[Feature Request] Open Build Service Repos for Popular Distros (Fedora, Ubuntu, openSUSE, etc)

[Arcitec]

Motivation

I'd like to install Vesktop for my 70 year old mother, but there's no way that she can keep up with installing .rpm files manually.

Solution

Is there any chance of creating a Fedora COPR repo? It's possible to make GitHub web-hooks that trigger COPR's infrastructure to automatically build such a repo's RPM file from the latest source code after every release, for example:

https://copr.fedorainfracloud.org/

Then Fedora users can run the following commands:

sudo dnf copr enable @vencord/vesktop
sudo dnf install vesktop

After that, the repo would be part of the system and vesktop updates would automatically be installed as regular system updates by GNOME Software, KDE Discover, etc.

Edit: I suggest Open Build Service instead. See followup comments.

Alternatives

I considered teaching my 70 year old mother how to run terminal commands. It's about as successful as teaching her to make space rockets, though. 😆

Additional context

Additionally, I noticed that the current Fedora RPM that you build installs some temporary build files in /usr/lib/.build-id.

Those files can (and should... :)) be excluded from the RPM packaging. I am not sure about the exact process for that, but possibly something like rm -rf /usr/lib/.build-id in the RPM build script.

However, I think a Fedora COPR build, which is handled automatically by Fedora's own infrastructure, won't have that problem. So that seems like an easier solution.

$ rpm -qlp ./vesktop-1.5.3.x86_64.rpm 

...
/opt/Vesktop/vk_swiftshader_icd.json
/usr/lib/.build-id
/usr/lib/.build-id/01
/usr/lib/.build-id/01/4cf96203aed6b44b362f930a85553ebe5ba70c
/usr/lib/.build-id/31
/usr/lib/.build-id/31/18e8c152e4ef215bc843fbb3ab9281877f7ada
/usr/lib/.build-id/5d
/usr/lib/.build-id/5d/1adb7e2eac034a2991598c0c8e41f4b1ad19ee
/usr/lib/.build-id/87
/usr/lib/.build-id/87/003aa4689d6ea1fd547c9c771e443afdb6d9a2
/usr/lib/.build-id/a8
/usr/lib/.build-id/a8/bead032b728141d97788324d6540887ae9caf2
/usr/lib/.build-id/d1
/usr/lib/.build-id/d1/916793f4e30631cc25f5c01cfd5712a19f99d6
/usr/lib/.build-id/e0
/usr/lib/.build-id/e0/d994ca1d7810114cf0e469ea499412d46e017f
/usr/lib/.build-id/f4
/usr/lib/.build-id/f4/f4df1c78477202a87b3207a0488cd9196e3ed7
/usr/share/applications/vesktop.desktop
...

Request Agreement

• I have searched the existing issues and found no similar issue
• This is not a plugin request
• This is not a Vencord bug report

[Vendicated]

Vesktop RPM already supports auto update! it should automatically update itself whenever there is an update. and you could also use appimage or flatpak which have their own updaters. So I don't think there is much reason for us to host a repo

---

the tmp file issue has already been fixed via 75354ad and will make it into the next release

[Arcitec]

Hmm okay, that's surprising. I wouldn't have thought that Vesktop could update itself when it's installed to a system (read-only) location.

Hopefully the app container itself auto-updates, not just the internal web code. Since Electron exploits can appear over time and it's important to have an updated app runtime binary (Electron Chrome Sandbox).

I guess I'll wait and find out if that works. :)

There is a non-zero risk that it behaves exactly like official Discord: Only downloads and runs the internal HTML/JS app (which lives in some writable ~/.local/share/ location), but doesn't update the Electron runtime itself (/opt/Vesktop/chrome-sandbox). If that's the case, a repo like COPR would be necessary for safety.

Glad to see that the temp file issue was fixed by the way. Thanks! :)

[Arcitec]

I read the https://www.electron.build/auto-update page now and it behaves exactly as I feared: It only updates the internal HTML/JS/CSS but doesn't update the Electron runtime (so /opt/Vesktop/chrome-sandbox never gets security fixes). Which will then stagnate over time and have exploits.

That's only solvable by setting up a repo such as COPR. Which can be done via GitHub web hooks so that anytime a release is tagged here at Vesktop, it fetches the source code and makes a RPM automatically.

