Backport recent security fixes to 2023.03 or to Elixir 1.13.4 #556

New issue

Closed

opened 2023-05-30 12:39:37 +00:00 by SuperDicq · 5 comments

SuperDicq commented 2023-05-30 12:39:37 +00:00

Copy link

I've heard from multiple admins (Myself, @a1ba@suya.place and @rosey@neko.computer) that Elixir 1.14 is causing unneeded headaches because this version is still not available in the official Erlang Solutions repository.

A solution to this is to make sure Akkoma runs on 1.13.4, alternatively the security fix can be backported to release 2023.03, which is the last version that still runs on a Elixir version available in the official repository.

If this is not possible and we want to make the asdf version manager the only supported version manager for Akkoma the docs should reflect probably that.

The Soapbox installation guide explains how to use asdf quite well as an example: https://soapbox.pub/install/

I've heard from multiple admins (Myself, @a1ba@suya.place and @rosey@neko.computer) that Elixir 1.14 is causing unneeded headaches because this version is still not available in the official [Erlang Solutions repository](https://www.erlang-solutions.com/downloads/). A solution to this is to make sure Akkoma runs on 1.13.4, alternatively the security fix can be backported to release 2023.03, which is the last version that still runs on a Elixir version available in the official repository. If this is not possible and we want to make the [asdf](https://github.com/asdf-vm/asdf) version manager the only supported version manager for Akkoma the docs should reflect probably that. The Soapbox installation guide explains how to use asdf quite well as an example: https://soapbox.pub/install/

floatingghost commented 2023-05-30 12:53:35 +00:00

Owner

Copy link

no

no

floatingghost closed this issue 2023-05-30 12:53:35 +00:00

SuperDicq commented 2023-05-30 13:01:05 +00:00

Author

Copy link

Could you explain why this is getting completely dismissed without explanation?

I would personally be willing to add asdf instructions to the docs if backporting or lowering the version requirement is not an option.

Could you explain why this is getting completely dismissed without explanation? I would personally be willing to add asdf instructions to the docs if backporting or lowering the version requirement is not an option.

floatingghost commented 2023-05-30 13:05:15 +00:00

Owner

Copy link

the "backport" suggestion is mindbogglingly silly and should be embarrassing to even think of

we support the version as specified in the documentation, the tools to use the versions specified are listed in the docs

your issue suggests both lowering the requirement which would cause a regression, or doing something idiotic, neither of which are particularly good ideas

the "backport" suggestion is mindbogglingly silly and should be embarrassing to even think of we support the version as specified in the documentation, the tools to use the versions specified are listed in the docs your issue suggests both lowering the requirement which would cause a regression, or doing something idiotic, neither of which are particularly good ideas

SuperDicq commented 2023-05-30 13:14:59 +00:00

Author

Copy link

The docs do list asdf, but it doesn't give instructions on how to use it.

On the Debian or Ubuntu page for example the docs still suggest to install Elixir using the APT package manager, which is currently impossible. This will result in unnecessary hardship that could prevent some users from installing or updating Akkoma in the first place.

I personally think it is not a good idea to make the minimum required version a version that is not available in most repositories, but you're right it might be "idiotic" to reduce the minimum version at the current point in time and cause regression.

Then please consider this post a suggestion to least think about availability next time before moving the Akkoma to a new Elixir version maybe.

The docs do list asdf, but it doesn't give instructions on how to use it. On the Debian or Ubuntu page for example the docs still suggest to install Elixir using the APT package manager, which is currently impossible. This will result in unnecessary hardship that could prevent some users from installing or updating Akkoma in the first place. I personally think it is not a good idea to make the minimum required version a version that is not available in most repositories, but you're right it might be "idiotic" to reduce the minimum version at the current point in time and cause regression. Then please consider this post a suggestion to least think about availability next time before moving the Akkoma to a new Elixir version maybe.

a1batross commented 2023-05-30 14:26:29 +00:00

Copy link

the tools to use the versions specified are listed in the docs

Documentation doesn't really tell anything about asdf, and if I didn't know about it beforehand, it would be a complex quest to understand how it works too.

It's unfortunate that latest Elixir can't be installed from repositories, so asdf should be in the docs instead. And it's not like we use outdated operating systems, both Debian Stable and Ubuntu LTS doesn't package latest Elixir, and Elixir Solutions repository simply ignores these Debian/Ubuntu releases.

