[20.03] chromium,google-chrome: Mark as insecure #110953

Closed

@primeos (Member) commented Jan 27, 2021

Since web browsers are especially security critical we should mark them
as insecure so that users are aware of the risks.

Motivation for this change

Like #88368 but for NixOS 20.09 (a bit delayed this time because the first Chromium update since 20.09 reached its EOL didn't contain any security fixes and then I forgot about it).

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@worldofpeace (Contributor)

I feel inclined to close this for the same reason as I closed #110943. 20.03 is EOL #101975, do we really need to go through every package and say how it's vulnerable?

@primeos (Member, Author) commented Jan 28, 2021

> do we really need to go through every package and say how it's vulnerable?

No, definitely not, but as I stated in the commit message I consider web browsers a special high-risk case (and some users might forget to update their channel, etc.). An alternative would be if we could properly mark the EOL channels or every package in them as potentially insecure.

Anyway, as I recall it we used to backport fixes for major vulnerabilities for a bit longer than one month but if #110943 was closed then we can close this PR too.

@primeos primeos closed this Jan 28, 2021
@danieldk (Contributor)

Maybe we could add a message to EOLed releases (with trace), so that the user is informed that the release contains known vulnerabilities every time they evaluate nixpkgs?
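The two mechanisms this thread touches on, as an added illustration that is not code from this PR or from nixpkgs itself: a package marked insecure through `meta.knownVulnerabilities` (how "mark as insecure" is done in nixpkgs) and the evaluation-time warning with `lib.warn`/`builtins.trace` that danieldk proposes. The package name, version and message text are constructed; the nixpkgs attributes used (`meta.knownVulnerabilities`, `config.permittedInsecurePackages`, `lib.warn`) are real.

```nix
# Constructed example. Evaluate one attribute at a time, e.g.
#   nix-instantiate --eval -A permitted example.nix   (succeeds)
#   nix-instantiate --eval -A refused   example.nix   (fails with the listed vulnerabilities)
let
  # Package expression for a hypothetical "example-browser" whose release line
  # is EOL. A non-empty meta.knownVulnerabilities list is what makes nixpkgs'
  # meta check refuse to build the derivation by default.
  exampleBrowser = { lib, stdenv }:
    stdenv.mkDerivation {
      pname = "example-browser";   # hypothetical name, not a real package
      version = "0.0.1";           # constructed version
      dontUnpack = true;
      installPhase = "mkdir -p $out";
      meta = {
        description = "Constructed example of a package marked insecure";
        knownVulnerabilities = [
          "Release line is end-of-life; security fixes are no longer backported."
        ];
      };
    };

  # Default nixpkgs config: forcing drvPath/outPath throws, and the error
  # message reproduces the knownVulnerabilities entries plus opt-in instructions.
  pkgsDefault = import <nixpkgs> { };

  # Explicit opt-in: the exact "<pname>-<version>" string is allow-listed, so
  # evaluation proceeds. NIXPKGS_ALLOW_INSECURE=1 (with --impure) is the ad-hoc
  # equivalent for a single invocation.
  pkgsPermitted = import <nixpkgs> {
    config.permittedInsecurePackages = [ "example-browser-0.0.1" ];
  };

  # The release-wide message suggested in the thread: lib.warn wraps
  # builtins.trace, so the text is printed every time the wrapped package set is
  # evaluated, without blocking any build.
  warnEol = pkgs:
    pkgs.lib.warn
      "this nixpkgs release is end-of-life and contains known vulnerabilities"
      pkgs;
in {
  refused   = (pkgsDefault.callPackage exampleBrowser { }).drvPath;   # throws
  permitted = (pkgsPermitted.callPackage exampleBrowser { }).drvPath; # evaluates
  warned    = ((warnEol pkgsPermitted).callPackage exampleBrowser { }).name;
}
```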
