Packages

CategoryTask TypePrioritySeveritySummaryStatusProgress
AnySecurity IssueVery HighCritical [gnome-mplayer] [gecko-mediaplayer] [gmtk] remove unsec ...Closed
100%
Task Description

Remove “gnome-mplayer”, “gecko-mediaplayer” and “gmtk” are unsecured/abandonware packages(released in 2014)
“gecko-mediaplayer” uses deprecated/unsecured NPAPI[0] and XULRunner[1][2] apis

$ pacman -Si gnome-mplayer
Repository : community
Name : gnome-mplayer
Version : 1.0.9-4
Description : A simple MPlayer GUI.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gnomemplayer Licenses : GPL Groups : None
Provides : None
Depends On : mplayer dbus-glib libnotify gmtk
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 343.29 KiB
Installed Size : 1461.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:45:38 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gecko-mediaplayer
Repository : community
Name : gecko-mediaplayer
Version : 1.0.9-3
Description : Browser plugin that uses gnome-mplayer to play media in a web browser.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gecko-mediaplayer Licenses : GPL Groups : None
Provides : None
Depends On : gnome-mplayer>=1.0.9 dbus-glib gmtk curl
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 80.92 KiB
Installed Size : 598.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:36:31 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gmtk
Repository : community
Name : gmtk
Version : 1.0.9-3
Description : Common functions for gnome-mplayer and gecko-mediaplayer.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gmtk Licenses : GPL Groups : None
Provides : None
Depends On : glib2 gtk3 dconf
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 73.85 KiB
Installed Size : 246.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:50:49 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap [1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [2]:https://tracker.debian.org/pkg/xulrunner

AnySecurity IssueVery HighCritical [freewrl] remove unsecure "libFreeWRLplugin.so" Closed
100%
Task Description

Remove “libFreeWRLplugin.so”, uses deprecated/unsecure NPAPI[0] and XULRunner[1][2] apis

$ pacman -Si freewrl
Repository : community
Name : freewrl
Version : 1:2.3.3-1
Description : VRML viewer
Architecture : x86_64
URL : http://freewrl.sourceforge.net/ Licenses : GPL Groups : None
Provides : None
Depends On : java-runtime libxaw glew freeglut curl freetype2 imlib2 sox unzip imagemagick libxml2 ttf-bitstream-vera lesstif js185 glu openal

                freealut

Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 583.49 KiB
Installed Size : 2060.00 KiB
Packager : Sergej Pupykin <pupykin.s+arch@gmail.com>
Build Date : Mon 19 Dec 2016 10:31:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ sudo pacman -Ql freewrl
freewrl /usr/
freewrl /usr/bin/
freewrl /usr/bin/freewrl
freewrl /usr/bin/freewrl_msg
freewrl /usr/bin/freewrl_snd
freewrl /usr/include/
freewrl /usr/include/FreeWRLEAI/
freewrl /usr/include/FreeWRLEAI/EAIHeaders.h
freewrl /usr/include/FreeWRLEAI/EAI_C.h
freewrl /usr/include/FreeWRLEAI/GeneratedHeaders.h
freewrl /usr/include/FreeWRLEAI/X3DNode.h
freewrl /usr/include/libFreeWRL.h
freewrl /usr/lib/
freewrl /usr/lib/libFreeWRL.so
freewrl /usr/lib/libFreeWRL.so.2
freewrl /usr/lib/libFreeWRL.so.2.3.3
freewrl /usr/lib/libFreeWRLEAI.so
freewrl /usr/lib/libFreeWRLEAI.so.2
freewrl /usr/lib/libFreeWRLEAI.so.2.3.3
freewrl /usr/lib/mozilla/
freewrl /usr/lib/mozilla/plugins/
freewrl /usr/lib/mozilla/plugins/libFreeWRLplugin.so
freewrl /usr/lib/pkgconfig/
freewrl /usr/lib/pkgconfig/libFreeWRL.pc
freewrl /usr/lib/pkgconfig/libFreeWRLEAI.pc
freewrl /usr/share/
freewrl /usr/share/applications/
freewrl /usr/share/applications/freewrl.desktop
freewrl /usr/share/man/
freewrl /usr/share/man/man1/
freewrl /usr/share/man/man1/freewrl.1.gz
freewrl /usr/share/pixmaps/
freewrl /usr/share/pixmaps/freewrl.png

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap [1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [2]:https://tracker.debian.org/pkg/xulrunner

AnySecurity IssueVery HighCritical [xulrunner] unmaintained and unsupportable Closed
100%
Task Description

Remove “xulrunner”[0][1] is unsecure/abandonware package

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner Licenses : MPL GPL LGPL Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [1]:https://tracker.debian.org/pkg/xulrunner

AnyFreedom IssueVery HighCritical [cmake-fedora] useful only for non-FSDG distros Closed
100%
Task Description

