Package eight months out of date #8

Closed
tidux opened this issue Jul 9, 2020 · 24 comments · Fixed by #10

Comments

@tidux

tidux commented Jul 9, 2020

update please

@The-Compiler
Collaborator

FWIW it looks like CVE-2020-11054 (a low-severity security issue in qutebrowser) isn't fixed in this package either: Reloading page with certificate errors shows a green URL · Advisory · qutebrowser/qutebrowser

@tidux
Author

tidux commented Sep 26, 2020

The package is now fourteen months out of date. This is completely inexcusable for a web browser. Update the package or remove it from flathub.

@erazemk

erazemk commented Oct 13, 2020

@ykgmfq @torsava Sorry to have to tag you here, but I'm guessing a lot of flatpak users use qutebrowser so having it this outdated is quite bad. ysiraichi has made a pull request which builds, so besides taking a quick look at his commits and confirming them I don't think this would take a lot of time. I don't want to rush you but since browsers are such a major and powerful part of the OS, it's quite important to update them imo.

@torsava
Contributor

torsava commented Oct 13, 2020

@erazemkokot Hi, I sadly don't have write/merge access to this repo. To be perfectly frank, I don't even remember contributing to this repo (apparently in 2017). I think we'll need to wait for @ykgmfq, or for somebody to fork it.

@tidux
Author

tidux commented Oct 13, 2020

@The-Compiler could you fork this and make flatpak an official distribution channel for Qutebrowser? Calling a dependency on org.freedesktop.Platform.ffmpeg would solve the patented codecs problem a lot of prebuilt Qutebrowser options have.

@The-Compiler
Collaborator

No, sorry. I don't have the capacity to maintain packages in ecosystems I've never really used myself (I already do that with macOS, barely). If someone steps up as a maintainer I'll happily adjust the install instructions, though.

@erazemk

erazemk commented Oct 14, 2020

@torsava How would forking work? Don't the packages need to be accepted by the Flathub team anyway in which case can't they give someone else permission to accept pull requests and such?

Edit: According to their App Submission wiki we can contact the Flathub admins, but someone would have to volunteer to maintain the package.

@torsava
Contributor

torsava commented Oct 14, 2020

> @torsava How would forking work? Don't the packages need to be accepted by the Flathub team anyway in which case can't they give someone else permission to accept pull requests and such?

@erazemkokot I can't speak for the Flathub team, but I think they must have some non-responsive maintainer policy. If you fork it, make it work, and show that the maintainer here has not responded in a long time, they might transfer you the ownership, or work with you in some manner. That's how it usually works in other projects.

EDIT:

> Edit: According to their App Submission wiki we can contact the Flathub admins, but someone would have to volunteer to maintain the package.

Yeah, that sounds about right.

@tidux
Author

tidux commented Mar 4, 2021

Can we get a Flathub admin to forcibly fix the ownership problem of this repo? This is ridiculous.

@erazemk

erazemk commented Mar 4, 2021

> Can we get a Flathub admin to forcibly fix the ownership problem of this repo? This is ridiculous.

Try mailing admins@flathub.org and ask them to remove qutebrowser from flathub until the flatpak is updated.

@The-Compiler
Collaborator

FYI, I've now contacted them:


Hi,

I'm the upstream of qutebrowser: https://www.qutebrowser.org/

The org.qutebrowser.qutebrowser Flatpak is based on the v1.7.0 release
from July 2019:
#8

Pull requests updating qutebrowser have never been merged:
https://github.com/flathub/org.qutebrowser.qutebrowser/pulls

There were 19 newer releases since then. The v1.7.0 Flatpak contains
many unfixed bugs, including security issues:
GHSA-4rcq-jv2f-898j

Based on the bug reports I am getting, people are still using the
Flatpak, and probably are not aware of the underlying security issues.

Given that this has been reported in July 2020 (and first update PR
being open since October 2019) without any resolution, I'd hereby
like to request a removal of the package from Flathub (unless there's an
active maintainer who'd like to take over maintenance, but I'm not aware
of anyone).

Thanks,
Florian

@bilelmoussaoui
Member

> FYI, I've now contacted them:

You can End-Of-Life the application by following the guidelines on the wiki https://github.com/flathub/flathub/wiki/App-Maintenance#end-of-life. Is there anything else we can help with?

