On 27 February 2024 02:12:57 GMT+01:00, [email protected] wrote:
> Request #52583 has been Rejected by serebit [1]:
>
> This package should be deleted because it compromises the security of the systems on which it is installed. This package is a customized electron build that the maintainer uses for his personal projects, which use Electron as a web browser to navigate some streaming media websites. It essentially duplicates the functionality of the `electron` packages, but with incorrect naming and unknown modifications. In addition to creating a man-in-the-middle scenario, this package compromises the security of its users by disregarding upstream security recommendations.
>
> Notably, Electron is *not* a web browser. Although it uses the same rendering engine as Chromium, it is not Chromium, and it does not have the same security features Chromium does. On the contrary, Electron intentionally has reduced security because it is intended for desktop apps, not web browsing. At [Security](https://www.electronjs.org/docs/latest/tutorial/security), Electron developers state:
>
> > A security issue exists whenever you receive code from an untrusted source (e.g. a remote server) and execute it locally. As an example, consider a remote website being displayed inside a default BrowserWindow. If an attacker somehow manages to change said content (either by attacking the source directly, or by sitting between your app and the actual destination), they will be able to execute native code on the user's machine.
>
> The maintainer's apps that use this package do what Electron devs describe avoiding:
>
> ```
> const mainWindow = new BrowserWindow(...)
> ...
> mainWindow.loadURL('https://...')
> ```
>
> This package also has multiple packaging defects that the maintainer is resistant to fixing. Even if they were fixed, the security implications described above would remain.
>
> * Does not guard path variables with quotes. Paths may contain spaces, which would not only break the script, but could damage users' systems.
> * Uses pkgrel in download link. Link will break when pkgrel is bumped.
> * Potentially missing provides/conflicts, since this is duplicating function of `electron` packages.
> * Runs a non-standard secondary setup script instead of including the commands directly in the PKGBUILD. This makes the package more difficult to review for malicious content.
@serebit, thank you for your work on AUR. However, it is not quite understandable why you are rejecting these requests with only the quoted reasoning in favor of accepting a deletion.

Btw I wholly agree with submitter @xiota, these packages are brazenly dangerous. Electron (unnecessarily) has setuid, and with these packages, one will execute untrusted, unverified remote web code, with thousands of pieces of third-party monitoring, advertising and analyzing JavaScripts in a local system context.

Care to elaborate your rationale behind keeping them?

And btw nowadays it's easy to use Chromium or Firefox to add so-called Progressive Web Apps as applets to the desktop. That is the preferred and secure way to create these kinds of desktop-web integrations. That's why the Nativefier project, which is also Electron / NodeJS based and an alternative solution to the one used in this package, has been shut down, because such a solution is hard to make secure, whereas PWAs are as robust as the browser itself. [a]

Cheers, looking forward to your kind answer.

Marcell / MarsSeed

[a]: https://github.com/nativefier/nativefier/
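As an added illustration of the upstream guidance the quoted request cites (this is example code, not from the AUR request, the package, or Electron itself), the snippet below is the hardened counterpart of the quoted `new BrowserWindow(...)` / `loadURL('https://...')` pattern: Node integration off, context isolation and the Chromium sandbox on, plus a navigation guard so a compromised remote page cannot steer the window to an arbitrary origin or open new windows. The `https://example.com` allowlist and the `fakeWindow` stand-in are assumptions so the guard can be exercised without Electron installed.

```javascript
// Added example: hardened BrowserWindow settings and a navigation guard for
// an app that displays remote content. Electron is not required to run it.

// Assumed allowlist of origins the app is meant to display.
const ALLOWED_ORIGINS = new Set(['https://example.com']);

// webPreferences per Electron's security checklist: remote pages get no
// Node.js access, the preload bridge is isolated, the renderer is sandboxed.
function hardenedWebPreferences() {
  return {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
    webSecurity: true,
    allowRunningInsecureContent: false,
  };
}

// A navigation is allowed only over https and only to an allowlisted origin.
function isAllowedNavigation(url, allowed = ALLOWED_ORIGINS) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  return parsed.protocol === 'https:' && allowed.has(parsed.origin);
}

// Attach guards to a window: block in-page navigation away from the
// allowlist and deny every window.open() so no unvetted window appears.
function wireNavigationGuard(win, onBlocked = () => {}) {
  win.webContents.on('will-navigate', (event, url) => {
    if (!isAllowedNavigation(url)) { event.preventDefault(); onBlocked(url); }
  });
  win.webContents.setWindowOpenHandler(({ url }) => {
    onBlocked(url);
    return { action: 'deny' };
  });
}

// Minimal stand-in for BrowserWindow (assumed) so the guard runs offline.
function fakeWindow() {
  const handlers = {};
  const webContents = {
    openHandler: null,
    on(event, fn) { handlers[event] = fn; },
    emit(event, ...args) { if (handlers[event]) handlers[event](...args); },
    setWindowOpenHandler(fn) { this.openHandler = fn; },
  };
  return { webContents };
}
```

With a real Electron window the same wiring is `const win = new BrowserWindow({ webPreferences: hardenedWebPreferences() }); wireNavigationGuard(win); win.loadURL('https://example.com/');`.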
