Unable to Install Decidim due to a bug in a dependency (seven_zip_ruby) #12408
Comments
Hi,
Thanks for bringing this up @Ph0tonic. To bring you some context, we're using this gem for this feature: http://github.com/decidim/decidim/tree/develop/decidim-core/app/services/decidim/download_your_data_exporter.rb - basically it's adding a password-protected zip file. In #8516 we mentioned:
The problem is that there are two kinds of encryption in zip files:
We've chosen the more secure option. Ideally we could migrate to rubyzip, as it's more supported, but they don't offer AES support. There's an open PR but it seems like it doesn't have much activity: rubyzip/rubyzip#179. Finally, to propose some ways of fixing this and have a better discussion, this is what I came up with:
I'll bring this up in the next @decidim/product meeting, explaining the problem to see which solution we will implement, but if there's another alternative that I'm missing, please share it 😄
Hi, maybe we could, in a first step, switch to this dependency to unblock the situation and then take some time to implement one of the other alternatives, which might take some time.
I agree this is a problem deploying Decidim to any PaaS service and also an inconvenience with fully owned machines that do not have user-specific Rubies installed (need to do some manual I have posted a suggestion about an alternative approach to the data exports to MetaDecidim: With this, the exported document wouldn't need to be encrypted at the client side as it would be served through the user session which is already authenticated with their login credentials. And we could control from the Decidim service side what would be required to download those files, e.g. requiring the user to enter their password to download this file (if it is seen necessary). Of course, this is much more work than the current approach, but I believe
I don't like using a fork that doesn't have at least a bit of community behind it, as it may be abandoned sometime from now or could have security issues.
In this case the original idea was protecting the data export from being accessed through the email (so, with the proposal from @ahukkanen that would be solved), but also protection on the local machine (like on public/shared computers and things like that). I think that with the current state of the gems (without AES support) what we could do:
These two could be implemented as fixes so they can be backported and solve this bug. Then for next versions (aka features, so they can't be backported): a. Keep track if/when rubyzip implements AES sometime
I understand your point, but both repos have basically no community, so maybe we should choose the one which is not buggy between the two. And it would allow for a first fix which wouldn't take too much effort.
Hi,
I am currently unable to install the latest version of Decidim due to a bug with one of its dependencies (seven_zip_ruby), see:
Despite the PR created more than one year ago, no solution has been made available:
Furthermore, this lib hasn't been updated for 3.5 years.
This issue is blocking installations on non-admin systems.
I identified a fork which has been updated and has fixed this library :
Could it be an option to migrate to this new library or another one? I noticed that the idea of changing this library had already been discussed a while back here: #8516
Thanks so much for your work!