Get rid of old libs and get back into distros' repos #285

Open
37 of 43 tasks
Photon89 opened this issue Jun 16, 2020 · 45 comments

@Photon89
Member

Photon89 commented Jun 16, 2020

This issue is to get an overview of which dependencies should get away for Shutter to be accepted in various distros' repositories again.

Arch Linux:

  • gnome-perl
  • gnome-vfs-perl
  • gnome-vfs
  • libgnome
  • libgnomeui
  • libbonoboui
  • gconf
  • gnome-mime-data
  • gamin
  • gnomecanvas-perl
  • perl-gnome2-wnck
  • perl-gtk2-imageview
  • perl-gtk2-unique
  • perl-json-maybexs
  • perl-goo-canvas
  • goocanvas1
  • perl-gtk2-appindicator (optional)
  • gnome-web-photo (optional)

Debian

  • libbonobo2-0
  • libbonoboui2-0
  • libgnome2-gconf-perl
  • libgnome2-perl
  • libgnome2-vfs-perl
  • libgnomevfs2-0
  • libgnome2-canvas-perl
  • libgtk2-imageview-perl
  • libgnome2-wnck-perl
  • libgtk2-unique-perl
  • libgoo-canvas-perl
  • libgtk2-appindicator-perl (optional)
  • gnome-web-photo (optional)

Update: I would like to track the status of Shutter being reintroduced into the repos of various distros here. Please comment if you find news on distros which are not listed here yet.

The packaging status for various distros can be tracked here: https://repology.org/project/shutter/versions

@DarthGandalf
Member

> perl-json-maybexs

I don't see what's wrong with this one. https://metacpan.org/pod/JSON::MaybeXS is up to date. And I see the package in AUR.

@Photon89
Member Author

Photon89 commented Jun 16, 2020

Oh yeah, thanks for the hint, my bad!

edit: No, wait. perl-json-xs is in the official repos (community/) but perl-json-maybexs is in the AUR only, that is, not in the official repos. All Shutter dependencies including the outdated gnome2 libs are available from the AUR but the AUR is not the official repo and Shutter will stick to the AUR as long as it has AUR dependencies. But if perl-json-maybexs is up to date, possibly it can move into community/ as well.

But that's just the Arch Linux perspective, I will try to research about other distros as well.

@Petaris

Petaris commented Nov 18, 2020

Hello, Any hope of having a release for Debian stable? I'm really missing having Shutter, none of the other solutions really have the same capabilities. Thanks for your work on this!

@Petaris

Petaris commented Apr 12, 2021

Hello, has there been any progress on removing/replacing the problem dependencies? I am willing to help test any builds that need testing on Debian stable.

@Photon89
Member Author

Please have a look at this PR to track the current progress: #284

@Photon89
Member Author

@DarthGandalf What is the status regarding the outdated dependencies after the GTK3 merge? As far as I can see, everything is gone besides of gnome-web-photo? Or is perl-gnome2-wnck still in?

For gnome-web-photo (which actually renders websites in a rather simplistic way, so they look quite different from what you see if you open the site in a modern browser) maybe wkhtmltoimage is a good replacement: https://wkhtmltopdf.org/ It's also not perfect but quite usable, I think.

@DarthGandalf
Member

> gnome-web-photo

I never even used that functionality, and with gnome-web-photo not available for my distro anymore, I cannot test and see.

> maybe wkhtmltoimage is a good replacement

Perhaps.

> perl-gnome2-wnck still in?

No, replaced by Wnck-3.0 via Glib::Object::Introspection

@DarthGandalf
Member

From https://wkhtmltopdf.org/status.html

> Recommendations
>
> Do not use wkhtmltopdf with any untrusted HTML – be sure to sanitize any user-supplied HTML/JS, otherwise it can lead to complete takeover of the server it is running on! Please consider using a Mandatory Access Control system like AppArmor or SELinux, see recommended AppArmor policy.

I'd prefer to not create a security hole in shutter.

@Photon89
Member Author

I also never use the web capture feature, actually. gnome-web-photo is present in the AUR but takes a hell lot of time to compile. I have it installed on one of my machines and tested the web capture at some point.

> I'd prefer to not create a security hole in shutter.

