From the release notes [1]:
* Fix a vulnerability caused by Cross-Origin Resource Sharing (CORS)
in the JSONRPC interface. Previous versions of Electrum are
vulnerable to port scanning and deanonymization attacks from
malicious websites. Wallets that are not password-protected are
vulnerable to theft.
See this [2] for explanation.
[1] https://github.com/spesmilo/electrum/blob/3.0.4/RELEASE-NOTES
[2] https://github.com/spesmilo/electrum/issues/3374
Note that due to runtime impurities, non-NixOS users must prepend and export
QT_PLUGIN_PATH=${qt5.qtbase.qtPluginPrefix}
and
LD_LIBRARY_PATH=/run/opengl-driver/lib
before running electrum, lest it fail to find runtime dependencies or pick
up mismatching libraries from the host system.
Since 9c57f3b5c0 bumped the protobuf
version because the new upstream requires it, electrum now gets
protobuf3_0 *and* protobuf3_2 instead of just one version.
This leads to the following build error:
Found duplicated packages in closure for dependency 'protobuf':
protobuf 3.0.2 (...-python2.7-protobuf-3.0.2/lib/python2.7/site-packages)
protobuf 3.2.0 (...-python2.7-protobuf-3.2.0/lib/python2.7/site-packages)
Using protobuf3_2 for keepkey and electrum fixes the build.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @np
See https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES
Also
- patch .desktop file to include full path to electrum
- add dep on pysocks
- remove dep on pyasn; per the changelog, it has not been used since v2.1
- replace dep on slowaes with pyaes
The icon resource file captures the build timestamp, introducing an
element of indeterminism. Fix by patching out the timestamp.
This allows
```sh
nix-build --check -A electrum
```
to succeed.