[PRQ#52582] Deletion Request for snapchat
xiota [1] filed a deletion request for snapchat [2]:

This package should be deleted because it compromises the security of the systems on which it is installed.

This package uses Electron as a web browser to navigate a streaming media website. Electron is *not* a web browser. Although it uses the same rendering engine as Chromium, it is not Chromium, and it does not have the same security features Chromium does. On the contrary, Electron intentionally has reduced security because it is intended for desktop apps, not web browsing.

At [Security](https://www.electronjs.org/docs/latest/tutorial/security), Electron developers state:

> A security issue exists whenever you receive code from an untrusted source (e.g. a remote server) and execute it locally. As an example, consider a remote website being displayed inside a default BrowserWindow. If an attacker somehow manages to change said content (either by attacking the source directly, or by sitting between your app and the actual destination), they will be able to execute native code on the user's machine.

This app does what Electron devs describe avoiding:

```
const mainWindow = new BrowserWindow(...)
...
mainWindow.loadURL('https://...')
```

Further, this package is named in a way that some users may think it is an official package, which it is not.

[1] https://aur.archlinux.org/account/xiota/
[2] https://aur.archlinux.org/pkgbase/snapchat/
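The risk the request describes is a BrowserWindow whose renderer keeps privileged settings while it displays a remote site. The block below is an added example for this thread, not code from the snapchat package, from the request, or from Electron's own documentation: it places the weak `webPreferences` beside the hardened ones that the linked Electron security tutorial recommends, adds a small audit that flags the weak settings, and adds an origin allowlist for `will-navigate` and window-open events. The function names, and the `example.invalid` origin standing in for the real target site, are assumptions made for the illustration; the audit and allowlist functions run under plain Node without Electron installed.

```javascript
// Added example (not from the snapchat AUR package or the request above).
// Assumed names: insecureRemoteWindowOptions, hardenedRemoteWindowOptions,
// auditWebPreferences, isNavigationAllowed, attachNavigationGuard.

// Placeholder origin the wrapper is meant to display; not the package's real target.
const ALLOWED_ORIGINS = new Set(['https://example.invalid']);

// Options that reproduce the risk the request describes: the renderer has Node
// APIs, no context isolation and no sandbox, and is then pointed at a remote site.
function insecureRemoteWindowOptions() {
  return {
    webPreferences: {
      nodeIntegration: true,
      contextIsolation: false,
      sandbox: false,
      webSecurity: false,
    },
  };
}

// Options following the checklist in Electron's security tutorial: no Node in
// the renderer, context isolation and the Chromium sandbox on, web security kept.
function hardenedRemoteWindowOptions() {
  return {
    webPreferences: {
      nodeIntegration: false,
      contextIsolation: true,
      sandbox: true,
      webSecurity: true,
      allowRunningInsecureContent: false,
      experimentalFeatures: false,
    },
  };
}

// Audit a webPreferences object and return one finding per weak setting.
// Each check corresponds to an item in Electron's security tutorial.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration enabled for remote content');
  if (prefs.contextIsolation === false) findings.push('contextIsolation disabled');
  if (prefs.sandbox === false) findings.push('sandbox disabled');
  if (prefs.webSecurity === false) findings.push('webSecurity disabled');
  if (prefs.allowRunningInsecureContent === true) findings.push('allowRunningInsecureContent enabled');
  if (prefs.experimentalFeatures === true) findings.push('experimentalFeatures enabled');
  if (prefs.enableBlinkFeatures) findings.push('enableBlinkFeatures set');
  return findings;
}

// Only https URLs on an allowlisted origin may be loaded; anything else,
// including unparsable strings, is refused.
function isNavigationAllowed(target, allowed = ALLOWED_ORIGINS) {
  let u;
  try {
    u = new URL(target);
  } catch {
    return false;
  }
  return u.protocol === 'https:' && allowed.has(u.origin);
}

// Wire the allowlist into a real BrowserWindow (requires Electron at runtime):
// block in-page navigation and new windows that leave the allowed origin.
function attachNavigationGuard(win, allowed = ALLOWED_ORIGINS) {
  win.webContents.on('will-navigate', (event, url) => {
    if (!isNavigationAllowed(url, allowed)) event.preventDefault();
  });
  win.webContents.setWindowOpenHandler(({ url }) =>
    isNavigationAllowed(url, allowed) ? { action: 'allow' } : { action: 'deny' }
  );
}

// Demo: audit both configurations.
console.log('insecure:', auditWebPreferences(insecureRemoteWindowOptions().webPreferences));
console.log('hardened:', auditWebPreferences(hardenedRemoteWindowOptions().webPreferences));
```

In a wrapper, `attachNavigationGuard(mainWindow)` would be called before `mainWindow.loadURL(...)`, and the audit can be run over the options object a package passes to `new BrowserWindow(...)` when reviewing it.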
Request #52582 has been Rejected by serebit [1]:

This package should be deleted because it compromises the security of the systems on which it is installed.

This package uses Electron as a web browser to navigate a streaming media website. Electron is *not* a web browser. Although it uses the same rendering engine as Chromium, it is not Chromium, and it does not have the same security features Chromium does. On the contrary, Electron intentionally has reduced security because it is intended for desktop apps, not web browsing.

At [Security](https://www.electronjs.org/docs/latest/tutorial/security), Electron developers state:

> A security issue exists whenever you receive code from an untrusted source (e.g. a remote server) and execute it locally. As an example, consider a remote website being displayed inside a default BrowserWindow. If an attacker somehow manages to change said content (either by attacking the source directly, or by sitting between your app and the actual destination), they will be able to execute native code on the user's machine.

This app does what Electron devs describe avoiding:

```
const mainWindow = new BrowserWindow(...)
...
mainWindow.loadURL('https://...')
```

Further, this package is named in a way that some users may think it is an official package, which it is not.

[1] https://aur.archlinux.org/account/serebit/