I see. So maybe just remove the web capture feature completely then? I think, gnome-web-photo isn't available in most of the distros out there as it is unmaintained for quite a long time.

> No, replaced by Wnck-3.0 via Glib::Object::Introspection

Great, then I guess, this bug can be closed with the next release! Do you think, a release can be done soon? Besides of the slightly ugly scaling in gtk3-imageview I haven't stumbled upon any problems so far (been using the -git version since you merged the GTK3 PR).

@DarthGandalf
Member

> So maybe just remove the web capture feature completely then?

If someone wishes to go through troubles of installing gnome-web-photo, I think it's fine to leave it there.

> Do you think, a release can be done soon?

Let's do it

@Photon89
Member Author

Shall we schedule a Jitsi meeting like the last time? Next weekend would be perfect for me!

@Photon89
Member Author

Photon89 commented May 16, 2021

> I'd prefer to not create a security hole in shutter.

Actually, thinking about it again, I'm wondering if gnome-web-photo is more secure than wkhtmltoimage or any other similar library. gnome-web-photo uses webkitgtk which also has a long list of CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-11350/Webkitgtk.html Maybe making screenshots of webpages is just an inherently insecure operation, no matter the library used for it, and the guys from wkhtmltoimage are just the most honest and cautious about it? 😃

@DarthGandalf
Member

That is possible, sure

@DarthGandalf
Member

Something like selenium is probably the best option there, since it runs an actual browser

@Photon89
Member Author

Since all the outdated dependencies are gone with 0.96, I have requested Shutter to be included into the official Arch Linux repos: https://bbs.archlinux.org/viewtopic.php?id=266597 I'm excited to see how this goes! What are our options to contact other big distros' package maintainers?

@Petaris

Petaris commented Jun 2, 2021

Does anyone know if it has been submitted to Debian yet?

@Photon89
Member Author

Photon89 commented Jun 2, 2021

Not yet, 0.96 has some bugs, some of which have already been fixed, but not all of them. I think, it is better to wait, till a mostly bug free version is out, before approaching package maintainers.

@Petaris

Petaris commented Jun 2, 2021

Ok, good to know. I have been missing Shutter since I moved from CentOS 7.x to Debian 10.8

@Photon89
Member Author

Photon89 commented Jun 2, 2021

Shutter itself is quite easy to "install" without any package management, just download it and run bin/shutter. However, you would have to get the dependencies somehow, not sure how many of them are missing in Debian's repo. As far as I understand, you can use PPAs in Debian: https://vitux.com/how-to-add-ppa-repositories-in-debian/ In this case, it might be possible to use the Ubuntu PPA by linuxuprising: https://www.linuxuprising.com/2018/10/shutter-removed-from-ubuntu-1810-and.html

@Photon89
Member Author

Shutter has just been moved to the official Arch repos thanks to @muflone. Also, since version 0.97 has fixed most of the regressions from 0.96, I think, we can start approaching other distros' packagers to get Shutter back into their repos.

@kdemeoz

kdemeoz commented Jun 28, 2021

Congratulations on successfully fighting the good fight & getting Shutter back into the main Arch repos instead of AUR. Nice work [& thanks]!

@Mpc46

Mpc46 commented Jul 20, 2021

Better pack all into a snap, so it works well every time, and if there are issues like with the 97 release, we can go back to a version that works on our weird system set up 🦖

@Photon89
Member Author

As far as I know, no team member has experience with snap packaging and also no time resources to learn how to deal with snaps. There is an outdated snap here but it hasn't been updated in a while: https://github.com/popey/shutter-snap Contribution to snap packaging is always welcome though!

@kfeoktistoff

What a great achievement!
Is there a plan to update the official ppa?

@Photon89
Member Author

Photon89 commented Jul 20, 2021

Unfortunately, none of the current team members is familiar with deb packaging. But there is an unofficial PPA by @logix2 which seems to work very well: https://launchpad.net/~linuxuprising/+archive/ubuntu/ppa

@DarthGandalf
Member

However, that PPA says:

> This is the official Shutter repository - it is recommended to use this to keep your Shutter easily updated.

Maybe linuxuprising package can be somehow imported to it?

@Photon89
Member Author

Photon89 commented Aug 7, 2021

As far as I understand, @logix2 prefers to keep it separate (correct me, if I'm wrong). But we could at least delete the official PPA so it won't confuse people any more and the linuxuprising PPA would be the only one to choose from.

