Disclosing E2EE vulnerability in multiple Matrix c...

[callahad]

Element did coordinate with the F-Droid packagers on behalf of both Element Android and SchildiChat.

Because F-Droid runs their own builds and requires published source code, there is no mechanism for pre-building and staging security releases for issues which are not yet publicly disclosed.

That said, the packager was extremely helpful and prepared the metadata updates in advance to ensure that both applications could enter the build queue as quickly as possible upon release:

- Element 1.2.2: https://gitlab.com/fdroid/fdroiddata/-/commit/76c8f5b87aa8df...

- SchildiChat 1.2.2.sc43: https://gitlab.com/fdroid/fdroiddata/-/commit/232b316f8affe0...

[nybble41]

> Because F-Droid runs their own builds and requires published source code, …

That seems… completely reasonable for distributors of open-source projects. Mandatory, even, for compliance many open-source licenses. Are you saying there are other open source repositories (e.g. Linux distros) which would not require published source code before distributing binaries?

[callahad]

I wouldn't go that far. What I meant is more that Element would've been willing to share our private source tree for Element Android 1.2.2 with F-Droid several days in advance of disclosure, if it meant that they could pre-build the binaries and have them ready to ship the moment that the source was made public.

(After verifying that the public source is identical to the privately shared copy, of course.)

[m4rtink]

Do you need a full source tree for this ? IIRC major Linux distros do this via preliminary disclosure to a private mailing list possibly with a patch attached.

That way distros can do a local build to verify the patch works and fixes the issue & they then apply the patch in their public infra right after the embargo runs out.

[eighthave]

This patch workflow would also work with F-Droid. I don't know of any other workflows for this situation.