$ pacman -Si cmake-fedora
Repository : community
Name : cmake-fedora
Version : 2.7.1-3
Description : CMake helper modules for fedora developers
Architecture : any
URL : https://pagure.io/cmake-fedora Licenses : custom:BSD
Groups : None
Provides : None
Depends On : cmake
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 90.94 KiB
Installed Size : 422.00 KiB
Packager : Felix Yan felixonmars@archlinux.org Build Date : Mon 17 Apr 2017 06:39:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

AnyFreedom IssueVery HighCritical [cataclysm-dda] uses CC BY-SA for software Closed
100%
Task Description

Cataclysm-DDA contains a problematic license[0][1][2] for software.
Uses “Creative Commons Attribution-ShareAlike 3.0 Unported License”.

$ pacman -Si cataclysm-dda
Repository : community
Name : cataclysm-dda
Version : 0.C-3
Description : A post-apocalyptic roguelike.
Architecture : x86_64
URL : http://en.cataclysmdda.com/ Licenses : CCPL:by-sa
Groups : None
Provides : None
Depends On : ncurses lua
Optional Deps : sdl2_image: for tiles

                sdl2_ttf: for tiles
                freetype2: for tiles
                sdl2_mixer: for tiles

Conflicts With : None
Replaces : None
Download Size : 19.33 MiB
Installed Size : 53.32 MiB
Packager : Felix Yan felixonmars@archlinux.org Build Date : Mon 07 Dec 2015 03:14:02 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://github.com/CleverRaven/Cataclysm-DDA/blob/master/LICENSE.txt [1]:https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software [2]:https://www.gnu.org/licenses/license-list.html#ccbysa

AnySecurity IssueVery HighCritical [midori] unmaintained and unsupportable Closed
100%
Task Description

The developer team is discussing the removal of Midori from Debian repositories.

Jeremy Bicha says:


> The final stable release of Midori still uses the unmaintained WebKit1
> instead of webkit2gtk and therefore the browser suffers from numerous
> known security vulnerabilities. Midori now fails to build with vala
> 0.36 which is in Ubuntu 17.10 Alpha and will be in Debian unstable
> once it clears the Debian new queue.
> https://launchpad.net/bugs/1698483 .

See a complete discussion here.

AnySecurity IssueVery HighCritical [w3m] unmaintained and unsupportable Closed
100%
Task Description

w3m is an unmaintained and unsuportable software, the latest release was 0.5.3 (2011)[0][1][2][3]

$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/ Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot jgc@archlinux.org Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature

[0]:https://sourceforge.net/projects/w3m/files/w3m/ [1]:https://security.archlinux.org/package/w3m [2]:https://tracker.debian.org/pkg/w3m [3]:https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m

AnySecurity IssueVery HighCritical [pam] pam_unix2 is orphaned and dead upstream Closed
100%
Task Description

pam_unix2 was removed from Debian Jessie because it’s buggy and unmaintained [0]

It’s included inside pam package and should be removed since it doesn’t comes from official source. Also the original upstream FTP directory (ftp://ftp.suse.com/people/kukuk/pam/pam_unix2) has disappeared.

[0]:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628848

$ pacman -Si pam
Repository : core
Name : pam
Version : 1.3.0-1
Description : PAM (Pluggable Authentication Modules) library
Architecture : x86_64
URL : http://linux-pam.org Licenses : GPL2
Groups : None
Provides : None
Depends On : glibc cracklib libtirpc pambase
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 609.71 KiB
Installed Size : 2980.00 KiB
Packager : Tobias Powalowski tpowa@archlinux.org Build Date : Thu 09 Jun 2016 02:44:03 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Ql pam > pam_fileslist.txt

AnySecurity IssueVery HighCritical [wpa_supplicant] vulnerable to KRAK attack Closed
100%
Task Description

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

AnyFreedom IssueVery HighCritical [kodi] contains youtube-dl which runs non-free scripts Closed
100%
Task Description

Please replace by avideo, preferably by a release which receives updates so that it can still function within kodi (the non-LTS version).

Replace by LTS version of avideo to follow Hyperbola Packaging Guidelines.

AnySecurity IssueVery HighCritical [dillo] enable IPv6, SSL/TLS and threaded DNS support Closed
100%
Task Description

Please move dillo to blacklist. Please enable IPv6, SSL/TLS and threaded DNS support.

1- Arch PKGBUILD problems:

 a- not obtain source via https
 b- not compiled with support --enable-ipv6 --enable-threaded-dns --enable-ssl 

My correction is committed in NAB-packages-community

TestingPrivacy IssueVery HighCritical [abiword] remove AltaVista's Babel Fish translator supp ...Closed
100%
Task Description

Abiword supports the defunct AltaVista’s Babel Fish translator which queries are redirected to the main Yahoo! page.