For myself, I ended up installing asdf to a user Akkoma runs from, which is documented in asdf docs. The only problem was modifying systemd service to directly call asdf wrappers, but it's easy, just replace Environment and ExecStart:

Environment="PATH=/var/lib/pleroma/.asdf/shims:/var/lib/pleroma/.asdf/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
ExecStart=/var/lib/pleroma/.asdf/shims/mix phx.server

>the tools to use the versions specified are listed in the docs Documentation doesn't really tell anything about `asdf`, and if I didn't know about it beforehand, it would be a complex quest to understand how it works too. It's unfortunate that latest Elixir can't be installed from repositories, so `asdf` should be in the docs instead. And it's not like we use outdated operating systems, both Debian Stable and Ubuntu LTS doesn't package latest Elixir, and Elixir Solutions repository simply ignores these Debian/Ubuntu releases. For myself, I ended up installing `asdf` to a user Akkoma runs from, which is documented in `asdf` docs. The only problem was modifying systemd service to directly call `asdf` wrappers, but it's easy, just replace `Environment` and `ExecStart`: ```ini Environment="PATH=/var/lib/pleroma/.asdf/shims:/var/lib/pleroma/.asdf/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ExecStart=/var/lib/pleroma/.asdf/shims/mix phx.server ```

a1batross referenced this issue 2023-05-30 14:28:12 +00:00

[bug] Better explain Elixir installation through asdf in the docs #557

XxXCertifiedForkliftDriverXxX referenced this issue 2023-05-30 22:30:37 +00:00

Remove from-source support for Debian 11/Ubuntu 22.04 LTS. #558

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

translations

customizable-docker-db

stable

static-adminfe

bad-uploader-config-warning

docker

user-expiry-backfill

config-db-keys

ensure-scrubbers-loaded

otp26

code-shaking-does-not-go-brr

elixir1.15

circleci

backup-fixes

mod-task

policy

mrf-coolness

frontend-switcher-9000

contentMap

language-on-posts

rabbit

credo-on-pr

unify-http

normalise-markup-by-default

buildx

v3.13.2

v2.6.3

v3.13.1

v3.13.0

snac-3.12.1.2

v3.12.2

snac-3.12.1.1

v3.12.1

v3.12.0

v3.11.0

v2.6.2

v2.6.1

2.6.1

v2.6.0

v2.5.5

v3.10.4

v3.10.3

v3.10.2

v3.10.1

v3.10.0

v2.5.4

v2.5.3

v3.9.3

v3.9.2

v3.9.1

V3.9.0

2023.05

v3.8.0

v3.7.1

v3.7.0

v3.6.0

v3.5.0

v2.4.5

v3.4.0

v3.3.1

v2.4.4

v3.3.0

v3.2.3

v3.2.2

v3.2.1

stable-202209

v3.2.0

v3.1.0

stable-2022.07

v3.0.0

v0.0.1

v2.5.2-6

v2.5.2-5

v2.5.2-4

v2.5.2-3

v2.5.2-2

v2.5.2-1

v2.5.2

v2.5.1

v2.5.0-8

v2.5.0-7

v2.5.0-6

v2.5.0-5

v2.5.0-4

v2.5.0-3

v2.5.0-2

v2.5.0-1

v2.5.0

v2.4.3

pre-rebase

v2.4.2

v2.4.1

v2.4.0

soapbox-v1.1.1

soapbox-v1.1.0

soapbox-v1.0.0

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.1.9

v1.1.8

v1.1.7

v1.1.6

v1.1.5

v1.1.4

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.91

v1.0.90

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v0.9.0

Labels

Clear labels   

approved, awaiting change

  

bug

Something is not working

  

configuration

This requires config changes

  

documentation

This is about human-readable docs

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

extremely low priority

  

feature request

Something new?

  

Fix it yourself

Support has been attempted

  

help wanted

Need some help

  

invalid

Something is wrong

  

mastodon_api

  

needs docs

  

needs tests

  

not a bug

  

planned

  

pleroma_api

  

privacy

  

question

More information is needed

  

static_fe

  

triage

  

wontfix

This won't be fixed

No labels

approved, awaiting change

bug

configuration

documentation

duplicate

enhancement

extremely low priority

feature request

Fix it yourself

help wanted

invalid

mastodon_api

needs docs

needs tests

not a bug

planned

pleroma_api

privacy

question

static_fe

triage

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

3 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#556

No description provided.