Packages

Since certbot v0.22.0[0] there’s support for ACMEv2 and Wildcard. This is an important update since wildcard SSL certificates can make server security and maintaince easier by supporting all subdomains of a base domain.

Debian Stretch (stable) uses certbot 0.10.2 but there’s 0.23.0 in stretch-backports repository[1]. So I’d like to request an update or a backport of certbot and its dependencies.

These are the actual packages versions from Hyperbola and Arch:

• certbot (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
• python-acme (0.23.0-1) / Hyperbola version ⇒ (0.14.0-1) [x]
• python-configargparse (0.12.0-1) / Hyperbola version ⇒ (0.11.0-2) [=]
• python-parsedatetime (2.4-1) / Hyperbola version ⇒ (2.3-1) [x]
• python-pbr (4.0.2-1) / Hyperbola version ⇒ (3.0.0-1) [<]
• python-pytz (2018.4-1) / Hyperbola version ⇒ (2017.2-1) [<]
• python-zope-component (4.4.1-1) / Hyperbola version ⇒ (4.3.0-2) [=]
• python-zope-event (4.3.0-1) / Hyperbola version ⇒ (4.2.0-2) [=]

NOTE: packages marked with an “[x]” means that the pkg has Debian Stretch backports of the proposed updated version. The “[=]” means that Debian has no backports but uses the same version of the pkg as Hyperbola. The [<] means the Debian Version lower than Hyperbola’s Version.

The packages that may get the update should be only the ones marked with an [x], if we follow the Debian Stretch devel. If certbot gets the update, then the following Arch packages need to be added for obtaining wildcard certificates throught the DNS challenge:

• certbot-dns-cloudflare
• certbot-dns-cloudxns
• certbot-dns-digitalocean
• certbot-dns-dnsimple
• certbot-dns-dnsmadeeasy
• certbot-dns-luadns
• certbot-dns-nsone
• certbot-dns-rfc2136
• certbot-dns-route53

I ommited certbot-dns-google since it’s not compatible with the Hyperbola Packaging Guidelines.

[0] https://community.letsencrypt.org/t/certbot-0-22-0-release-with-acmev2-and-wildcard-support/55061
[1] https://packages.debian.org/search?keywords=certbot

The package is not compiled from source

The package contains nonfree assets:
data0_000_nonfree_21.pk3
data0_000_nonfree_21pure.pk3
tex_000_nonfree.pk3

The package contains nonfree car models

The package contains nonfree car and track models

Warsow contains a library called steamlib which is built from the source. It’s useful only for Steam support which is nonfree software.

http://openwall.com/lists/oss-security/2018/04/30/1 http://openwall.com/lists/oss-security/2018/04/30/1 An attacker supplying a crafted CDROM image can read any file (or
device node) on the dom0 filesystem with the permissions of the qemu
devicemodel process. (The virtual CDROM device is read-only, so
no data can be written.)

http://openwall.com/lists/oss-security/2018/04/30/2 A malicious or buggy guest may cause a hypervisor crash, resulting in
a Denial of Service (DoS) affecting the entire host.

http://openwall.com/lists/oss-security/2018/05/11/1 A malicious unprivileged device model can cause a Denial of Service
(DoS) affecting the entire host. Specifically, it may prevent use of a
physical CPU for an indeterminate period of time.

http://openwall.com/lists/oss-security/2018/05/11/2

[critical]
A malicious or buggy HVM guest may cause a hypervisor crash, resulting
in a Denial of Service (DoS) affecting the entire host. Privilege
escalation, or information leaks, cannot be excluded.

Patches provided by upstream.

https://security-tracker.debian.org/tracker/CVE-2018-1088

http://openwall.com/lists/oss-security/2018/04/18/1

https://bugs.debian.org/896128

A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.

Upstream patches: https://review.gluster.org/#/c/19899/1..2

Fixed in: https://github.com/gluster/glusterfs/releases/tag/v4.0.2

An external attacker is able to inject arbitrary cookie values cookie jar file,
adding new or replacing existing cookie values.
http://openwall.com/lists/oss-security/2018/05/06/1

Fixed in GNU Wget 1.19.5 or later.

