[desktop] --no-sandbox does not prevent the SUID abort when added from JS (#1706)

- Revert the workaround
- Document the behaviour I observed
- (Unrelated) Add the other CHANGELOG entries in preparation for the
release

desktop/CHANGELOG.md

@@ -2,11 +2,17 @@
 
 ## v1.7.0 (Unreleased)
 
-v1.7 is a major rewrite to improve the security of our app. We have enabled
-sandboxing and disabled node integration for the renderer process. All this
-required restructuring our IPC mechanisms, which resulted in a lot of under the
-hood changes. The outcome is a more secure app that also uses the latest and
-greatest Electron recommendations.
+v1.7 is a major rewrite to improve the security of our app. In particular, the
+UI and the native parts of the app now run isolated from each other and
+communicate only using a predefined IPC boundary.
+
+Other highlights:
+
+-   View your photos on big screens and Chromecast devices by using the "Play
+    album on TV" option in the album menu.
+-   Support Brazilian Portuguese, German and Russian.
+-   Provide a checkbox to select all photos in a day.
+-   Fix a case where the dedup screen would not refresh after removing items.
 
 ## v1.6.63
 

desktop/src/main.ts

@@ -133,15 +133,6 @@ const registerPrivilegedSchemes = () => {
     ]);
 };
 
-/**
- * The Chromium sandbox causes the app to fail to run on various Linux
- * distributions. Reproducible on Ubuntu 24.
- *
- * See: https://github.com/electron/electron/issues/17972
- */
-const suidWorkaroundOnLinux = () =>
-    process.platform == "linux" && app.commandLine.appendSwitch("--no-sandbox");
-
 /**
  * Create an return the {@link BrowserWindow} that will form our app's UI.
  *
@@ -365,7 +356,6 @@ const main = () => {
 
     initLogging();
     logStartupBanner();
-    suidWorkaroundOnLinux();
     // The order of the next two calls is important
     setupRendererServer();
     registerPrivilegedSchemes();

docs/docs/photos/troubleshooting/desktop-install/index.md

@@ -9,6 +9,19 @@ The latest version of the Ente Photos desktop app can be downloaded from
 [ente.io/download](https://ente.io/download). If you're having trouble, please
 see if any of the following cases apply.
 
+## Windows
+
+If the app stops with an "A JavaScript error occurred in the main process - The
+specified module could not be found" error on your Windows machine when you
+start it, then you might need to install the VC++ runtime from Microsoft.
+
+This is what the error looks like:
+
+![Error when VC++ runtime is not installed](windows-vc.png){width=500px}
+
+You can install the Microsoft VC++ redistributable runtime from here:<br/>
+https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170#latest-microsoft-visual-c-redistributable-version
+
 ## AppImages on ARM64 Linux
 
 If you're on an ARM64 machine running Linux, and the AppImages doesn't do
@@ -21,13 +34,13 @@ sudo ln -s /usr/lib/aarch64-linux-gnu/libz.so{.1,}
 
 It is possible that the exact path might be different on your machine. Briefly,
 what we need to do is create `libz.so` as an alias for `libz.so.1`. For more
-details, see the following bugs in upstream repositories:
+details, see the following upstream issues:
 
 -   libz.so cannot open shared object file on ARM64 -
-    [/github.com/AppImage/AppImageKit/issues/1092](https://github.com/AppImage/AppImageKit/issues/1092)
+    [AppImage/AppImageKit/issues/1092](https://github.com/AppImage/AppImageKit/issues/1092)
 
 -   libz.so: cannot open shared object file with Ubuntu arm64 -
-    [github.com/electron-userland/electron-builder/issues/7835](https://github.com/electron-userland/electron-builder/issues/7835)
+    [electron-userland/electron-builder/issues/7835](https://github.com/electron-userland/electron-builder/issues/7835)
 
 ## AppImage says it requires FUSE
 
@@ -40,15 +53,23 @@ tl;dr; for example, on Ubuntu,
 sudo apt install libfuse2
 ```
 
-## Windows
+## Linux SUID error
 
-If the app stops with an "A JavaScript error occurred in the main process - The
-specified module could not be found" error on your Windows machine when you
-start it, then you might need to install the VC++ runtime from Microsoft.
+On some Linux distributions, if you run the AppImage from the CLI, it might fail
+with the following error:
 
-This is what the error looks like:
+> The SUID sandbox helper binary was found, but is not configured correctly.
 
-![Error when VC++ runtime is not installed](windows-vc.png){width=500px}
+This happens when you try to run the AppImage from the command line. If you
+instead double click on the AppImage in your Files browser, then it should start
+properly.
 
-You can install the Microsoft VC++ redistributable runtime from here:<br/>
-https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170#latest-microsoft-visual-c-redistributable-version
+If you do want to run it from the command line, you can do so by passing the
+`--no-sandbox` flag when executing the AppImage. e.g.
+
+```sh
+./ente.AppImage --no-sandbox
+```
+
+For more details, see this upstream issue on
+[electron](https://github.com/electron/electron/issues/17972).