Plexamp needs new Electron

Will Plexamp ever be updated to an unbroken version of Electron?

1 Like

(PS you do realize there have been over NINETY vulnerabilities in Chromium so far this year, right? Which means there are over NINETY vulnerabilities in Plexamp.)

1 Like

Do you realize that those vulnerabilities are exploited by browsing to bad websites? And Plexamp doesn’t do that?

Do you realize that many of those vulnerabilities could easily result in escalation of privilege from any vulnerability within Plexamp? Have you reviewed any of the updates that you haven’t bothered to bundle in to see whether they apply to Plexamp? I doubt it.

1 Like

How would that work?

Both other people’s servers and Tidal are untrusted sources of data. In fact, for that matter, even my own library is an untrusted source of data, since the data comes from (in my case) either (a) MusicBrainz or (b) Plex’s unspecified sources. Any untrusted data carries with it the possibility of an exploit. Maybe you have a sanitization issue? Maybe there’s an issue in the image renderer?

Why am I having to educate you on the very most basic details of how vulnerabilities work?

What is Defense in Depth? Defined and Explained | Fortinet

2 Likes

Right? I can’t imagine how someone gets to be CTO without some understanding of how exploit chains are (ab)used by attackers. Nor how he doesn’t have any employees at his 100+ person company who can explain it to him. Do they just exclusively hire yesmen or something?

It’s honestly amazing I can tie my shoes most days.

6 Likes

I suspect we can upgrade to Electron 12.2.3 without much effort. Going higher than that has caused issues on Linux, at least, when we’ve tried it in the past.

It was not Elan who reported your response as inappropriate.
Stop jumping to conclusions.

There has been enough snark in this thread already. Let it go.

2 Likes

My primary issue is that Plexamp refuses to start due to a crash in the GPU process, unless I either (a) manually start it with --in-process-gpu or (b) patch glibc to disable the clone3 syscall. This is the bug I linked in the OP.

AIUI, other distros (such as Ubuntu) have patched glibc to disable clone3, but I doubt they’ll keep it disabled forever, so at some point Plexamp will need an update in order to function on major distros. My distro (Gentoo) does not have it disabled by default, though thankfully it’s somewhat trivial (once I finally tracked down the Electron bug and found out the issue was the usage of clone3 in glibc) to disable it - hopefully having done so doesn’t cause me issues with anything else.

Per the linked bug, the fix “is available in Electron >= 14”. (The fix appears pretty simple and just involves blocking clone3 calls so that glibc falls back to another syscall, instead of crashing on the unknown syscall.)

Note that other apps which use Electron (f.e. Discord) already have this update and/or work just fine.
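The mechanism described in the post above, as an added example that is not part of the thread and is not Electron's or Chromium's code: a seccomp-BPF filter that answers `clone3` with `ENOSYS`, the error that makes glibc fall back to the older `clone` call. The function names are hypothetical, and the filter is installed in a forked child so the calling process is unaffected.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __NR_clone3
#define __NR_clone3 435  /* value on x86-64 and arm64; older headers lack it */
#endif

/* Install a filter that answers clone3 with ENOSYS and allows the rest.
 * A production sandbox filter would also validate seccomp_data.arch. */
static int install_clone3_enosys_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Returns the errno a sandboxed child sees from clone3, or -1 on setup failure. */
int clone3_errno_under_filter(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_clone3_enosys_filter() != 0) _exit(255);
        long r = syscall(__NR_clone3, NULL, (size_t)0);
        _exit(r == -1 ? errno : 0);  /* report the observed errno as exit code */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void) {
    printf("clone3 under filter: errno %d (ENOSYS is %d)\n",
           clone3_errno_under_filter(), ENOSYS);
    return 0;
}
```

A sandbox policy that instead kills the process or returns a different error for syscalls it does not recognise gives glibc no signal to retry with `clone`.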
