jellyfin_10_5: remove unmaintained version #120520

Merged
merged 1 commit into from Apr 26, 2021

@minijackson minijackson commented Apr 24, 2021

Motivation for this change

This version contains a vulnerability, and isn't maintained. The
original reason to have two jellyfin versions was to allow end-users to
back up the database before the layout was upgraded, but these backups
should be done periodically.

Original decision was on #93654, and in retrospect was a mistake, sorry about that.

This PR will be backported if there are no concerns from other maintainers, cc @nyanloutre, @purcell

This is a follow-up on the discussion that started on #120344.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS Linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@purcell purcell left a comment

This seems like a good plan to me.

@dotlambda
Member

This also should fix #120389, and should partially fix #120388 + #120387 once backported.

This fixes #120387, not the others.

@dotlambda dotlambda linked an issue Apr 25, 2021 that may be closed by this pull request
@dotlambda dotlambda added the "9.needs: port to stable" and "1.severity: security" labels Apr 25, 2021
This version contains a vulnerability[1], and isn't maintained. The
original reason to have two jellyfin versions was to allow end-users to
back up the database before the layout was upgraded, but these backups
should be done periodically.

[1]: <https://nvd.nist.gov/vuln/detail/CVE-2021-21402>
@dotlambda
Member

Do we need a changelog entry?

@minijackson
Member Author

It feels a bit weird to add it to the release notes, since it's going to be backported to 20.09

@dotlambda
Member

> It feels a bit weird to add it to the release notes, since it's going to be backported to 20.09

Then I would say we only backport the removal of the package, not the change of the module.
So you need to split the commit in two.
And for 21.05 (i.e. in master) we can get rid of the stateVersion thing but add a changelog entry.

@minijackson
Member Author

That would mean it would break the config of anyone using Jellyfin and having a stateVersion < 20.09, which would be a shame considering the upgrade should go fine without intervention

@dotlambda
Member

> which would be a shame considering the upgrade should go fine without intervention

Oh if there's no breaking change in Jellyfin, then this is fine. I just thought a breaking change was why jellyfin_10_5 was created in the first place.

@minijackson
Member Author

This was not really a breaking change, but more of a warning upstream that the database schema would be auto-migrated

@dotlambda dotlambda merged commit e22d76f into NixOS:master Apr 26, 2021
@dotlambda
Member

@minijackson Will you make a PR for the backport?

@minijackson
Member Author

on it

@minijackson minijackson deleted the jellyfin-remove-10.5 branch April 26, 2021 18:22
@TredwellGit TredwellGit added the "8.has: port to stable" label and removed the "9.needs: port to stable" label Aug 20, 2021
Successfully merging this pull request may close these issues.

Vulnerability roundup 101: jellyfin-10.5.5: 1 advisory [6.5]