Skip to content

helvum: drop#493796

Merged
Aleksanaa merged 1 commit into
NixOS:masterfrom
thunze:helvum-drop
Mar 4, 2026
Merged

helvum: drop#493796
Aleksanaa merged 1 commit into
NixOS:masterfrom
thunze:helvum-drop

Conversation

@thunze

@thunze thunze commented Feb 24, 2026

Copy link
Copy Markdown
Member

This package was marked as unmaintained upstream and depends on the vulnerable shlex 1.2.0.

Closes #493707

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

@Hythera

Hythera commented Feb 24, 2026

Copy link
Copy Markdown
Contributor

Just looking at GitHub Search there are over 100 consumers.

@nixpkgs-ci nixpkgs-ci Bot requested a review from fufexan February 24, 2026 21:33
@nixpkgs-ci nixpkgs-ci Bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Feb 24, 2026
@thunze

thunze commented Feb 24, 2026

Copy link
Copy Markdown
Member Author

Just looking at GitHub Search there are over 100 consumers.

While we don't have strict rules when it comes to removing packages, I still don't think we should keep a package around that

  • Didn't have any relevant upstream activity for more than 2 years
  • Was explicitly marked as unmaintained
  • Is potentially vulnerable (although to be fair, I haven't checked that the referenced vuln applies here)

@Hythera

Hythera commented Feb 24, 2026

Copy link
Copy Markdown
Contributor

Oh, I'm not against removing the package :) I'm just saying that this might affect a lot of users so linking a replacement or an alternative might be good idea in this case. RFC 180 describes a new process of removing packages which I think this PR complies with as most of the goals from it are not implemented yet.

@ninelore

Copy link
Copy Markdown
Member

New alternative popped up veeery recently https://github.com/dp0sk/crosspipe

Comment thread pkgs/top-level/aliases.nix Outdated
@thunze

thunze commented Feb 25, 2026

Copy link
Copy Markdown
Member Author

Oh, I'm not against removing the package :) I'm just saying that this might affect a lot of users so linking a replacement or an alternative might be good idea in this case.

Agreed! Is there any alternative that's already packaged in nixpkgs? I'm not very familiar with helvum.

RFC 180 describes a new process of removing packages which I think this PR complies with as most of the goals from it are not implemented yet.

Thanks for pointing out this RFC, interesting read!

@qweered qweered mentioned this pull request Feb 26, 2026
13 tasks
Comment thread pkgs/top-level/aliases.nix Outdated
This package was marked as unmaintained upstream [1] and depends on
the vulnerable shlex 1.2.0 [2].

[1] https://gitlab.freedesktop.org/pipewire/helvum
[2] https://www.cve.org/CVERecord?id=CVE-2024-58266
@Aleksanaa Aleksanaa added this pull request to the merge queue Mar 4, 2026
Merged via the queue into NixOS:master with commit 529a66c Mar 4, 2026
25 checks passed
@thunze thunze deleted the helvum-drop branch March 4, 2026 12:10
@SuperSandro2000

Copy link
Copy Markdown
Member

depends on the vulnerable shlex 1.2.0.

This is only a low severity CVE and from where should command injections come? From audio interface names? CVEs need to be assessed. Even a high or critical CVE in a package might only affect a part of it which is not even used or compiled by NixOS.

@thunze

thunze commented Mar 8, 2026

Copy link
Copy Markdown
Member Author

depends on the vulnerable shlex 1.2.0.

This is only a low severity CVE and from where should command injections come? From audio interface names? CVEs need to be assessed. Even a high or critical CVE in a package might only affect a part of it which is not even used or compiled by NixOS.

I intentionally did not assert that helvum was necessarily vulnerable.

@Aleksanaa

Copy link
Copy Markdown
Member

"relies on vulnerable dependencies" means "there's something the upstream should do but they didn't", which is a proof of being unmaintained

@SuperSandro2000

Copy link
Copy Markdown
Member

It can, but it can also mean that dumb scanners are used. Please take a read in this issue from gosu tianon/gosu#104 which very often has to fight with this and I must agree with the maintainer, uses a lot of time for very questionable benefit.

This is just as a general note. helvum is unmaintained which is admitted by upstream but just because some dependency has some low CVE does not mean anything is unmaintained or vulnerable. I have to fight with this on the weekly at my day job and using tools like govulncheck makes the churn from infinite to doable. Not sure if rust has something similar but if it has we absolute should run that on the upstream source code and down rank any CVE to LOW or not applicable.

@jn-sena

jn-sena commented May 17, 2026

Copy link
Copy Markdown
Member

it's back to being maintained and has new releases, can we have it back?

@Hythera

Hythera commented May 17, 2026

Copy link
Copy Markdown
Contributor

Just revert this PR :)

LuminarLeaf added a commit to LuminarLeaf/nixpkgs that referenced this pull request May 26, 2026
LuminarLeaf added a commit to LuminarLeaf/nixpkgs that referenced this pull request May 26, 2026
GirardR1006 pushed a commit to GirardR1006/nixpkgs that referenced this pull request May 29, 2026
GirardR1006 pushed a commit to GirardR1006/nixpkgs that referenced this pull request May 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

helvum: unmaintained upstream

7 participants