Uses that require explicit approval
Distributing a modified version of the Rust programming language or the Cargo package manager and calling it Rust or Cargo requires explicit, written permission from the Rust core team. We will usually allow these uses as long as the modifications are (1) relatively small and (2) very clearly communicated to end-users.
Selling t-shirts, hats, and other artwork or merchandise requires explicit, written permission from the Rust core team. We will usually allow these uses as long as (1) it is clearly communicated that the merchandise is not in any way an official part of the Rust project and (2) it is clearly communicated whether profits benefit the Rust project.
Using the Rust trademarks within another trademark requires written permission from the Rust core team except as described above.

Since it violates the freedom to redistribute without “explicit” approval, this is a freedom issue.

The CGManager project has been deprecated in favor of using the kernel’s CGroup Namespace or lxcfs’ simulated cgroupfs.

See https://s3hh.wordpress.com/2016/06/18/whither-cgmanager/ for details.

pm-utils is no longer maintained from a long time . Therefore, it should be removed from repos since Hyperbola contains an amendment about anti-abandonware through its packaging guidelines .

A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.

The man page of pacman says:

DESCRIPTION
        Pacman is a package management utility that tracks installed packages on a Linux
        system

And I propose to change “Linux system” to “GNU/Linux system”.

xmind when installed is showing that “this version is not licensed”, so that cannot be right. Even though there is GPL license on Github, that vague information in the software can and is wrongly understood:

Further it is asking for license key to get the “Pro” version.

Thus xmind is pointing to proprietary software.

That means xmind shall be removed from Hyperbola immediately as such as it is now cannot be in the fully free GNU distribution.

Please repackage or replace with free software which provides similar functionality such as MacroFusion (which is available in the AUR).

The package cannot be installed. Here is the terminal output:

$ sudo pacman -S luminancehdr
resolving dependencies...
warning: cannot resolve "qt5-webengine", a dependency of "luminancehdr"
:: The following package cannot be upgraded due to unresolvable dependencies:
      luminancehdr

:: Do you want to skip the above package for this upgrade? [y/N] y
looking for conflicting packages...
 there is nothing to do

BlueGriffon contains support to nonfree “Extended Features”

$ pacman -Qi bluegriffon
Name            : bluegriffon
Version         : 2.3.1-2
Description     : The next-generation Web Editor based on the rendering engine of Firefox
Architecture    : x86_64
URL             : http://bluegriffon.org/
Licenses        : MPL  GPL  LGPL
Groups          : None
Provides        : None
Depends On      : alsa-lib  desktop-file-utils  dbus-glib  gtk2  gtk3  hunspell  mozilla-common  nss  libevent  libvpx  libxt  python2  startup-notification
Optional Deps   : None
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 120.72 MiB
Packager        : Evangelos Foutras <evangelos@foutrelis.com>
Build Date      : Tue 25 Apr 2017 12:22:30 PM -03
Install Date    : Wed 08 Nov 2017 12:46:24 AM -03
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Description:

community/purple-facebook 0.9.3-1
    Facebook protocol plugin for libpurple

It is up to maintainers to decide of course. IMHO I would remove this one as it uses proprietary network Facebook, exclusively, and even mentioning the word in the package.

See:
https://www.gnu.org/distros/free-system-distribution-guidelines.html

A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so.

