Nixpkgs: zed: very ancient version of nwjs
zed uses the binary release of nwjs 0.9 (at this time still called node_webkit), while the newest version is 0.29.
As this is basically a Chromium binary that can execute arbitrary Javascript and deliberately breaks all sandboxing features, we should at least keep it on a current version.
cc @Ma27
I’m pushing an update of nwjs to 0.26 at the moment, but the zed package can’t handle it, so I’m pinning to 0.9 for the time being.
https://github.com/NixOS/nixpkgs/pull/27882
Profpatsch
All 6 comments
Hi @Profpatsch!
Thanks a lot for working on this. It's been a while ago since I worked on this part of nixpkgs, but I slightly remember that I had to deal with several outdated versions when dealing with zed.
I'll definitely have a look into this in the next days, hopefully there's a patch by some contributors (or it's easy to file one to fix this).
However the project isn't too active, so at least when we suffer from more further breaks or security issues because of severely outdated dependencies, we shouldn't hesitate to mark this package as broken or even drop it entirely (unless there are folks heavily relying on this).
Ma27
on 19 Mar 2018
I’d be in favor of a drop; people will complain if they still use it, if that happens we can restore & update, or the package is pulled outside of nixpkgs until someone can push and maintain a recent update.
Profpatsch
on 19 Mar 2018
I’d be in favor of a drop; people will complain if they still use it, if that happens we can restore & update, or the package is pulled outside of nixpkgs until someone can push and maintain a recent update.
In fact I agree with you, I've observed this "restore & update" pattern with some bigger applications (especially web-services) and I think that this is unneeded extra-work for the nixpkgs maintainers and release managers before each release.
Before I file a patch to either {drop it,mark it as broken} or fix the dependency issue, I'd like to check two things before:
- is there any active fork? I'd like to ensure that the project is actually dead/unresponsive or does it have a working/maintained fork?
- check in the IRC if there are active
zedusers (I don't use it, I just fixed the derivation to help @svanderburg to get rid ofnpm2nix). If there are any, we should ask them to take over maintenance (or ask them to create their own overlay)
I'll try to have a deeper look into it tonight, when I know more and have an actual opinion on how to proceed, I'll leave a comment here.
Ma27
on 19 Mar 2018
As far as I know, the author is no longer actively developing Zed anymore:
https://zef.me/how-to-abandon-open-source-d5ebbc6e45e5
I happen to know him personally, but as far as I know he has no interests
in doing any major additional developments any time soon. Of course, I can
always ask but I think I already know the answer. :)
For me it's fine if it gets removed.
On Mon, Mar 19, 2018 at 3:38 PM Maximilian Bosch notifications@github.com
wrote:
I’d be in favor of a drop; people will complain if they still use it, if
that happens we can restore & update, or the package is pulled outside of
nixpkgs until someone can push and maintain a recent update.In fact I agree with you, I've observed this "restore & update" pattern
with some bigger applications (especially web-services) and I think that
this is unneeded extra-work for the nixpkgs maintainers and release
managers before each release.Before I file a patch to either {drop it,mark it as broken} or fix the
dependency issue, I'd like to check two things before:
- is there any active fork? I'd like to ensure that the project is
actually dead/unresponsive or does it have a working/maintained fork?- check in the IRC if there are active zed users (I don't use it, I
just fixed the derivation to help @svanderburg
https://github.com/svanderburg to get rid of npm2nix). If there are
any, we should ask them to take over maintenance (or ask them to create
their own overlay)I'll try to have a deeper look into it tonight, when I know more and have
an actual opinion on how to proceed, I'll leave a comment here.—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/NixOS/nixpkgs/issues/37361#issuecomment-374234623,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABGY96uSvYuHr5WTCrtYoWOTgDWQ8zVPks5tf8LMgaJpZM4Svsfb
.
svanderburg
on 19 Mar 2018
ok I suspected something like this as the last commit was from 2015. In this case I'm also :+1: for dropping it...
Ma27
on 19 Mar 2018
just submitted a PR for now, I asked in the IRC if there are any folks using zed, if I don't get a response, I'd just vote for merging it to master and do a backport to 18.03
Ma27
on 19 Mar 2018
Related issues
timokau
·
66Comments
Infinisil
·
146Comments
nh2
·
76Comments
thoughtpolice
·
71Comments
grahamc
·
77Comments
Most helpful comment
As far as I know, the author is no longer actively developing Zed anymore:
https://zef.me/how-to-abandon-open-source-d5ebbc6e45e5
I happen to know him personally, but as far as I know he has no interests
in doing any major additional developments any time soon. Of course, I can
always ask but I think I already know the answer. :)
For me it's fine if it gets removed.
On Mon, Mar 19, 2018 at 3:38 PM Maximilian Bosch notifications@github.com
wrote: