Remove “gnome-mplayer”, “gecko-mediaplayer” and “gmtk” are unsecured/abandonware packages(released in 2014)
“gecko-mediaplayer” uses deprecated/unsecured NPAPI[0] and XULRunner[1][2] apis

$ pacman -Si gnome-mplayer
Repository : community
Name : gnome-mplayer
Version : 1.0.9-4
Description : A simple MPlayer GUI.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gnomemplayer Licenses : GPL Groups : None
Provides : None
Depends On : mplayer dbus-glib libnotify gmtk
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 343.29 KiB
Installed Size : 1461.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:45:38 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gecko-mediaplayer
Repository : community
Name : gecko-mediaplayer
Version : 1.0.9-3
Description : Browser plugin that uses gnome-mplayer to play media in a web browser.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gecko-mediaplayer Licenses : GPL Groups : None
Provides : None
Depends On : gnome-mplayer>=1.0.9 dbus-glib gmtk curl
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 80.92 KiB
Installed Size : 598.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:36:31 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gmtk
Repository : community
Name : gmtk
Version : 1.0.9-3
Description : Common functions for gnome-mplayer and gecko-mediaplayer.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gmtk Licenses : GPL Groups : None
Provides : None
Depends On : glib2 gtk3 dconf
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 73.85 KiB
Installed Size : 246.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:50:49 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap [1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [2]:https://tracker.debian.org/pkg/xulrunner

Remove “libFreeWRLplugin.so”, uses deprecated/unsecure NPAPI[0] and XULRunner[1][2] apis

$ pacman -Si freewrl
Repository : community
Name : freewrl
Version : 1:2.3.3-1
Description : VRML viewer
Architecture : x86_64
URL : http://freewrl.sourceforge.net/ Licenses : GPL Groups : None
Provides : None
Depends On : java-runtime libxaw glew freeglut curl freetype2 imlib2 sox unzip imagemagick libxml2 ttf-bitstream-vera lesstif js185 glu openal

                freealut

Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 583.49 KiB
Installed Size : 2060.00 KiB
Packager : Sergej Pupykin <pupykin.s+arch@gmail.com>
Build Date : Mon 19 Dec 2016 10:31:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ sudo pacman -Ql freewrl
freewrl /usr/
freewrl /usr/bin/
freewrl /usr/bin/freewrl
freewrl /usr/bin/freewrl_msg
freewrl /usr/bin/freewrl_snd
freewrl /usr/include/
freewrl /usr/include/FreeWRLEAI/
freewrl /usr/include/FreeWRLEAI/EAIHeaders.h
freewrl /usr/include/FreeWRLEAI/EAI_C.h
freewrl /usr/include/FreeWRLEAI/GeneratedHeaders.h
freewrl /usr/include/FreeWRLEAI/X3DNode.h
freewrl /usr/include/libFreeWRL.h
freewrl /usr/lib/
freewrl /usr/lib/libFreeWRL.so
freewrl /usr/lib/libFreeWRL.so.2
freewrl /usr/lib/libFreeWRL.so.2.3.3
freewrl /usr/lib/libFreeWRLEAI.so
freewrl /usr/lib/libFreeWRLEAI.so.2
freewrl /usr/lib/libFreeWRLEAI.so.2.3.3
freewrl /usr/lib/mozilla/
freewrl /usr/lib/mozilla/plugins/
freewrl /usr/lib/mozilla/plugins/libFreeWRLplugin.so
freewrl /usr/lib/pkgconfig/
freewrl /usr/lib/pkgconfig/libFreeWRL.pc
freewrl /usr/lib/pkgconfig/libFreeWRLEAI.pc
freewrl /usr/share/
freewrl /usr/share/applications/
freewrl /usr/share/applications/freewrl.desktop
freewrl /usr/share/man/
freewrl /usr/share/man/man1/
freewrl /usr/share/man/man1/freewrl.1.gz
freewrl /usr/share/pixmaps/
freewrl /usr/share/pixmaps/freewrl.png

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap [1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [2]:https://tracker.debian.org/pkg/xulrunner

Remove “xulrunner”[0][1] is unsecure/abandonware package

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner Licenses : MPL GPL LGPL Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [1]:https://tracker.debian.org/pkg/xulrunner

$ pacman -Si cmake-fedora
Repository : community
Name : cmake-fedora
Version : 2.7.1-3
Description : CMake helper modules for fedora developers
Architecture : any
URL : https://pagure.io/cmake-fedora Licenses : custom:BSD
Groups : None
Provides : None
Depends On : cmake
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 90.94 KiB
Installed Size : 422.00 KiB
Packager : Felix Yan felixonmars@archlinux.org Build Date : Mon 17 Apr 2017 06:39:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

Cataclysm-DDA contains a problematic license[0][1][2] for software.
Uses “Creative Commons Attribution-ShareAlike 3.0 Unported License”.