Description:
Cutegram is a Telegram client. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si cutegram
Repository      : community
Name            : cutegram
Version         : 2.7.1-3
Description     : A different telegram client from Aseman team
Architecture    : x86_64
URL             : http://aseman.co/en/products/cutegram/
Licenses        : GPL
Groups          : None
Provides        : cutegram
Depends On      : qt5-imageformats  qt5-webkit  telegramqml>=0.9.1  libqtelegram-ae>=3:6.1
Optional Deps   : gst-plugins-bad: audio support
                  gst-plugins-good: audio and notification sound
Conflicts With  : cutegram-git  sigram-git  sigram  cutegram
Replaces        : cutegram-cn
Download Size   : 12.03 MiB
Installed Size  : 17.07 MiB
Packager        : Jiachen Yang <farseerfc@gmail.com>
Build Date      : Mon 25 Jan 2016 05:59:04 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
libqtelegram-ae is Telegram library written in Qt based on telegram-cli code. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si libqtelegram-ae
Repository      : community
Name            : libqtelegram-ae
Version         : 3:6.1-4
Description     : Telegram library written in Qt based on telegram-cli code
Architecture    : x86_64
URL             : https://launchpad.net/libqtelegram
Licenses        : GPL3
Groups          : None
Provides        : None
Depends On      : qt5-base  qt5-multimedia
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 431.27 KiB
Installed Size  : 1999.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Wed 05 Apr 2017 07:16:39 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
TelegramQt is a Telegram binding for Qt. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telegram-qt
Repository      : community
Name            : telegram-qt
Version         : 0.1.0-2
Description     : Qt bindings for the Telegram protocol
Architecture    : x86_64
URL             : https://github.com/Kaffeine/telegram-qt
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : qt5-base
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 204.80 KiB
Installed Size  : 747.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Sat 18 Feb 2017 06:49:55 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
TelegramQML are Telegram API tools for QtQml and Qml. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telegramqml
Repository      : community
Name            : telegramqml
Version         : 0.9.2-2
Description     : Telegram API tools for QtQml and Qml
Architecture    : x86_64
URL             : https://github.com/Aseman-Land/TelegramQML
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : qt5-webkit  qt5-imageformats  qt5-graphicaleffects  qt5-quickcontrols  libqtelegram-ae
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 401.03 KiB
Installed Size  : 1905.00 KiB
Packager        : Jiachen Yang <farseerfc@gmail.com>
Build Date      : Mon 25 Jan 2016 05:46:59 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
Telepathy-Morse is a Qt-based Telegram connection manager for the Telepathy framework. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telepathy-morse
Repository      : community
Name            : telepathy-morse
Version         : 0.1.0-1
Description     : Telepathy Connection Manager for the Telegram network
Architecture    : x86_64
URL             : https://github.com/TelepathyQt/telepathy-morse
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : telepathy-qt5  telegram-qt
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 90.80 KiB
Installed Size  : 351.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Fri 16 Sep 2016 11:49:33 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
telepathy-kde-accounts-kcm contains the telepathy-morse package in its optdepends array. It should be removed since Telepathy-Morse provides support for Telegram, a nonfree server-side service that requires accounts tied to telephone numbers.

Additional info:

$ pacman -Si telepathy-kde-accounts-kcm
Repository      : extra
Name            : telepathy-kde-accounts-kcm
Version         : 17.04.0-1
Description     : KCM Module for configuring Telepathy Instant Messaging Accounts
Architecture    : x86_64
URL             : https://community.kde.org/Real-Time_Communication_and_Collaboration
Licenses        : GPL
Groups          : kde-applications  kdenetwork  telepathy-kde
Provides        : None
Depends On      : telepathy-qt  kaccounts-providers
Optional Deps   : telepathy-gabble: XMPP/Jabber accounts support
                  telepathy-haze: account types supported by Pidgin/libpurple
                  telepathy-morse: Telegram accounts support
                  telepathy-salut: link-local XMPP account support
Conflicts With  : None
Replaces        : None
Download Size   : 334.86 KiB
Installed Size  : 2111.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Sat 15 Apr 2017 06:47:59 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
The light-locker package returns error while tries load shared library libsystemd.so.0.

Additional info:
* package version(s): light-locker-1.6.0-3

Steps to reproduce:

1. Install the package:

  $ sudo pacman -S light-locker
  

1. Run it:

  $ light-locker
  

1. Then, you get the following message:

  light-locker: error while loading shared libraries: libsystemd.so.0: cannot open shared object file: No such file or directory