[PRQ#52584] Deletion Request for tailscaledesktop
xiota [1] filed a deletion request for tailscaledesktop [2]:

This package should be deleted because it compromises the security of the systems on which it is installed.

This package uses Electron as a web browser to navigate a streaming media website. Electron is *not* a web browser. Although it uses the same rendering engine as Chromium, it is not Chromium, and it does not have the same security features Chromium does. On the contrary, Electron intentionally has reduced security because it is intended for desktop apps, not web browsing.

At [Security](https://www.electronjs.org/docs/latest/tutorial/security), Electron developers state:

> A security issue exists whenever you receive code from an untrusted source (e.g. a remote server) and execute it locally. As an example, consider a remote website being displayed inside a default BrowserWindow. If an attacker somehow manages to change said content (either by attacking the source directly, or by sitting between your app and the actual destination), they will be able to execute native code on the user's machine.

This app does what Electron devs describe avoiding:

```
const mainWindow = new BrowserWindow(...)
...
mainWindow.loadURL('https://...')
```

Further, this package is named in a way that some users may think it is an official package, which it is not.

[1] https://aur.archlinux.org/account/xiota/
[2] https://aur.archlinux.org/pkgbase/tailscaledesktop/
Request #52584 has been Rejected by serebit [1]:

This package should be deleted because it compromises the security of the systems on which it is installed.

This package is a customized electron build that the maintainer uses for his personal projects, which use Electron as a web browser to navigate some streaming media websites. It essentially duplicates the functionality of the `electron` packages, but with incorrect naming and unknown modifications.

In addition to creating a man-in-the-middle scenario, this package compromises the security of its users by disregarding upstream security recommendations. Notably, Electron is *not* a web browser. Although it uses the same rendering engine as Chromium, it is not Chromium, and it does not have the same security features Chromium does. On the contrary, Electron intentionally has reduced security because it is intended for desktop apps, not web browsing.

At [Security](https://www.electronjs.org/docs/latest/tutorial/security), Electron developers state:

> A security issue exists whenever you receive code from an untrusted source (e.g. a remote server) and execute it locally. As an example, consider a remote website being displayed inside a default BrowserWindow. If an attacker somehow manages to change said content (either by attacking the source directly, or by sitting between your app and the actual destination), they will be able to execute native code on the user's machine.

The maintainer's apps that use this package do what Electron devs describe avoiding:

```
const mainWindow = new BrowserWindow(...)
...
mainWindow.loadURL('https://...')
```

This package also has multiple packaging defects that the maintainer is resistant to fixing. Even if they were fixed, the security implications described above would remain.

* Does not guard path variables with quotes. Paths may contain spaces, which would not only break the script, but could damage users' systems.
* Uses pkgrel in download link. Link will break when pkgrel is bumped.
* Potentially missing provides/conflicts, since this is duplicating function of `electron` packages.
* Runs a non-standard secondary setup script instead of including the commands directly in the PKGBUILD. This makes the package more difficult to review for malicious content.

[1] https://aur.archlinux.org/account/serebit/
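The hardened counterpart to the `loadURL` pattern quoted in both messages, as an added example that is not code from this thread or from the tailscaledesktop package: the `webPreferences` values follow the Electron security tutorial linked above, the allow-list origin is a constructed sample, and the helpers are plain Node.js functions so they can be exercised without Electron installed.

```javascript
// Added example, not from the AUR thread. Plain Node.js helpers that
// produce a locked-down BrowserWindow configuration and a navigation
// guard for an Electron app that must display a remote site.

// webPreferences that keep remote page content out of the Node.js runtime.
// A default BrowserWindow in older Electron enabled nodeIntegration, which
// is what lets altered remote content execute native code.
function hardenedWebPreferences() {
  return {
    nodeIntegration: false,          // page scripts cannot require() Node modules
    contextIsolation: true,          // preload and page run in separate JS worlds
    sandbox: true,                   // renderer runs inside the Chromium sandbox
    webSecurity: true,               // same-origin policy stays enforced
    allowRunningInsecureContent: false, // no http:// subresources on https pages
  };
}

// True only for https URLs whose origin is on the allow-list, so a
// redirect or injected link cannot move the window to another site.
function isAllowedNavigation(urlString, allowedOrigins) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false;                    // unparsable input is denied
  }
  return url.protocol === 'https:' && allowedOrigins.includes(url.origin);
}

// Builds a handler for webContents.on('will-navigate', handler). Electron
// passes (event, url); calling event.preventDefault() cancels navigation.
// Returns true when navigation was allowed, false when it was blocked.
function makeNavigationGuard(allowedOrigins) {
  return function (event, targetUrl) {
    if (!isAllowedNavigation(targetUrl, allowedOrigins)) {
      event.preventDefault();
      return false;
    }
    return true;
  };
}

// Constructed sample allow-list; inside Electron this would be wired as:
//   const win = new BrowserWindow({ webPreferences: hardenedWebPreferences() });
//   win.webContents.on('will-navigate', makeNavigationGuard(ALLOWED_ORIGINS));
//   win.webContents.setWindowOpenHandler(() => ({ action: 'deny' }));
//   win.loadURL(ALLOWED_ORIGINS[0] + '/');
const ALLOWED_ORIGINS = ['https://stream.example'];
```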