@logix2

logix2 commented Aug 9, 2021

@Photon89 I can maintain your PPA if you want, I don't mind. You need to add me as a team member on Launchpad and then I have access to the PPA if that's what you like. Or I can continue to maintain my PPA. As you wish...

@Photon89
Member Author

Photon89 commented Aug 9, 2021

@logix2 That would be great, thanks! I added you to the Shutter team on Launchpad, may we also add you here on Github?

@logix2

logix2 commented Aug 10, 2021

@Photon89 Thank you! No need to add me here, I'll just upload the packages to the PPA. I guess I'll start updating the PPA then.

@Photon89
Member Author

@logix2 Thanks, just drop a comment when it is done, so we can update the website accordingly!

@logix2

logix2 commented Aug 10, 2021

@Photon89 I have updated the PPA with Shutter 0.98 for Ubuntu 20.04 (LTS) and 21.04 (current regular release). Users may optionally install gnome-web-photo too from the PPA in order to take website screenshots - I mentioned that in the PPA description. Feel free to modify the PPA description in any way, I just thought I'd add a bit of extra info in there.

@Photon89
Member Author

Great, thanks! I think, the information in the PPA description sounds pretty good. The information regarding the revival of the official PPA is now on the website.

@logix2

logix2 commented Aug 10, 2021

Thank you! I also posted about that: https://www.linuxuprising.com/2021/08/official-shutter-screenshot-tool.html

@Photon89
Member Author

Shutter just entered Debian unstable and will enter testing soon!

https://packages.debian.org/sid/shutter

@Photon89
Member Author

Aaand also in Ubuntu 22.04 as I just realized: https://packages.ubuntu.com/jammy/shutter

@Photon89
Member Author

Photon89 commented Mar 3, 2022

Mageia picked up Shutter's latest version in its development release Cauldron a few months ago already: https://madb.mageia.org/rpm/show/release/cauldron/arch/x86_64/name/shutter-0.99.2-1.mga9.noarch.rpm/source/0/t_media/3

@search5

search5 commented Mar 4, 2022

> Shutter just entered Debian unstable and will enter testing soon!
>
> https://packages.debian.org/sid/shutter

Shutter went into a testing version. If there are no other issues, it looks like it will be serviced as an official package in Debian 12 (Bookworm), which is expected to be released next year.

@Photon89
Member Author

Photon89 commented Mar 4, 2022

I updated the overview in the original report, thanks!

@Jackenmen

> Aaand also in Ubuntu 22.04 as I just realized: packages.ubuntu.com/jammy/shutter

Ubuntu's official repositories do not provide the gnome-web-photo package so not whole functionality is available when installing this way (and I can't really find a repository that would have this package available). Not that there's currently a different way available on 22.04 since the PPA does not (yet?) have Shutter distribution for jammy available.

@Photon89
Member Author

Well, I'm pretty sure, it won't enter the official repositories any time soon because the last time it has been updated (I mean, code updates, not just translations and stuff like that) was over ten years ago. I think, the only option here, would be to ask @logix2 to make a 22.04 PPA which would ship gnome-web-photo specifically.

@DarthGandalf
Member

> I think, the only option here, would be to ask

Another option is to drop this support from shutter. Because in 10 years it likely has some vulnerabilities now.

See the discussion about it above

@Photon89
Member Author

That's also true. It doesn't produce that accurate renderings anyway, as far as I remember. I can upload some examples, if anybody is interested.

@vadi2
Contributor

vadi2 commented Apr 23, 2022

I agree it would be a worthwhile trade to make.

@Photon89
Member Author

Photon89 commented Apr 23, 2022

I just found a possible alternative, weasyprint. wkhtmltopdf's (which we discussed above) maintainer suggests using it because, unlike wkhtmltopdf, it relies on up to date libraries. Also, there is a detailed text regarding the security risks: https://doc.courtbouillon.org/weasyprint/stable/first_steps.html#security It sounds quite acceptable to me but I'm not a security expert, obviously.

edit: It looks like the security risks text specifically targets the Python library, not the CLI variant. But I assume that the CLI variant is not that different, possibly even more secure because it allows less, potentially unsafe, options.
