the
cdstep just edit "com.vivaldi.Vivaldi.yaml" first, in a similar way to this commit, changing the version number on the URL line and updating the sha256sum to reflect the latest package (of that version)—you only need to change the parts for the architecture you are building. Then when you run
flatpak-builderit would build that version instead.
Maybe this is not useful for everyone but perhaps someone here finds it handy one day.
@Ruarí said in flatpak security updates:
One way or another you will likely get it today I reckon.
This queue is slooooow. I think now more likely you will get it tomorrow.
Ok, it is updated
$ flatpak --user remote-info flathub com.vivaldi.Vivaldi ID: com.vivaldi.Vivaldi Ref: app/com.vivaldi.Vivaldi/x86_64/stable Arch: x86_64 Branch: stable Collection: org.flathub.Stable Download: 174.9 MB Installed: 409.4 MB Runtime: org.freedesktop.Platform/x86_64/23.08 Sdk: org.freedesktop.Sdk/x86_64/23.08 Commit: 9b843c09cd9b25888eed75a8fa2c72da0ff845e73a30dcf5810cdd9a088a30cb Parent: 8515b8afb794594e5c133dfd6005176d8eb26f420cc8748b7a48da993167eb4b Subject: Update vivaldi.deb to 6.7.3329.31 (7a708d49) Date: 2024-05-15 23:41:54 +0000
@Ruarí That will make Flatpackers happy.