...

build() {
  cd $pkgname-$pkgver
  ./configure --prefix=/usr \
    --enable-shared \
    --disable-static \
    --enable-clipart \
    --enable-templates \
    --enable-plugins="aiksaurus applix **babelfish** bmp clarisworks collab docbook \
                      eml epub freetranslation garble gdict gimp goffice grammar \
                      hancom hrtext iscii kword latex loadbindings mathview mht \
                      mif mswrite opendocument openwriter openxml opml ots paint \
                      passepartout pdb pdf presentation psion s5 sdw t602 urldict \
                      wikipedia wmf wml wordperfect wpg xslfo" \
    --enable-introspection
  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
  make
}

...
AnyPrivacy IssueVery HighCritical [libreoffice*] contains Google API keys Closed
100%
Task Description

Libreoffice contains Google API keys which affects privacy.

AnyFreedom IssueVery HighCritical  [aarch64-linux-gnu-linux-api-headers] compiles using b ...Closed
100%
Task Description

The aarch64-linux-gnu-linux-api-headers from [community] is compiled using the blobbed Linux kernel sources[0], and in Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1].
This issue is exactly the same as linux-api-headers, so it should be blacklisted and replaced using the Linux-libre source.

[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD

[1]https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662

AnyFreedom IssueVery HighCritical  [aarch64-linux-gnu-linux-api-headers] compiles using b ...Closed
100%
Task Description

The aarch64-linux-gnu-linux-api-headers package from [community] compiles using the blobbed Linux kernel source[0], at Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1], since this issue is exactly the same as with linux-api-headers.

The solution is to simply compile using Linux-libre sources.

[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD

[1] https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662

AnySecurity IssueVery HighCritical [linux-libre-lts*] Meltdown & Spectre Vulnerability Closed
100%
Task Description

Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.

AnySecurity IssueVery HighCritical [libressl] add package as OpenSSL replacement and defau ...Closed
100%
Task Description

LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

It was forked from the OpenSSL in April 2014 as a response by OpenBSD developers to the Heartbleed security vulnerability in OpenSSL, [4] [5] [6] [7] with the aim of refactoring the OpenSSL code so as to provide a more secure implementation. [8]

As LibreSSL follow the same goals than Hyperbola Packaging Guidelines in stability and security concerns, it should be the default provider of SSL and TLS protocols for Hyperbola Project.

AnySecurity IssueVery HighCritical [avahi] blacklist package since it's a zeroconf impleme ...Closed
100%
Task Description

Avahi is a zero-configuration networking implementation that contains critical security issues because mDNS operates under a different trust model than unicast DNS trusting the entire network rather than a designated DNS server, it is vulnerable to spoofing attacks by any system within the multicast IP range. Like SNMP and many other network management protocols, it can also be used by attackers to quickly gain detailed knowledge of the network and its machines. [0]

Since it violates the Hyperbola Social Contract , Avahi should be blacklisted.

AnySecurity IssueVery HighCritical [electrum] JSONRPC vulnerability Closed
100%
Task Description

Our current version is vulnerable

AnyPrivacy IssueVery HighCritical [openrc] Google in init.d and conf.d configuration (ne ...Closed
100%
Task Description
/etc/init.d/net-online
-----
Line #62
ping_test_host="${ping_test_host:-google.com}"
_____
/etc/conf.d/net-online
-----
# The default is google.com.
AnySecurity IssueVery HighCritical [mupdf] multiple security issues Closed
100%
Task Description

Summary

The package mupdf is vulnerable to multiple issues including arbitrary code execution and denial of service via CVE-2018-6544, CVE-2018-6192, CVE-2018-6187, CVE-2018-5686 and CVE-2018-1000051.

Package Information

$ pacman -Si mupdf
Repositorio               : community
Nombre                    : mupdf
Versión                   : 1.11-1
Descripción               : Lightweight PDF and XPS viewer
Arquitectura              : x86_64
URL                       : http://mupdf.com
Licencias                 : AGPL3
Grupos                    : Nada
Provee                    : Nada
Depende de                : curl  desktop-file-utils  freetype2  harfbuzz  jbig2dec  libjpeg  openjpeg2  openssl
Dependencias opcionales   : Nada
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 18,18 MiB
Tamaño de la instalación  : 33,03 MiB
Encargado                 : Christian Hesse <arch@eworm.de>
Fecha de creación         : mar 11 abr 2017 05:22:41 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

References

AnyReplace RequestVery HighCritical [dnscrypt-proxy] update package to 2.x following backpo ...Closed
100%
Task Description

Since DNSCrypt-Proxy project has been abandoned [0] , DNSCrypt-Proxy 2 [1] should be used as its source replacement, however DNSCrypt-Proxy 2 contains support for unsafe and dangerous for privacy protocols such as Google. [2] [3] [4] Also, it contains Google recommendation and support through its parental control servers and public resolvers lists [5] [6]

Therefore DNSCrypt-Proxy 2 requires be re-forked by us first to follow our social contract.

AnyReplace RequestVery HighCritical [kernel-firmware] split out firmware projects from linu ...Closed
100%
Task Description

Since Linux 4.14, the in-tree kernel firmware was dropped[0][1], and Hyperbola uses linux-libre-lts-firmware from 4.9 which still supports that firmware.

However, I’d like to request upgrading to the new libre replacement of linux-firmware.git: linux-libre-firmware[2][3].

This version has no LTS releases (well, firmwares commonly don’t have LTS versions and the in-tree firmware was always the same in post-4.9 generations), but it has the same firmwares as Linux-libre-lts plus some others.

This is the list of firmware files in linux-libre-lts-firmware and its dependencies:

linux-libre-lts-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
ath9k-htc-firmware
---
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
openfwwf
---
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw

And here are the firmware files of the new linux-libre-firmware:

linux-libre-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw
/usr/lib/firmware/carl9170-1.fw
/usr/lib/firmware/cis/3CCFEM556.cis
/usr/lib/firmware/cis/3CXEM556.cis
/usr/lib/firmware/cis/COMpad2.cis
/usr/lib/firmware/cis/COMpad4.cis
/usr/lib/firmware/cis/DP83903.cis
/usr/lib/firmware/cis/LA-PCM.cis
/usr/lib/firmware/cis/MT5634ZLX.cis
/usr/lib/firmware/cis/NE2K.cis
/usr/lib/firmware/cis/PCMLM28.cis
/usr/lib/firmware/cis/PE-200.cis
/usr/lib/firmware/cis/PE520.cis
/usr/lib/firmware/cis/RS-COM-2P.cis
/usr/lib/firmware/cis/SW_555_SER.cis
/usr/lib/firmware/cis/SW_7xx_SER.cis
/usr/lib/firmware/cis/SW_8xx_SER.cis
/usr/lib/firmware/cis/tamarack.cis
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
/usr/lib/firmware/isci/isci_firmware.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
/usr/lib/firmware/usbdux_firmware.bin
/usr/lib/firmware/usbduxfast_firmware.bin
/usr/lib/firmware/usbduxsigma_firmware.bin

It has openfwwf and ath9k-htc-firmware included, plus some others. If actual versions of Hyperbola don’t get the update at least consider it for future releases. You can get the new PKGBUILD[4] and its new build dependencies at Parabola’s abslibre.git libre tree[5]

The new dependencies are:

  • sh-elf-gcc (which depends on sh-elf-binutils)
  • sh-elf-newlib
  • arm-linux-gnueabi-gcc (which depends on arm-linux-gnueabi-binutils)
  • xtensa-unknown-elf-gcc (already at Hyperbola)

Sources:

[0] https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.14-Migrates-Out-FW
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38923a068c10fc36ca8f596d650d095ce390b85
[2] https://jxself.org/firmware/
[3] https://jxself.org/git/?p=linux-libre-firmware.git
[4] https://git.parabola.nu/abslibre.git/tree/libre/linux-libre-firmware
[5] https://git.parabola.nu/abslibre.git/tree/libre


Updated Note:

Since Linux-libre-firmware contains a lot of independent firmware, tools and assembly projects, it should be built from its official tarball separately and create a group called kernel-firmware to follow the our packaging guidelines. Tools and assembly projects shouldn’t be included in kernel-firmware since those ones are firmware dependencies.

AnyUpdate RequestVery HighCritical [certbot] update package to support ACMEv2 and Wildcard Closed
100%
Task Description

Since certbot v0.22.0[0] there’s support for ACMEv2 and Wildcard. This is an important update since wildcard SSL certificates can make server security and maintaince easier by supporting all subdomains of a base domain.

Debian Stretch (stable) uses certbot 0.10.2 but there’s 0.23.0 in stretch-backports repository[1]. So I’d like to request an update or a backport of certbot and its dependencies.

These are the actual packages versions from Hyperbola and Arch:

  • certbot (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
  • python-acme (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
  • python-configargparse (0.12.0-1) / Hyperbola version ⇒ (0.11.0-2) [=]
  • python-parsedatetime (2.4-1) / Hyperbola version ⇒ (2.3-1) [x]
  • python-pbr (4.0.2-1) / Hyperbola version ⇒ (3.0.0-1) [<]
  • python-pytz (2018.4-1) / Hyperbola version ⇒ (2017.2-1) [<]
  • python-zope-component (4.4.1-1) / Hyperbola version ⇒ (4.3.0-2) [=]
  • python-zope-event (4.3.0-1) / Hyperbola version ⇒ (4.2.0-2) [=]

NOTE: packages marked with an “[x]” means that the pkg has Debian Stretch backports of the proposed updated version. The “[=]” means that Debian has no backports but uses the same version of the pkg as Hyperbola. The [<] means the Debian Version lower than Hyperbola’s Version.

The packages that may get the update should be only the ones marked with an [x], if we follow the Debian Stretch devel. If certbot gets the update, then the following Arch packages need to be added for obtaining wildcard certificates throught the DNS challenge:

  • certbot-dns-cloudflare
  • certbot-dns-cloudxns
  • certbot-dns-digitalocean
  • certbot-dns-dnsimple
  • certbot-dns-dnsmadeeasy
  • certbot-dns-luadns
  • certbot-dns-nsone
  • certbot-dns-rfc2136
  • certbot-dns-route53

I ommited certbot-dns-google since it’s not compatible with the Hyperbola Packaging Guidelines.

[0] https://community.letsencrypt.org/t/certbot-0-22-0-release-with-acmev2-and-wildcard-support/55061
[1] https://packages.debian.org/search?keywords=certbot

AnyBug ReportVery HighCritical [warsow] the package is not compiled from source Closed
100%
Task Description

The package is not compiled from source

AnyFreedom IssueVery HighCritical [warsow-data] the package contains nonfree assets (CC B ...Closed
100%
Task Description

The package contains nonfree assets:
data0_000_nonfree_21.pk3
data0_000_nonfree_21pure.pk3
tex_000_nonfree.pk3

AnyFreedom IssueVery HighCritical [torcs-data] contains nonfree car models Closed
100%
Task Description

The package contains nonfree car models

AnyFreedom IssueVery HighCritical [vdrift-data] contains nonfree car and track models Closed
100%
Task Description

The package contains nonfree car and track models

StableBug ReportVery HighCritical [openrc] Cowardly refusing to concatenate a logfile int ...Closed
100%
Task Description

Since the update of openrc to 0.28-11 this morning something fails during boot process as I get the following error message:

Cowardly refusing to concatenate a logfile into itself.
Please change rc_log_path to something other than /var/log/rc.log get rid of this message

But why would I do that?

Besides, once the boot process is finished, I am unable to switch between TTY consoles as I used to using Ctrl-Alt + F1-Fx. I don’t get the login prompt anymore.

AnyFreedom IssueVery HighCritical [warsow] contains Steam support Closed
100%
Task Description

Warsow contains a library called steamlib which is built from the source. It’s useful only for Steam support which is nonfree software.

AnySecurity IssueVery HighCritical [xen] multiple security issues: CVE-2018-10472, CVE-201 ...Closed
100%
Task Description

http://openwall.com/lists/oss-security/2018/04/30/1 http://openwall.com/lists/oss-security/2018/04/30/1 An attacker supplying a crafted CDROM image can read any file (or
device node) on the dom0 filesystem with the permissions of the qemu
devicemodel process. (The virtual CDROM device is read-only, so
no data can be written.)

http://openwall.com/lists/oss-security/2018/04/30/2 A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host.

http://openwall.com/lists/oss-security/2018/05/11/1 A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host. Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.

http://openwall.com/lists/oss-security/2018/05/11/2

[critical]
A malicious or buggy HVM guest may cause a hypervisor crash, resulting
in a Denial of Service (DoS) affecting the entire host. Privilege
escalation, or information leaks, cannot be excluded.

Patches provided by upstream.

AnySecurity IssueVery HighCritical [wget] - GNU Wget Cookie Injection CVE-2018-0494 Closed
100%
Task Description

An external attacker is able to inject arbitrary cookie values cookie jar file,
adding new or replacing existing cookie values.
http://openwall.com/lists/oss-security/2018/05/06/1

Fixed in GNU Wget 1.19.5 or later.

AnyFreedom IssueVery HighCritical [rust][cargo] trademark agreement affects user freedom Closed
100%
Task Description
Uses that require explicit approval
Distributing a modified version of the Rust programming language or the Cargo package manager and calling it Rust or Cargo requires explicit, written permission from the Rust core team. We will usually allow these uses as long as the modifications are (1) relatively small and (2) very clearly communicated to end-users.
Selling t-shirts, hats, and other artwork or merchandise requires explicit, written permission from the Rust core team. We will usually allow these uses as long as (1) it is clearly communicated that the merchandise is not in any way an official part of the Rust project and (2) it is clearly communicated whether profits benefit the Rust project.
Using the Rust trademarks within another trademark requires written permission from the Rust core team except as described above.

Since it violates the freedom to redistribute without “explicit” approval, this is a freedom issue.

AnyDrop RequestVery HighCritical [cgmanager] unmaintained and unsupportable Closed
100%
Task Description

The CGManager project has been deprecated in favor of using the kernel’s CGroup Namespace or lxcfs’ simulated cgroupfs.

See https://s3hh.wordpress.com/2016/06/18/whither-cgmanager/ for details.

