polymc,prismlauncher: replace PolyMC with PrismLauncher

[Minion3665]

Description of changes

• PolyMC is no longer secure (see OVE-20221017-0001: PolyMC appears to be compromised #196460)
• PolyMC maintainers have made a fork, prismlauncher, which is a continuation and should be used instead
• This PR removes PolyMC, aliasing it to an error, and adds prismlauncher
• This PR will close Replace PolyMC with successor #196480

What still needs to be done

• Release notes need to be updated
• tomlplusplus: init at 3.2.0 #193038 needs to be merged, I've cherry-picked stuff here so that this can be tested, but this is not ideal for merging (this was merged and I have dropped the cherry-picked commits)
• The PolyMC maintainers need to be asked if they want to be prismlauncher maintainers (and should probably decide if they want PolyMC to be removed as done here or if they would prefer it to have a security vulnerability added instead)
• We need to either merge [Backport release-22.05] maintainers: add Scrumplex and minion3665, tomlplusplus: init at 3.2.0, prismlauncher: init at 5.0 #196721 (which backports maintainer additions and tomlplusplus: init at 3.2.0 #193038) or not backport this (and move the release notes back into 22.11) We'll be backporting manually, we won't be backporting the PolyMC removal commits (just the addition of PrismLauncher) so the release notes have been amended to note this

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.11 Release Notes (or backporting 22.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[LunNova]

cc @cleverca22 @starcraft66

[Scrumplex]

The PolyMC maintainers need to be asked if they want to be prismlauncher maintainers (and should probably decide if they want PolyMC to be removed as done here or if they would prefer it to have a security vulnerability added instead)

I would love to be a co-maintainer. I don't use NixOS on my desktop yet, but I am still interested in packaging the app for Nix.

[Minion3665]

The PolyMC maintainers need to be asked if they want to be prismlauncher maintainers (and should probably decide if they want PolyMC to be removed as done here or if they would prefer it to have a security vulnerability added instead)

I would love to be a co-maintainer. I don't use NixOS on my desktop yet, but I am still interested in packaging the app for Nix.

Sure! For that todo to be checked off I more meant the people who previously maintained the PolyMC package, however I have added you to the maintainer list

[Minion3665]

As we're backporting to 22.05, I'm going to move the release-note changes from 22.11 to 22.05 (and modify the existing notes about PolyMC there)

[LunNova]

I might've messed up adding the backport with how close it is to 22.11 - @SuperSandro2000 removed my backport tag on the PR this depends on.

[Minion3665]

One very minor thing that most likely is not an issue with nix packaging though: The news feed still shows the PolyMC news.

Yep, I can see that too
I'll bring it up in the discord server they're already aware and there's discussion in the #development discord channel about it

[Scrumplex]

can't test right now, but package LGTM

[LunNova]

the PR just needs to be manually done
~ sandro on matrix

So I think we merge this PR with changes for the 22.11 release notes including the removal of polymc, and for 22.05 a manual backport PR which changes the 22.05 notes and is worded differently because the polymc package isn't getting removed there.

[Minion3665]

the PR just needs to be manually done
~ sandro on matrix

So I think we merge this PR with changes for the 22.11 release notes including the removal of polymc, and for 22.05 a manual backport PR which changes the 22.05 notes and is worded differently because the polymc package isn't getting removed there.

Sounds good to me, I'll add another commit for updating the 22.11 release notes for easy cherry-picking

When we backport, we might consider putting it in #196721, as that only exists to be a dependency for this backport

[SuperSandro2000]

There is no need for removing polymc and replacing it in my opinion, marking it as insecure is sufficient. We don't want to patronize our users, we just want to make them aware of the situation. It is up to them whether they trust the remaining developers and want to continue polymc or not.

MultiMC, PolyMC and PrismLauncher all utilize a meta data server so that the clients know which jar files to download. This is basically RCE by design. The sole last developer that kicked all other developers from everything, so far also attracted attention by having a domestic terrorism manifest in his Steam bio. Also the majority of active developers moved to PrismLauncher as a consqeuence of this hostile takeover which makes this more or less a rename of PolyMC.

[Minion3665]

the PR just needs to be manually done
~ sandro on matrix

So I think we merge this PR with changes for the 22.11 release notes including the removal of polymc, and for 22.05 a manual backport PR which changes the 22.05 notes and is worded differently because the polymc package isn't getting removed there.

Sounds good to me, I'll add another commit for updating the 22.11 release notes for easy cherry-picking

When we backport, we might consider putting it in #196721, as that only exists to be a dependency for this backport

I've updated the release notes for 2211 and 2205 to do that. On the todo list we're now only waiting for confirmation that we want to remove PolyMC entirely, preferably by @cleverca22 and @starcraft66

[piegamesde]

I am still against deleting the polymc package for now, and strongly against doing so on stable.

• Having marked the polymc package as insecure serves the purpose of informing users of the situation, and letting make their own decision
• People are free to opt-in into using polymc if they choose to trust its developer(s)
• We can still remove the polymc package once everybody has moved on
• The polymc package does not need any to have any maintainers for now.
• I'm not sure whether we have a formal stability policy for the stable channels, but I'd consider deleting package attributes an absolute no-go.

[LunNova]

Removal isn't getting backported.

[SuperSandro2000]

The polymc package does not need any to have any maintainers for now.

The problem is that it fetches all java libraries for Minecraft with the information from a remote server. Even if we freeze the package in the current state it can't be considered safe to use in the default configuration and is not from the remaining developers. It would be irresponsible to keep it.

[piegamesde]

@SuperSandro2000 I totally get your point, but I don't see a contradiction to what I said. And this is not a question of security or safety, but one about trust.

[SuperSandro2000]

I don't think that the remaining polymc developer is trustworthy at all based on the actions in the last day(s).

[LunNova]

Security in the context of a package with by-design RCE requires trust.

You can't split them! Security always needs trust, if you don't review every change yourself.

[oxalica]

Offline game works. LGTM as changes on master.