this post was submitted on 10 Oct 2023
845 points (97.0% liked)

Programmer Humor

[–] [email protected] 94 points 1 year ago (3 children)

*Badly outdated Chrome with a bunch of critical vulnerabilities.

Don't forget every Electron app comes with its own Chrome.

[–] qaz 43 points 1 year ago* (last edited 1 year ago) (2 children)

Last time I checked, the version of Electron used by Discord was severely out of date, causing several issues that had been solved months ago upstream. That’s the fault of Discord, not Electron, but there are several issues with Chromium that I have to deal with on every Electron app I use. Compose sequences are still partially broken. I reported it at Chromium but they responded with a video of them testing it on Windows (not with a VM), said they couldn’t reproduce the issue (with a Linux-specific input method?!) and then marked it as unreproducible.

[–] [email protected] 23 points 1 year ago (3 children)

Wait, you're telling me that Discord is probably still vulnerable to the WebP RCE vulnerability?

[–] [email protected] 19 points 1 year ago

They use plain text and their biggest shareholder is Tencent (the CCP, let's be real). Are you surprised? It's literally a data farm for China...

[–] dinckelman 7 points 1 year ago

They updated to a version that included a patch for that exploit; however, it doesn't matter in the grand scheme of things, because they're still on 22.x, support for which has already been terminated.

[–] qaz 7 points 1 year ago

They probably manually added the patch.

[–] [email protected] 10 points 1 year ago (1 children)

Problem is, for any somewhat big project (like Discord), updating Electron without something breaking is a nightmarishly complex venture, as Electron doesn't seem to care about backwards compatibility.

[–] [email protected] 12 points 1 year ago (1 children)

The error is in picking Electron in the first place. One particular case that I've had with several Electron apps is zombie processes. You close the window, but you check the task manager and see 4-5 processes hanging in there, eating resources for no reason.

[–] qaz 3 points 1 year ago* (last edited 1 year ago) (1 children)

I agree that it’s silly to package your app as a website with a browser, but what other options do you have? GTK is difficult to get working on Windows, wxWidgets requires installing libraries on every system and Qt is either paid or LGPL. The only real cross-platform options seem to be Flutter and some .NET frameworks.

[–] [email protected] 4 points 1 year ago

FreePascal + Lazarus have been desktop crossplatform for many years. "But it's Pascal! Nobody uses Pascal! And the defaults are fugly!", fair enough, but it offers compatible crossplatform UI with a single codebase.

Java also lets you write UI stuff and keep a single codebase for multiple platforms, thanks to the JVM. It always looks "weird" or "ugly" next to whatever OS's default UI is and also needs a compatible JRM installed, but it works.

Nowadays, web/javascript projects can opt for Tauri or Neutralinojs instead of Electron. They use the OS's native HTML renderer, no browser required.

[–] [email protected] 10 points 1 year ago

And they thought snaps were dumb

[–] rdri 5 points 1 year ago* (last edited 1 year ago)

Steam is using CEF v85 (not Electron but still). Should have gone "please be aware to not visit even slightly shady websites until we update it" but instead went "oh you must like security, so we announce that we will drop Windows 7/8 support in half a year (because ~~CEF~~ Microsoft doesn't support it anymore) so you could play your games more securely".