There's also other build services such as Open Build Service (OBS) which can create package manager repos for a lot of different distros at once. I just remembered it:

https://openbuildservice.org/

I am aware that some projects use OBS for Fedora distribution but I've never tried installing something from their build service on Fedora. I'd assume that it works, and it supports a LOT of distros. It's the official build service of the openSUSE project.

Since security matters to Vesktop, I would strongly suggest considering a move of all distribution to Open Build Service, which means that users of all kinds of distros will have automatic updates of the runtime.

Then your users will receive Vesktop Electron Runtime updates via System updates and will not have old, exploitable Electron bugs. It also helps ensure that the Vesktop application and all of its features are performant and bug-free since Electron improves over time.

[Arcitec]

@Vendicated I just found absolute confirmation that this ticket should be reopened:

https://www.electronjs.org/docs/latest/api/auto-updater

Platform Notices

Currently, only macOS and Windows are supported. There is no built-in support for auto-updater on Linux, so it is recommended to use the distribution's package manager to update your app.

I would recommend the aforementioned Open Build Service since that's gonna nail a lot of distros in one simple build service. ❤️

---

Can the Open Build Service build package for other distributions ?

Yes, we currently support RPM and debian packages. Beside openSUSE and SUSE Linux Enterprise, we support Debian, Ubuntu, Fedora and Mandriva distributions.

[Vendicated]

I read the https://www.electron.build/auto-update page now and it behaves exactly as I feared: It only updates the internal HTML/JS/CSS but doesn't update the Electron runtime (so /opt/Vesktop/chrome-sandbox never gets security fixes). Which will then stagnate over time and have exploits.

it updates the entire app

I just found absolute confirmation that this ticket should be reopened:
https://www.electronjs.org/docs/latest/api/auto-updater

this is not what vesktop uses.

[Arcitec]

this is not what vesktop uses.

Ah okay, thanks again for the clarification then. :) Glad to hear it that you're updating the entire app!

[Arcitec]

I had never seen an update of the engine, but today it finally happened. When shutting down Discord, it opened a system authentication popup, and I could see that it wanted to run dnf remove vesktop. I then checked with ps and saw that it also ran dnf -y install /home/johnny/.cache/vesktop-updater/pending/vesktop-1.5.4.x86_64.rpm.

Afterwards, the contents of the Chromium engine binaries have finally changed:

  File: /opt/Vesktop/vesktop
  Size: 186276400 	Blocks: 363824     IO Block: 4096   regular file
Device: 0,43	Inode: 22903632    Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:usr_t:s0
Access: 2024-12-07 16:06:17.299532578 +0100
Modify: 2024-12-05 20:55:15.000000000 +0100
Change: 2024-12-07 15:39:05.992398631 +0100
 Birth: 2024-12-07 15:39:04.227433112 +0100
  File: /opt/Vesktop/libffmpeg.so
  Size: 2691504   	Blocks: 5264       IO Block: 4096   regular file
Device: 0,43	Inode: 22903568    Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:lib_t:s0
Access: 2024-12-07 16:06:17.300532558 +0100
Modify: 2024-12-05 20:55:14.000000000 +0100
Change: 2024-12-07 15:39:05.991398651 +0100
 Birth: 2024-12-07 15:39:03.730442821 +0100

(Before update, the dates were 2024-07-04, which was the release date of the previous version, 1.5.3.)

So I am really happy to finally confirm that the RPM-based installer will auto-update despite not having a repository for doing so. Very nice.

[Arcitec]

The only uncool thing about the lack of a repository is that update-packages remain in ~/.cache/vesktop-updater. 75MB of wasted space. rm -rf ~/.cache/vesktop-updater after the update has installed itself will take care of that though.

[Vendicated]

we use electron-updater for updating. if you have an issues with the updating process, you should bring them up in this repo https://github.com/electron-userland/electron-builder

[Arcitec]

@Vendicated Thanks, will mention the leftover package to them since it makes no sense to keep the temp directory that's literally named "pending" forever (~/.cache/vesktop-updater/pending/vesktop-1.5.4.x86_64.rpm). :)

Update: electron-userland/electron-builder#8730