AnyDrop RequestVery HighCritical [pm-utils] unmaintained and unsupportable Closed
100%
Task Description

pm-utils is no longer maintained from a long time . Therefore, it should be removed from repos since Hyperbola contains an amendment about anti-abandonware through its packaging guidelines .

AnySecurity IssueVery HighCritical [networkmanager] CVE-2018-1111: DHCP client script code ...Closed
100%
Task Description

A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.

AnyFreedom IssueVery HighCritical [pacman] uses "Linux" term instead of "GNU/Linux" in it ...Closed
100%
Task Description

The man page of pacman says:

DESCRIPTION
        Pacman is a package management utility that tracks installed packages on a Linux
        system

And I propose to change “Linux system” to “GNU/Linux system”.

AnyFreedom IssueVery HighCritical [xmind] is probably directing users to proprietary soft ...Closed
100%
Task Description

xmind when installed is showing that “this version is not licensed”, so that cannot be right. Even though there is GPL license on Github, that vague information in the software can and is wrongly understood:

Further it is asking for license key to get the “Pro” version.

Thus xmind is pointing to proprietary software.

That means xmind shall be removed from Hyperbola immediately as such as it is now cannot be in the fully free GNU distribution.

AnyFreedom IssueVery HighCritical [luminancehdr] depends on non-free qt5-webengine Closed
100%
Task Description

Please repackage or replace with free software which provides similar functionality such as MacroFusion (which is available in the AUR).

The package cannot be installed. Here is the terminal output:

$ sudo pacman -S luminancehdr
resolving dependencies...
warning: cannot resolve "qt5-webengine", a dependency of "luminancehdr"
:: The following package cannot be upgraded due to unresolvable dependencies:
      luminancehdr

:: Do you want to skip the above package for this upgrade? [y/N] y
looking for conflicting packages...
 there is nothing to do
AnyFreedom IssueVery HighCritical [bluegriffon] contains support to nonfree "Extended Fea ...Closed
100%
Task Description

BlueGriffon contains support to nonfree “Extended Features”

$ pacman -Qi bluegriffon
Name            : bluegriffon
Version         : 2.3.1-2
Description     : The next-generation Web Editor based on the rendering engine of Firefox
Architecture    : x86_64
URL             : http://bluegriffon.org/
Licenses        : MPL  GPL  LGPL
Groups          : None
Provides        : None
Depends On      : alsa-lib  desktop-file-utils  dbus-glib  gtk2  gtk3  hunspell  mozilla-common  nss  libevent  libvpx  libxt  python2  startup-notification
Optional Deps   : None
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 120.72 MiB
Packager        : Evangelos Foutras <evangelos@foutrelis.com>
Build Date      : Tue 25 Apr 2017 12:22:30 PM -03
Install Date    : Wed 08 Nov 2017 12:46:24 AM -03
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature
AnyPrivacy IssueVery HighCritical [purple-facebook] only useful with Facebook service Closed
100%
Task Description

Description:

community/purple-facebook 0.9.3-1
    Facebook protocol plugin for libpurple

It is up to maintainers to decide of course. IMHO I would remove this one as it uses proprietary network Facebook, exclusively, and even mentioning the word in the package.

See:
https://www.gnu.org/distros/free-system-distribution-guidelines.html

A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so.

AnyPrivacy IssueVery HighCritical [cutegram] only useful with Telegram service Closed
100%
Task Description

Description:
Cutegram is a Telegram client. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si cutegram
Repository      : community
Name            : cutegram
Version         : 2.7.1-3
Description     : A different telegram client from Aseman team
Architecture    : x86_64
URL             : http://aseman.co/en/products/cutegram/
Licenses        : GPL
Groups          : None
Provides        : cutegram
Depends On      : qt5-imageformats  qt5-webkit  telegramqml>=0.9.1  libqtelegram-ae>=3:6.1
Optional Deps   : gst-plugins-bad: audio support
                  gst-plugins-good: audio and notification sound
Conflicts With  : cutegram-git  sigram-git  sigram  cutegram
Replaces        : cutegram-cn
Download Size   : 12.03 MiB
Installed Size  : 17.07 MiB
Packager        : Jiachen Yang <farseerfc@gmail.com>
Build Date      : Mon 25 Jan 2016 05:59:04 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
AnyPrivacy IssueVery HighCritical [libqtelegram-ae] only useful with Telegram service Closed
100%
Task Description

Description:
libqtelegram-ae is Telegram library written in Qt based on telegram-cli code. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si libqtelegram-ae
Repository      : community
Name            : libqtelegram-ae
Version         : 3:6.1-4
Description     : Telegram library written in Qt based on telegram-cli code
Architecture    : x86_64
URL             : https://launchpad.net/libqtelegram
Licenses        : GPL3
Groups          : None
Provides        : None
Depends On      : qt5-base  qt5-multimedia
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 431.27 KiB
Installed Size  : 1999.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Wed 05 Apr 2017 07:16:39 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
AnyPrivacy IssueVery HighCritical [telegram-qt] only useful with Telegram service Closed
100%
Task Description