$ pacman -Si cataclysm-dda
Repository : community
Name : cataclysm-dda
Version : 0.C-3
Description : A post-apocalyptic roguelike.
Architecture : x86_64
URL : http://en.cataclysmdda.com/ Licenses : CCPL:by-sa
Groups : None
Provides : None
Depends On : ncurses lua
Optional Deps : sdl2_image: for tiles

                sdl2_ttf: for tiles
                freetype2: for tiles
                sdl2_mixer: for tiles

Conflicts With : None
Replaces : None
Download Size : 19.33 MiB
Installed Size : 53.32 MiB
Packager : Felix Yan felixonmars@archlinux.org Build Date : Mon 07 Dec 2015 03:14:02 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://github.com/CleverRaven/Cataclysm-DDA/blob/master/LICENSE.txt [1]:https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software [2]:https://www.gnu.org/licenses/license-list.html#ccbysa

The developer team is discussing the removal of Midori from Debian repositories.

Jeremy Bicha says:

> The final stable release of Midori still uses the unmaintained WebKit1
> instead of webkit2gtk and therefore the browser suffers from numerous
> known security vulnerabilities. Midori now fails to build with vala
> 0.36 which is in Ubuntu 17.10 Alpha and will be in Debian unstable
> once it clears the Debian new queue.
> https://launchpad.net/bugs/1698483 .

See a complete discussion here.

w3m is an unmaintained and unsuportable software, the latest release was 0.5.3 (2011)[0][1][2][3]

$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/ Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot jgc@archlinux.org Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature

[0]:https://sourceforge.net/projects/w3m/files/w3m/ [1]:https://security.archlinux.org/package/w3m [2]:https://tracker.debian.org/pkg/w3m [3]:https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m

pam_unix2 was removed from Debian Jessie because it’s buggy and unmaintained [0]

It’s included inside pam package and should be removed since it doesn’t comes from official source. Also the original upstream FTP directory (ftp://ftp.suse.com/people/kukuk/pam/pam_unix2) has disappeared.

[0]:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628848

$ pacman -Si pam
Repository : core
Name : pam
Version : 1.3.0-1
Description : PAM (Pluggable Authentication Modules) library
Architecture : x86_64
URL : http://linux-pam.org Licenses : GPL2
Groups : None
Provides : None
Depends On : glibc cracklib libtirpc pambase
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 609.71 KiB
Installed Size : 2980.00 KiB
Packager : Tobias Powalowski tpowa@archlinux.org Build Date : Thu 09 Jun 2016 02:44:03 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Ql pam > pam_fileslist.txt

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

Please replace by avideo, preferably by a release which receives updates so that it can still function within kodi (the non-LTS version).

Replace by LTS version of avideo to follow Hyperbola Packaging Guidelines.

Please move dillo to blacklist. Please enable IPv6, SSL/TLS and threaded DNS support.

1- Arch PKGBUILD problems:

 a- not obtain source via https
 b- not compiled with support --enable-ipv6 --enable-threaded-dns --enable-ssl 

My correction is committed in NAB-packages-community

Abiword supports the defunct AltaVista’s Babel Fish translator which queries are redirected to the main Yahoo! page.

...

build() {
  cd $pkgname-$pkgver
  ./configure --prefix=/usr \
    --enable-shared \
    --disable-static \
    --enable-clipart \
    --enable-templates \
    --enable-plugins="aiksaurus applix **babelfish** bmp clarisworks collab docbook \
                      eml epub freetranslation garble gdict gimp goffice grammar \
                      hancom hrtext iscii kword latex loadbindings mathview mht \
                      mif mswrite opendocument openwriter openxml opml ots paint \
                      passepartout pdb pdf presentation psion s5 sdw t602 urldict \
                      wikipedia wmf wml wordperfect wpg xslfo" \
    --enable-introspection
  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
  make
}

...

Libreoffice contains Google API keys which affects privacy.

The aarch64-linux-gnu-linux-api-headers from [community] is compiled using the blobbed Linux kernel sources[0], and in Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1].
This issue is exactly the same as linux-api-headers, so it should be blacklisted and replaced using the Linux-libre source.

[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD

[1]https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662

The aarch64-linux-gnu-linux-api-headers package from [community] compiles using the blobbed Linux kernel source[0], at Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1], since this issue is exactly the same as with linux-api-headers.

The solution is to simply compile using Linux-libre sources.

[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD

[1] https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662

Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.

Our current version is vulnerable

/etc/init.d/net-online
-----
Line #62
ping_test_host="${ping_test_host:-google.com}"
_____
/etc/conf.d/net-online
-----
# The default is google.com.

