Consider shipping Electrum as an AppImage
Hello,
Several things happened lately that affected the Electrum tool and led to some open tickets on our bug tracker, as well as annoyance to our users of this tool, who get an “out of date” warning every time they send a transaction using Electrum:
- A “bug” was present in versions prior to Electrum 3.3.3 that allowed arbitrary error messages sent by the server to be displayed to users (servers are to be treated as untrusted as per Electrum’s design; anybody can run one). This particular rich text error message suggested to users that the transaction was not broadcast and that an upgrade was needed, and pointed to a link to a malware Electrum that would steal all coins in the wallet. Losses were reported.
- Due to the policy we have in Tails, we need something to be in Debian `stable-backports` in order to ship it by default. The policies in Debian, until something makes it to `stable-backports`, are not so well suited to these types of applications (that handle money / finances / value), which are constantly attacked and need ways to upgrade fast.
- The package maintainer of Electrum in Debian could not work on Debian due to some circumstances recently, and Electrum 3.2.3 was removed from `testing`, so there is no chance for `stable-backports`. Currently we have bug #912042 marked as a blocker for Electrum in the Debian BT; that one seems trivial to fix, but even so it does not help us. There are many other dependencies as well, some not even in Debian at all, and with the Buster freeze it is very tight to get Electrum 3.3.4 into Buster.
- As of yesterday, server ops decided to exploit a DoS bug in the client code prior to Electrum 3.3 which kills the network thread of the client, thus preventing any client running something prior to Electrum 3.3 from talking to a server. This was decided because, even with all the warnings, social media / other channel notifications and highlights of the urgency to update, and blacklists of malicious servers implemented on the server side, users did not upgrade to a non-vulnerable version according to server statistics. The majority were running versions vulnerable to the rich text phishing attack and were getting robbed of coins. So it was decided that, in order to protect more users from getting robbed, it was better to permanently cut them off from the network.
Given this just happened, there are many servers out there that have not upgraded yet and are talking just fine with clients running Electrum 3.1.3 (what we have in Tails now), with the only annoyance that they get that “out of date” version warning every time they send a transaction.
However, very soon, the Electrum 3.1.3 that we have in Tails and in `stable-backports` at the moment this text is being written will NOT be able to communicate with servers, thus making this tool totally useless and unusable.
There is an AppImage for Electrum 3.3.4 on the official website. Can we use it like this in Tails? From what I have read about AppImage, I find it quite suitable for use with Tails, in the sense that I see no overhead nor any open doors to fishy stuff. If something more is needed to make it work with Tails upstream, I can arrange for that. Then we just update the Electrum AppImage we ship from time to time. I am not sure if this is possible in our current system architecture, which is why I am bringing this up for discussion and looking forward to hearing more opinions from devs.
Otherwise, we might be forced to take the unfortunate decision to stop including it, which would of course make the users that got used to it not so happy, but it becomes harder and harder to keep everything up to date as Debian packages, and not only Debian packages but `stable-backports` Debian packages.
We could close: #15390 (closed), #16421 (closed), #9732, #15189 (closed), #15483 (closed), #16204 (closed), which are all about version mismatches / out-of-date dependencies or missing recommended packages.
Related issues
- Related to #16204 (closed)
- Related to #16565 (closed)
- Related to #16421 (closed)
Original created by @s7r on 16564 (Redmine)
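The first bullet of the post describes a client that rendered a server-supplied error string as rich text, which let an untrusted server show users a phishing link. The following is an added illustration of that bug class and the generic hardening for it; it is example code written for this page, not Electrum's code and not its actual fix. The JSON-RPC-style responses, the function names and the message wording are all constructed for the example.

```python
import html
import json

# Constructed sample responses (not captured traffic). The first mimics the
# kind of rich-text phishing message the post describes; the second is a
# benign rejection of the sort a server legitimately returns.
PHISHING_RESPONSE = json.dumps({
    "id": 7,
    "error": {
        "code": -26,
        "message": ('<b>Transaction was NOT broadcast.</b> Your client is out of date. '
                    '<a href="http://example.invalid/update">Upgrade now</a>'),
    },
})
BENIGN_RESPONSE = json.dumps({
    "id": 8,
    "error": {"code": -26, "message": "dust"},
})

# Upper bound on how much server-controlled text the UI will ever show.
MAX_SERVER_TEXT = 200


def render_error_unsafe(raw):
    """Vulnerable pattern: hand the server-supplied string straight to a
    rich-text widget, so any markup the server sends is rendered as markup
    (bold text, links, and so on). The server, which anybody can run, ends
    up authoring what the user reads."""
    return json.loads(raw)["error"]["message"]


def render_error_safe(raw):
    """Hardened pattern: the client owns the sentence the user reads, and the
    server's text is treated as untrusted data. It is parsed defensively,
    length-capped, HTML-escaped, and shown only as a quoted plain-text
    detail, so it cannot introduce formatting or clickable links."""
    try:
        err = json.loads(raw)["error"]
    except (ValueError, KeyError, TypeError):
        err = {}
    if not isinstance(err, dict):
        err = {}
    code = err.get("code")
    code = code if isinstance(code, int) else None
    detail = html.escape(str(err.get("message", ""))[:MAX_SERVER_TEXT], quote=True)

    lead = "The server rejected the transaction"
    if code is not None:
        lead += f" (code {code})"
    if detail:
        return f'{lead}. Server message (untrusted, plain text): "{detail}"'
    return f"{lead}."


def contains_markup(text):
    """Crude check used to show the difference between the two renderers."""
    return "<" in text or ">" in text


if __name__ == "__main__":
    print("unsafe:", render_error_unsafe(PHISHING_RESPONSE))
    print("safe:  ", render_error_safe(PHISHING_RESPONSE))
    print("safe:  ", render_error_safe(BENIGN_RESPONSE))
```

The point of the hardened version is not the escaping alone: the fixed lead sentence is chosen by the client, so a server cannot claim the transaction failed or that an upgrade is required in the client's own voice, and the malformed-response branch means a server cannot crash the error path by sending something that is not an object.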