Description:
TelegramQt is a Telegram binding for Qt. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telegram-qt
Repository      : community
Name            : telegram-qt
Version         : 0.1.0-2
Description     : Qt bindings for the Telegram protocol
Architecture    : x86_64
URL             : https://github.com/Kaffeine/telegram-qt
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : qt5-base
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 204.80 KiB
Installed Size  : 747.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Sat 18 Feb 2017 06:49:55 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
AnyPrivacy IssueVery HighCritical [telegramqml] only useful with Telegram service Closed
100%
Task Description

Description:
TelegramQML are Telegram API tools for QtQml and Qml. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telegramqml
Repository      : community
Name            : telegramqml
Version         : 0.9.2-2
Description     : Telegram API tools for QtQml and Qml
Architecture    : x86_64
URL             : https://github.com/Aseman-Land/TelegramQML
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : qt5-webkit  qt5-imageformats  qt5-graphicaleffects  qt5-quickcontrols  libqtelegram-ae
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 401.03 KiB
Installed Size  : 1905.00 KiB
Packager        : Jiachen Yang <farseerfc@gmail.com>
Build Date      : Mon 25 Jan 2016 05:46:59 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
AnyPrivacy IssueVery HighCritical [telepathy-morse] only useful with Telegram service Closed
100%
Task Description

Description:
Telepathy-Morse is a Qt-based Telegram connection manager for the Telepathy framework. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telepathy-morse
Repository      : community
Name            : telepathy-morse
Version         : 0.1.0-1
Description     : Telepathy Connection Manager for the Telegram network
Architecture    : x86_64
URL             : https://github.com/TelepathyQt/telepathy-morse
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : telepathy-qt5  telegram-qt
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 90.80 KiB
Installed Size  : 351.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Fri 16 Sep 2016 11:49:33 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
AnyPrivacy IssueVery HighCritical [telepathy-kde-accounts-kcm] recommends Telepathy-Morse ...Closed
100%
Task Description

Description:
telepathy-kde-accounts-kcm contains the telepathy-morse package in its optdepends array. It should be removed since Telepathy-Morse provides support for Telegram, a nonfree server-side service that requires accounts tied to telephone numbers.

Additional info:

$ pacman -Si telepathy-kde-accounts-kcm
Repository      : extra
Name            : telepathy-kde-accounts-kcm
Version         : 17.04.0-1
Description     : KCM Module for configuring Telepathy Instant Messaging Accounts
Architecture    : x86_64
URL             : https://community.kde.org/Real-Time_Communication_and_Collaboration
Licenses        : GPL
Groups          : kde-applications  kdenetwork  telepathy-kde
Provides        : None
Depends On      : telepathy-qt  kaccounts-providers
Optional Deps   : telepathy-gabble: XMPP/Jabber accounts support
                  telepathy-haze: account types supported by Pidgin/libpurple
                  telepathy-morse: Telegram accounts support
                  telepathy-salut: link-local XMPP account support
Conflicts With  : None
Replaces        : None
Download Size   : 334.86 KiB
Installed Size  : 2111.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Sat 15 Apr 2017 06:47:59 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature
AnyBug ReportVery HighCritical [grub] remove the "placeholder" entry in /etc/grub.d/20 ...Closed
100%
Task Description

Description:

  • Remove the “placeholder” entry in /etc/grub.d/20_linux_xen since it has been removed from Linux kernel.

Additional info:

  • grub 2:2.02-1.hyperbola3
/etc/grub.d/20_linux_xen
----
-       module  ${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args}
+       module  ${rel_dirname}/${basename} root=${linux_root_device_thisversion} ro ${args}
----
$ pacman -Si grub
Repository      : core
Name            : grub
Version         : 2:2.02-1.hyperbola3
Description     : GNU GRand Unified Bootloader (2), (Hyperbola rebranded)
Architecture    : x86_64
URL             : https://www.gnu.org/software/grub/
Licenses        : GPL3
Groups          : None
Provides        : grub-common  grub-bios  grub-emu  grub-efi-x86_64
Depends On      : sh  xz  gettext  device-mapper
Optional Deps   : freetype2: For grub-mkfont usage
                  fuse: For grub-mount usage
                  dosfstools: For grub-mkrescue FAT FS and EFI support
                  efibootmgr: For grub-install EFI support
                  libisoburn: Provides xorriso for generating grub rescue iso using grub-mkrescue
                  os-prober: To detect other OSes when generating grub.cfg in BIOS systems
                  mtools: For grub-mkrescue FAT FS and EFI support
                  xen: For Xen Dom0 support
                  xen-docs: For Xen documentation
Conflicts With  : grub-common  grub-bios  grub-emu  grub-efi-x86_64  grub-legacy
Replaces        : grub-common  grub-bios  grub-emu  grub-efi-x86_64
Download Size   : 6.17 MiB
Installed Size  : 39.31 MiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Mon 20 Nov 2017 06:35:41 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

  • Turn on machine and then check Linux-libre kernel booting
AnyBug ReportVery HighCritical [openrc] rename "chroot-nspawn" keyword to "chroot+unsh ...Closed
100%
Task Description

Description:

Rename "chroot-nspawn" keyword to "chroot+unshare" one
because"chroot+unshare" subsystem (chroot and unshare command)
is more precise than "chroot-nspawn" (systemd-nspawn
compatibility script) subsystem.