Summary

$ pacman -Si mupdf
Repositorio               : community
Nombre                    : mupdf
Versión                   : 1.11-1
Descripción               : Lightweight PDF and XPS viewer
Arquitectura              : x86_64
URL                       : http://mupdf.com
Licencias                 : AGPL3
Grupos                    : Nada
Provee                    : Nada
Depende de                : curl  desktop-file-utils  freetype2  harfbuzz  jbig2dec  libjpeg  openjpeg2  openssl
Dependencias opcionales   : Nada
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 18,18 MiB
Tamaño de la instalación  : 33,03 MiB
Encargado                 : Christian Hesse <arch@eworm.de>
Fecha de creación         : mar 11 abr 2017 05:22:41 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

Since DNSCrypt-Proxy project has been abandoned [0] , DNSCrypt-Proxy 2 [1] should be used as its source replacement, however DNSCrypt-Proxy 2 contains support for unsafe and dangerous for privacy protocols such as Google. [2] [3] [4] Also, it contains Google recommendation and support through its parental control servers and public resolvers lists [5] [6]

Therefore DNSCrypt-Proxy 2 requires be re-forked by us first to follow our social contract.

Since Linux 4.14, the in-tree kernel firmware was dropped[0][1], and Hyperbola uses linux-libre-lts-firmware from 4.9 which still supports that firmware.

However, I’d like to request upgrading to the new libre replacement of linux-firmware.git: linux-libre-firmware[2][3].

This version has no LTS releases (well, firmwares commonly don’t have LTS versions and the in-tree firmware was always the same in post-4.9 generations), but it has the same firmwares as Linux-libre-lts plus some others.

This is the list of firmware files in linux-libre-lts-firmware and its dependencies:

linux-libre-lts-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw

ath9k-htc-firmware
---
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw

openfwwf
---
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw

And here are the firmware files of the new linux-libre-firmware:

linux-libre-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw
/usr/lib/firmware/carl9170-1.fw
/usr/lib/firmware/cis/3CCFEM556.cis
/usr/lib/firmware/cis/3CXEM556.cis
/usr/lib/firmware/cis/COMpad2.cis
/usr/lib/firmware/cis/COMpad4.cis
/usr/lib/firmware/cis/DP83903.cis
/usr/lib/firmware/cis/LA-PCM.cis
/usr/lib/firmware/cis/MT5634ZLX.cis
/usr/lib/firmware/cis/NE2K.cis
/usr/lib/firmware/cis/PCMLM28.cis
/usr/lib/firmware/cis/PE-200.cis
/usr/lib/firmware/cis/PE520.cis
/usr/lib/firmware/cis/RS-COM-2P.cis
/usr/lib/firmware/cis/SW_555_SER.cis
/usr/lib/firmware/cis/SW_7xx_SER.cis
/usr/lib/firmware/cis/SW_8xx_SER.cis
/usr/lib/firmware/cis/tamarack.cis
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
/usr/lib/firmware/isci/isci_firmware.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
/usr/lib/firmware/usbdux_firmware.bin
/usr/lib/firmware/usbduxfast_firmware.bin
/usr/lib/firmware/usbduxsigma_firmware.bin

It has openfwwf and ath9k-htc-firmware included, plus some others. If actual versions of Hyperbola don’t get the update at least consider it for future releases. You can get the new PKGBUILD[4] and its new build dependencies at Parabola’s abslibre.git libre tree[5]

The new dependencies are:

• sh-elf-gcc (which depends on sh-elf-binutils)

• sh-elf-newlib

• arm-linux-gnueabi-gcc (which depends on arm-linux-gnueabi-binutils)

• xtensa-unknown-elf-gcc (already at Hyperbola)

Sources:

[0] https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.14-Migrates-Out-FW
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38923a068c10fc36ca8f596d650d095ce390b85
[2] https://jxself.org/firmware/
[3] https://jxself.org/git/?p=linux-libre-firmware.git
[4] https://git.parabola.nu/abslibre.git/tree/libre/linux-libre-firmware
[5] https://git.parabola.nu/abslibre.git/tree/libre

Updated Note:

Since Linux-libre-firmware contains a lot of independent firmware, tools and assembly projects, it should be built from its official tarball separately and create a group called kernel-firmware to follow the our packaging guidelines. Tools and assembly projects shouldn’t be included in kernel-firmware since those ones are firmware dependencies.

The package is not compiled from source

The package contains nonfree assets:
data0_000_nonfree_21.pk3
data0_000_nonfree_21pure.pk3
tex_000_nonfree.pk3

The package contains nonfree car models

The package contains nonfree car and track models