@ramcq

ramcq commented Mar 12, 2021

Hi @The-Compiler - it seems like you already have access to merge the PR, and/or to push the EOL metadata that @bilelmoussaoui suggests. Whilst the EOL to some extent hides the app and discourages new downloads, it doesn't necessarily prevent existing users from continuing to access the app on their system, so if some of the contributors on this thread can confirm it seems to work, merging the PR before adding the EOL marker might make sense. If nobody on this ticket is interested in maintenance of the Flatpak, have you considered reaching out on the Flathub Forum to see if anybody there is interested?

@The-Compiler
Collaborator

Thanks for the quick answer! Oh, I didn't realize I had access to this repository myself. 😊 To be honest I have no idea why.

However, I've never used Flatpak, so I don't feel comfortable with taking things into my own hands. Perhaps someone here or @ykgmfq @wkugh @ysiraichi @tinywrkb would be interested in taking over?

I'm apparently not able to change repository settings, but I assume if someone steps up who'd like to continue maintaining this, the Flatpak admins could then add them to the repository? Given that I have push rights myself, I assume there's no formal criteria making something a packager then?

@ramcq

ramcq commented Mar 12, 2021

Right - there is some basic volunteer review for basic quality standards when things go in, but ultimately our philosophy is that Flathub should be led by the upstream developer/publisher as our goal is dis-intermediating between developer and user. So, if you want to add contributors you can request that with a ticket on https://github.com/flathub/flathub/issues/

@tinywrkb
Collaborator

tinywrkb commented Mar 13, 2021

@The-Compiler I don't use qutebrowser but I looked into maintaining it as it's a pretty neat project but to tell you the truth, every update feels like going down the rabbit hole.

I sent a PR to update qutebrowser #10 but I would really like to have another maintainer helping.
I don't feel comfortable having to deal with SIP and packaging PyQt.
And it would help a lot if Flathub would ease the offline compilation requirement a bit; right now I can't get Maturin to build adblock without networking. I've done some initial work here.

@tinywrkb
Collaborator

tinywrkb commented Mar 14, 2021

There's a test build here with the recent release, it would be nice if a user can test that everything is working as it should.
It looks alright here but I usually don't use the app.

Build 41658 successful
To test this build, install it from the testing repository:

flatpak install --user https://dl.flathub.org/build-repo/40085/org.qutebrowser.qutebrowser.flatpakref

@akhilman

> There's a test build here with the recent release, it would be nice if a user can test that everything is working as it should.
> It looks alright here but I usually don't use the app.

Works fine here.

Tip for users - to install dictionaries:

flatpak run --command=/app/share/qutebrowser/scripts/dictcli.py org.qutebrowser.qutebrowser install en-GB ru-RU

@tinywrkb
Collaborator

@akhilman thanks for testing. I pushed another commit adding adblock support by reusing the binary release of python-adblock.
ATM the CI doesn't build this as it seems like Flathub has reached the GitHub API requests limit, so if you want to test this feature you're gonna need to build it yourself. I'll try forcing a rebuild later.

@tinywrkb
Collaborator

Test build with the python-adblock module, though currently adblock is enabled only on x86_64 as this uses the binary release.

Build 41753 successful
To test this build, install it from the testing repository:

flatpak install --user https://dl.flathub.org/build-repo/40173/org.qutebrowser.qutebrowser.flatpakref

@akhilman

Adblock works well. Thank you for the package.

@tinywrkb
Collaborator

@akhilman thanks for the feedback.

@ramcq

ramcq commented Mar 15, 2021

@The-Compiler Would you like a Flathub person to review @tinywrkb's PR, or would you consider giving them access to the repo? It would be good to work out if you or someone from the Qutebrowser upstream can stay in the loop on the updates.

@The-Compiler
Collaborator

The-Compiler commented Mar 15, 2021

Thanks everyone (and especially @tinywrkb!) for getting things updated!

> Would you like a Flathub person to review @tinywrkb's PR, or would you consider giving them access to the repo?

I'd happily give @tinywrkb access to the repository! (Ah, looking at #10 that already seems to be the case?)

> It would be good to work out if you or someone from the Qutebrowser upstream can stay in the loop on the updates.

I'm afraid I don't have any personal interest in Flatpak (for qutebrowser users, a simpler alternative achieving roughly the same goal is available), and I don't have the capacity to take care of packaging for ecosystems I don't use. Sorry!