The files with "chroot-nspawn" keyword are:
* /etc/init.d/binfmt
* /etc/init.d/bootmisc (as SYSTEMD-NSPAWN)
* /etc/init.d/consolefont
* /etc/init.d/devfs
* /etc/init.d/dmesg
* /etc/init.d/fsck
* /etc/init.d/hostname
* /etc/init.d/hwclock
* /etc/init.d/keymaps
* /etc/init.d/localmount
* /etc/init.d/loopback
* /etc/init.d/mtab
* /etc/init.d/modules
* /etc/init.d/modules-load
* /etc/init.d/mount-ro
* /etc/init.d/net-online
* /etc/init.d/netmount
* /etc/init.d/numlock
* /etc/init.d/procfs
* /etc/init.d/root
* /etc/init.d/swap
* /etc/init.d/swclock
* /etc/init.d/sysctl
* /etc/init.d/sysfs
* /etc/init.d/termencoding
* /etc/init.d/urandom
Note:
  chroot: run a command with special root directory
  unshare: isolate the command in a different "Linux namespace"

Additional info:

openrc 0.28-14

/etc/rc.conf


 # ""               - nothing special
 # "docker"         - Docker container manager (GNU/Linux)
 # "jail"           - Jail (DragonflyBSD or FreeBSD)
 # "lxc"            - Linux Containers
 # "openvz"         - Linux OpenVZ
 # "prefix"         - Prefix
 # "rkt"            - CoreOS container management system (GNU/Linux)
 # "subhurd"        - Hurd subhurds (to be checked)
-# "chroot-nspawn"  - Container created by chroot-nspawn
+# "chroot"         - Chroot container (to be checked)
+# "chroot+unshare" - Chroot container using unshare command (GNU/Linux)
 # "uml"            - Usermode Linux
 # "vserver"        - Linux vserver
-# "xen0"           - Xen0 Domain (GNU/Linux and NetBSD)
-# "xenU"           - XenU Domain (GNU/Linux and NetBSD)
+# "xen0"           - Xen0 Domain (GNU/HyperBK, GNU/Linux, FreeBSD and NetBSD)
+# "xenU"           - XenU Domain (GNU/Hurd, GNU/HyperBK, GNU/Linux, FreeBSD, NetBSD and OpenBSD)

$ pacman -Si openrc
Repository      : core
Name            : openrc
Version         : 0.28-14
Description     : A dependency based init system that works with the system provided init program
Architecture    : x86_64
URL             : https://wiki.gentoo.org/wiki/Project:OpenRC
Licenses        : BSD2
Groups          : None
Provides        : None
Depends On      : psmisc  pam
Optional Deps   : netifrc: network interface management scripts
                  networkmanager: network connection manager and user applications
Conflicts With  : None
Replaces        : None
Download Size   : 196.71 KiB
Installed Size  : 1767.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Mon 07 May 2018 03:54:42 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

Run OpenRC init
AnyBug ReportVery HighCritical [eudev] rename "systemd-nspawn" keyword to "chroot+unsh ...Closed
100%
Task Description

Description:

Rename "systemd-nspawn" keyword to "chroot+unshare" one.

The files with "systemd-nspawn" keyword are:
* /etc/init.d/udev
* /etc/init.d/udev-settle
* /etc/init.d/udev-trigger

Additional info:

eudev 3.2.5-1
$ pacman -Si eudev
Repository      : core
Name            : eudev
Version         : 3.2.5-1
Description     : The userspace dev tools (udev) forked by Gentoo, with OpenRC support
Architecture    : x86_64
URL             : https://wiki.gentoo.org/wiki/Project:Eudev
Licenses        : GPL
Groups          : None
Provides        : udev
Depends On      : libeudev  kbd  kmod  hwids  util-linux
Optional Deps   : None
Conflicts With  : udev
Replaces        : udev
Download Size   : 932.42 KiB
Installed Size  : 7069.00 KiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Thu 07 Dec 2017 11:45:57 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

Run OpenRC init
Showing tasks 1 - 50 of 1350 Page 1 of 271 - 2 - 3 - 4 - 5 - Last >>

Available keyboard shortcuts

Tasklist

Task Details

Task Editing