What options do I have besides switching to another client?
Package it yourself as part of your NixOS config, which would effectively make you the maintainer of said package (and you'd be responsible for updating it and fixing breakages with it).
jchw
November 5, 2024, 12:49pm
3
Personally my recommendation in situations like these is to look for another avenue. In this case, it looks like Betterbird is available via Flatpak. You can set up Flatpak via your NixOS configuration then use it normally.
If you want to declaratively install Flatpak applications, there is nix-flatpak. See the project page and discussion .
Of course, this has a number of trade-offs and might not be the right choice for you. If you would prefer lifting the derivation into your configuration instead, we can probably help you figure that out. However, if it's much like the Firefox build process, without the benefit of Hydra caching, this will probably not be a great experience.
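The Flatpak route from the post above, written out as a NixOS module. This is an added example, not configuration from the thread or from the nix-flatpak project; the nix-flatpak flake URL, the module attribute path and the Flathub application ID for Betterbird are assumptions to check against the project page and `flatpak search betterbird`.

```nix
# configuration.nix (added example). Assumes a flake input declared as
#   inputs.nix-flatpak.url = "github:gmodena/nix-flatpak";   # assumed URL
# and passed in via specialArgs as `inputs`.
{ inputs, pkgs, ... }:

{
  imports = [ inputs.nix-flatpak.nixosModules.nix-flatpak ];

  # Plain NixOS part: the Flatpak daemon plus desktop portals, which sandboxed
  # apps need to open files, URLs and the file chooser. With only these two
  # options set you would install apps imperatively with `flatpak install`.
  services.flatpak.enable = true;
  xdg.portal.enable = true;
  xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];

  # nix-flatpak part: declare the remote and the applications.
  services.flatpak.remotes = [
    { name = "flathub"; location = "https://dl.flathub.org/repo/flathub.flatpakrepo"; }
  ];
  services.flatpak.packages = [
    "eu.betterbird.Betterbird"   # assumed Flathub ID; verify before relying on it
  ];

  # Security-relevant bit: the Flatpak is updated on the Flathub cadence, not
  # the nixpkgs cadence. Pull updates whenever the configuration is activated
  # and on a timer, so the client does not sit on a known-vulnerable version.
  services.flatpak.update.onActivation = true;
  services.flatpak.update.auto = {
    enable = true;
    onCalendar = "weekly";   # systemd calendar spec
  };
}
```

After `nixos-rebuild switch`, `flatpak info eu.betterbird.Betterbird` prints the installed version, which you can compare against the upstream release notes; `flatpak update` applies anything the timer has not yet pulled. Keep in mind that the app is then sandboxed by Flatpak rather than packaged by nixpkgs, so file and device access are governed by its Flatpak permissions, not your NixOS configuration.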
If the developers provide an executable binary, you can create a Nix package for that. You'd likely need to use autoPatchelfHook (or buildFHSEnv) to get it to run, but the build would be much faster than trying to build such a large application from source.
Sandro
November 5, 2024, 2:25pm
5
NixOS:master ← emilazy:push-tsoprlpqurnt (opened 03:47PM - 25 Oct 24 UTC)
This package is currently on a version from August 5. There have since been four further Betterbird releases in the 115 series, two of which were to update to upstream Thunderbird versions with CVEs assigned. By the time the PR updating the package to its current version was merged, it was already two Betterbird releases out of date.
A potential counterargument to the severity of this is that, as explained on the Thunderbird security advisories page, many vulnerabilities in Firefox are not practically exploitable in Thunderbird due to the lack of untrusted JavaScript execution in mail content. However, this is overly simplistic: there are circumstances in which Thunderbird opens less-than-fully-trusted web content, such as to authenticate to email and chat accounts, and there are other potential avenues of exploitation like image decoders.
The maintenance state of this package on the stable branch has been worse than on unstable. 24.05 is currently on 115.9.0, a version vulnerable to the recent [arbitrary JavaScript injection bug in PDF.js](https://nvd.nist.gov/vuln/detail/CVE-2024-4367). This is a serious issue by itself, but also means that users are exposed to the other JavaScript-related vulnerabilities present in this version even in the course of normal email reading, closing the gap between Firefox security issues and Thunderbird ones. The first Betterbird version with the fix for this bug was released on May 13, over two weeks before the 24.05 release. Users of 24.05 have had the same vulnerable version of Betterbird for its entire release cycle.
That's not a one-off event; 23.11 would have remained on 115.4.2, a version vulnerable to multiple high-severity Thunderbird-specific email encryption bugs as outlined in [MFSA 2023-55](https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/) and [MFSA 2024-11](https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/), if a member of the security team had not backported a version bump in https://github.com/NixOS/nixpkgs/pull/300477. That backport was merged untested, a month after the fix was merged into the unstable branch, as Sandro was not able to test the backport on stable NixOS. At the time it was merged, 23.11 had been on the same version for 5 months, despite there having been between 9 and 13 subsequent Betterbird releases depending on how you count.
These issues have been raised in the past, including by users. In June 2023, https://github.com/NixOS/nixpkgs/issues/239531 was opened, pointing out that the package had been outdated for a while. I commented on the resulting PR, https://github.com/NixOS/nixpkgs/pull/241560, to ask for confirmation that Sandro would try to keep the package up to date in all supported branches in the future, which he affirmed that he would do. Unfortunately, this has not been the case; in https://github.com/NixOS/nixpkgs/issues/251427 from August 2023, a user points out the problematic chronic nature of the package's version lag ("Sadly the package is repeatedly out of date. I would really like to switch to betterbird but as it's internet-facing, timely updates should be ensured."). That was before the issues with the vulnerable versions in 23.11 and 24.05. When https://github.com/NixOS/nixpkgs/issues/323169 was opened on June 28, the package was four Betterbird releases out of date and vulnerable to the PDF.js bug that had been disclosed a month and a half earlier; rather than this serious security issue being promptly addressed, the reporting user was asked to open a version bump PR but did not have the know-how to do so. That was finally addressed by the most recent version bump PR, opened over two months later on September 2 and merged over two weeks after that (after there had already been more upstream releases, as noted earlier). When https://github.com/NixOS/nixpkgs/pull/344071 was opened on September 23 to fix an ICU-related issue without a version bump, the package was a Betterbird release behind, with three CVEs already marked as applying to the version. That's the version we're still on today, after several more releases and six more CVEs.
I conclude that we should not ship this package in 24.11: it is practically guaranteed to remain on a known-insecure version in the stable branch for an extended period of time and there does not seem to be any real effort to change this state of affairs. Given that even the version on `master` has been out of date for almost two months and reliably lags behind upstream security updates, and the commitments for security maintenance have not been met for more than a year, I think that it's clear that we don't have enough resources to sustain this package and that the situation is unlikely to improve sufficiently to meet our expected standard of maintenance of a downstream fork of Mozilla software that bundles an entire browser engine. Carrying this regularly-outdated package poses real risks to users and does a disservice both to them and the reputation of the Betterbird upstream. If there is demand for an outdated Betterbird package, it would be better for it to be maintained and cached out-of-tree, so that we don't give the impression that the NixOS project can support this software and keep its users safe.
## Things done
- Built on platform(s)
- [ ] x86_64-linux
- [ ] aarch64-linux
- [ ] x86_64-darwin
- [ ] aarch64-darwin
- For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html))
- [ ] `sandbox = relaxed`
- [ ] `sandbox = true`
- [ ] Tested, as applicable:
- [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
- and/or [package tests](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests)
- or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test)
- made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [24.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) (or backporting [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) and [24.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) Release notes)
- [ ] (Package updates) Added a release notes entry if the change is major or breaking
- [ ] (Module updates) Added a release notes entry if the change is significant
- [ ] (Module addition) Added a release notes entry if adding a new NixOS module
- [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).
Error: betterbird … removed … insufficient maintainers
That is only half the story. People put pressure on me to both support stable (I have no graphical system on stable) and unstable. Building betterbird, even on good hardware, usually takes like 20 minutes, and when it fails at the linking stage it is a bit annoying and can take a few tries to update. I usually did it on weekends, when I usually have a lot of time, but sometimes it fell through. Also, I sometimes get the feeling that people get overzealous about other maintainers' packages when their security updates are late.
If someone wants to help me maintain it, I think we could bring it back especially if people have the need for it.
3 Likes
Thanks for the suggestion. I feel like if I'm going to go that route, I might as well just switch to blendOS or use distrobox.
I appreciate all of the maintainers, but that just isn't me anymore. I used to run Gentoo on everything a decade ago, but I guess I'm too old for this $#!+…?
jchw
November 7, 2024, 1:54pm
8
I don't think it's so dire, to be honest. I use Flatpak apps on all of my NixOS machines (mainly the GIMP nightly releases). It does have some potential caveats, but in my experience it is a perfectly reasonable escape hatch.
Of course, it's all up to you. Distrobox and blendOS are also perfectly fine choices if you think those would fit your needs better.