Epiphany - Flathub update for CVE-2022-29536?


First off, thanks a lot for Web / Epiphany. I switched to the Flatpak version from the Debian bullseye package last year (3.38 in bullseye often crashes for me) following the advice in your README and generally I find the Flatpak version to be an enjoyable experience to use.

I’ve noticed on a couple of occasions that the version on Flathub falls behind the latest release. At this time, Flathub is on 42.0, while the latest release is 42.2, which I understand contains a security fix for CVE-2022-29536.

Is there a plan to update the Flathub package?

All the best,


I’m not sure if the Flathub package has an active maintainer. :confused:

Thanks Michael, any idea how I might volunteer to help with that?

Seems most of the legwork is already done in the main Epiphany repo and the Flathub one is generally an updated URL and hash, for point releases at least. Have made a pull request on the Flathub repo and tested the resulting Flatpak works (on x86_64 at least) - hopefully it will be accepted at some point!

I am not actively maintaining it but I saw the 42.2 update and I merged it by the way.


Well I see you figured this out on your own, considering your update has already been merged. I’m watching this repo too, so if nothing else we can at least respond to pull requests in a timely manner…


Flathub has an update checker bot that could be set up for the epiphany module so that you don’t have to remember to open a PR, and it would be a matter of testing the build and merging it.


Certainly seems good to do. I only wonder why that’s not automatic!


Thanks Bilal and Michael.

Looks like the update checker bot is easy enough to add - I’ll make a pull request for that too. Do we want that just for Epiphany, or the dependencies too?

Note that the update checker only works for the main branch of every repository. Other branches are not yet supported.

Feel free to add that to other dependencies as well


Ah really? So it won’t even notice if we release off of stable branches? That’s quite unfortunate…

You probably misunderstood @HarryMichal’s message; the bot only updates the main branch in the Flathub repository and not the beta one if you are using that.


Ah, great. Well, we don’t need that since we have the GNOME nightly build, Epiphany Technology Preview.

Added for all except ‘elementary-icons’ and ‘elementary-stylesheet’, as they reference specific commits.

