Raven (she/her/it) 
i just want to be able to use Signal directly in my browser and not run an electron app, sheesh
also also also!! u could run it as a PWA that way
0xda157 [daisy] 
@sparklepanic iirc they don't have that as an option primarily due to concerns about malicious extensions and general web browser security. does seem a bit silly, they could just have a pop-up on first open being like: "any extensions with can read your messages, review your extensions carefully before using signal in the browser" and that'd probably be enough
Maxx (she/her)@sparklepanic whats wrong with it using electron?
Flatpak Electron App Throws Error With `libhardened_malloc.so` · Issue #193 · secureblue/secureblue
I have tested several flatpak electron apps, including Signal, Slack, Freetube, all of them seems to give the following error: ERROR: ld.so: object '/var/run/host/usr/lib64/libhardened_malloc.so' f...
@sparklepanic hmm ill admit theres more security vulnerabilities in electron than an up to date chromium instance, but i think these guys are blowing things out of proportion a bit. and im not totally parsing the full discussion, but a lot of that seems specific to that os?
@JezebelTheApocryphal afaik it applies to all electron-based apps, and imo we should be working toward security-by-default
@JezebelTheApocryphal i still use electron-based apps right now but wanna see their use decline over time
@sparklepanic i mean the hardened_malloc discourse, thats os-specific. and then they get in the weeds about which other os-specific rendering engine is better? electron apps have built-in vulnernabilities ofc since theyre shipped with a certain version and only have opt-in security updates (if the devs release any at all). but that's not like some electron-exclusive issue, thats an issue with any distributed app
@JezebelTheApocryphal if by OS u mean "linux" sure (as hardened_malloc can be used in practically any distro)
and yes, in the thread they are talking about specific technologies but the point that electron-apps suck at being secure should still be fair game here
also the ux of electron apps isn't the greatest and tools like signal would be better off being able to be launched in the browser (they could make it only compatible with a recently patched browser for instance)
check this out! cool stuff
On traditional Linux-based operating systems, hardened_malloc can either be integrated into the libc implementation as a replacement for the standard malloc implementation or loaded as a dynamic library.
https://github.com/GrapheneOS/hardened_malloc?tab=readme-ov-file#os-integration
GitHub - GrapheneOS/hardened_malloc: Hardened allocator designed for modern systems. It has integration into Android's Bionic libc and can be used externally with musl and glibc as a dynamic library for use on other Linux-based platforms. It will gain more portability/integration over time.
Hardened allocator designed for modern systems. It has integration into Android's Bionic libc and can be used externally with musl and glibc as a dynamic library for use on other Linux-based pl...
@sparklepanic and ux complaints should be sent to the devs lol. electron is a full node js stack, it can do any ux that you can display in any web browser
@JezebelTheApocryphal oh yeah, i get that. i just don't get why we need it to be this way and instead focus on developing well for the browser itself combined with PWAs would not need electron at all
@sparklepanic honestly just cause web-native apps werent as viable when electron got released, so it had mass adoption and a lot of staying power at this point. we'll transition to better webapps, but itll take time. in the mean time while were still stuck with them, i dont believe theyre as bad and vulnerable as everybody makes them out to be
@JezebelTheApocryphal i tend to have a more "security-by-default" viewpoint than you do but i hope ur right that things will improve!
@sparklepanic i do since the whole point of electron is to be cross-platform between :p and the security vulnerabilities are fair game, but just not much different from any other distributed app's vulnerabilities