by wbond 2817 days ago
> CVE-2018-11235 reported and fixed more than 4 months ago. Flatpak VSCode, Android Studio and Sublime Text still use unpatched git version 2.9.3.

Wait, what? We explicitly do not ship a Flatpak version of Sublime Text, and no version of Sublime Text comes with git.

After such inaccurate information, I can’t help but question the rest of the article.


After installing the flatpak of Sublime Text from the flathub maintainers, here is the result of looking for "git":

    wbond@u1804:/var/lib/flatpak/app/com.sublimetext.three$ find . -iname 'git' 
    wbond@u1804:/var/lib/flatpak/app/com.sublimetext.three$

I don't know about git integration, but as for the Flatpak version of Sublime Text, I found this:

https://flathub.org/apps/details/com.sublimetext.three

Yes, it appears that the flathub maintainers have published Sublime Text under flathub. This is not an official distribution channel by us, and looking at the spec (https://github.com/flathub/com.sublimetext.three/blob/master...) it seems to rather automatically install Package Control, but also in a rather brittle way. Sigh.

If many distros and people want to use a flatpak to install software even with these drawbacks, that would be a good indication that it would be worth doing upstream.

We currently provide a full complement of Linux package manager repositories, along with tarballs: https://www.sublimetext.com/docs/3/linux_repositories.html.
I try to respect a self-imposed policy of not installing proprietary software that's not properly sandboxed, as I have little control over it (think about the Remote Code Execution hive that Steam games must be).

I do not use Sublime Text personally, but if I ever want to try it, I'd do it through a flatpak. Yes, sandboxing permissions might not be perfect yet, but a little sandboxing is always better than none...

Have a look into flatpak too, otherwise in the not-so-distant future the users could have a problem.

For Fedora, they are planning to switch to Silverblue around Fedora 30 (atomic system, rpms still supported, but you have to jump through hoops).

It will be interesting to see if Flatpak, Snap or AppImage ends up being the predominant force in the new wave of Linux packaging. Knowing Linux, users will probably expect projects to support all three. :-)