Backport recent security fixes to 2023.03 or to Elixir 1.13.4 #556

Closed
opened 2023-05-30 12:39:37 +00:00 by SuperDicq · 5 comments

I've heard from multiple admins (Myself, @a1ba@suya.place and @rosey@neko.computer) that Elixir 1.14 is causing unneeded headaches because this version is still not available in the official Erlang Solutions repository.

A solution to this is to make sure Akkoma runs on 1.13.4, alternatively the security fix can be backported to release 2023.03, which is the last version that still runs on a Elixir version available in the official repository.

If this is not possible and we want to make the asdf version manager the only supported version manager for Akkoma the docs should reflect probably that.

The Soapbox installation guide explains how to use asdf quite well as an example: https://soapbox.pub/install/

I've heard from multiple admins (Myself, @a1ba@suya.place and @rosey@neko.computer) that Elixir 1.14 is causing unneeded headaches because this version is still not available in the official [Erlang Solutions repository](https://www.erlang-solutions.com/downloads/). A solution to this is to make sure Akkoma runs on 1.13.4, alternatively the security fix can be backported to release 2023.03, which is the last version that still runs on a Elixir version available in the official repository. If this is not possible and we want to make the [asdf](https://github.com/asdf-vm/asdf) version manager the only supported version manager for Akkoma the docs should reflect probably that. The Soapbox installation guide explains how to use asdf quite well as an example: https://soapbox.pub/install/

no

no
Author

Could you explain why this is getting completely dismissed without explanation?

I would personally be willing to add asdf instructions to the docs if backporting or lowering the version requirement is not an option.

Could you explain why this is getting completely dismissed without explanation? I would personally be willing to add asdf instructions to the docs if backporting or lowering the version requirement is not an option.

the "backport" suggestion is mindbogglingly silly and should be embarrassing to even think of

we support the version as specified in the documentation, the tools to use the versions specified are listed in the docs

your issue suggests both lowering the requirement which would cause a regression, or doing something idiotic, neither of which are particularly good ideas

the "backport" suggestion is mindbogglingly silly and should be embarrassing to even think of we support the version as specified in the documentation, the tools to use the versions specified are listed in the docs your issue suggests both lowering the requirement which would cause a regression, or doing something idiotic, neither of which are particularly good ideas
Author

The docs do list asdf, but it doesn't give instructions on how to use it.

On the Debian or Ubuntu page for example the docs still suggest to install Elixir using the APT package manager, which is currently impossible. This will result in unnecessary hardship that could prevent some users from installing or updating Akkoma in the first place.

I personally think it is not a good idea to make the minimum required version a version that is not available in most repositories, but you're right it might be "idiotic" to reduce the minimum version at the current point in time and cause regression.

Then please consider this post a suggestion to least think about availability next time before moving the Akkoma to a new Elixir version maybe.

The docs do list asdf, but it doesn't give instructions on how to use it. On the Debian or Ubuntu page for example the docs still suggest to install Elixir using the APT package manager, which is currently impossible. This will result in unnecessary hardship that could prevent some users from installing or updating Akkoma in the first place. I personally think it is not a good idea to make the minimum required version a version that is not available in most repositories, but you're right it might be "idiotic" to reduce the minimum version at the current point in time and cause regression. Then please consider this post a suggestion to least think about availability next time before moving the Akkoma to a new Elixir version maybe.

the tools to use the versions specified are listed in the docs

Documentation doesn't really tell anything about asdf, and if I didn't know about it beforehand, it would be a complex quest to understand how it works too.

It's unfortunate that latest Elixir can't be installed from repositories, so asdf should be in the docs instead. And it's not like we use outdated operating systems, both Debian Stable and Ubuntu LTS doesn't package latest Elixir, and Elixir Solutions repository simply ignores these Debian/Ubuntu releases.

For myself, I ended up installing asdf to a user Akkoma runs from, which is documented in asdf docs. The only problem was modifying systemd service to directly call asdf wrappers, but it's easy, just replace Environment and ExecStart:

Environment="PATH=/var/lib/pleroma/.asdf/shims:/var/lib/pleroma/.asdf/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
ExecStart=/var/lib/pleroma/.asdf/shims/mix phx.server
>the tools to use the versions specified are listed in the docs Documentation doesn't really tell anything about `asdf`, and if I didn't know about it beforehand, it would be a complex quest to understand how it works too. It's unfortunate that latest Elixir can't be installed from repositories, so `asdf` should be in the docs instead. And it's not like we use outdated operating systems, both Debian Stable and Ubuntu LTS doesn't package latest Elixir, and Elixir Solutions repository simply ignores these Debian/Ubuntu releases. For myself, I ended up installing `asdf` to a user Akkoma runs from, which is documented in `asdf` docs. The only problem was modifying systemd service to directly call `asdf` wrappers, but it's easy, just replace `Environment` and `ExecStart`: ```ini Environment="PATH=/var/lib/pleroma/.asdf/shims:/var/lib/pleroma/.asdf/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ExecStart=/var/lib/pleroma/.asdf/shims/mix phx.server ```
Sign in to join this conversation.
No milestone
No project
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#556
No description provided.