|
Any | Freedom Issue | Very High | Critical | [supertuxkart] remove nonfree Ubuntu Font Family fonts | Closed | |
Task Description
In versions 0.9.3 and 1.0, there are several added and changed (new or existing) features and functions, and fixed bugs, crashes and other issues.
But the critical part is that it contains non-libre/free Ubuntu font files with a licensing issue, according to the issue: https://github.com/supertuxkart/stk-code/issues/2570
See those two sections in the version history releases for more details: https://github.com/supertuxkart/stk-code/blob/master/CHANGELOG.md
|
|
Any | Freedom Issue | Very Low | Critical | [flatpak] Access to proprietary applications | Closed | |
Task Description
Description:
Additional info: * 0.9.10-2.hyperbola2
Steps to reproduce: Flatpak gives access to interesting features for the deployment of applications, but in fact it also gives access to proprietary applications like Skype (https://flathub.org/apps/details/com.skype.Client), Steam (https://flathub.org/apps/details/com.valvesoftware.Steam) and many more. So it should be checked whether this should be part of the repositories within an open, libre distribution. From my point of view this violates the freedom of users, because there can be no tolerance of intolerance, even regarding this.
|
|
Any | Bug Report | Very Low | Critical | [msmtp] needs libressl | Closed | |
Task Description
Description:
I may be wrong for I did not migrate to 0.3 as of yet, but I think that `msmtp` has been forgotten and needs to be recompiled with `libressl`.
Please remove this report if I am mistaken.
|
|
Any | Bug Report | Very High | Critical | [cups] [cups-filters] ServerBin directory inconsistency | Closed | |
Task Description
As the default path of the ServerBin directory is now /usr/libexec/bin:
1. cups-files.conf should be modified/adapted accordingly.
2. The contents of /usr/lib/cups, which are currently owned by cups-filters, cups-pdf, foomatic-db-engine and smbclient, should be moved to /usr/libexec/cups.
As it is, cups doesn’t work in v0.3.
|
|
Any | Freedom Issue | Very High | Critical | [clementine] using non-free services and interfaces | Closed | |
Task Description
The audio player Clementine uses interfaces for non-free services like Dropbox, Google Drive, OneDrive, Subsonic and VK.com for storage and accessing files. So of course the software is licensed under the GPL, therefore Copyleft and free, libre software in the first place, but it is also using anti-features with those interfaces to the mentioned unfree services later on.
So the proposal would be: creating a fork that removes those interfaces, or otherwise removing the whole package.
|
|
Any | Freedom Issue | Very High | Critical | [gens] contains nonfree Starscream code | Closed | |
Task Description
Gens contains nonfree Starscream code
$ pacman -Si gens
Repository : multilib
Name : gens
Version : 2.15.5-10
Description : A Sega Genesis / Sega CD / Sega 32X emulator
Architecture : x86_64
URL : http://gens.sourceforge.net
Licenses : GPL
Groups : None
Provides : None
Depends On : lib32-gtk2 lib32-sdl
Optional Deps : lib32-alsa-plugins: Sound support for PulseAudio
lib32-libpulse: Sound support for PulseAudio
Conflicts With : None
Replaces : None
Download Size : 359.08 KiB
Installed Size : 1948.00 KiB
Packager : Maxime Gauduin <alucryd@gmail.com>
Build Date : Wed 21 Aug 2013 03:24:58 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature
Starscream License:
-----------------------------------------------------------------------------
Starscream 680x0 emulation library Custom version S0.26d
Copyright 1997, 1998, 1999 Neill Corlett
Modified by Stéphane Dallongeville
Used for the sub 68000 CPU emulation in Gens.
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
0. Terms of Use
-----------------------------------------------------------------------------
"Starscream" refers to the following files:
* STAR.C
* STARCPU.H
* CPUDEBUG.C
* CPUDEBUG.H
* STARDOC.TXT
* any object file or executable compiled from the above
* any source code generated from STAR.C, or object file assembled from such
code
Starscream may be distributed freely in unmodified form, as long as this
documentation is included.
No money, goods, or services may be charged or solicited for Starscream, or
any emulator or other program which includes Starscream, in whole or in part.
Using Starscream in a shareware or commercial application is forbidden.
Contact Neill Corlett (corlett@elwha.nrrc.ncsu.edu) if you'd like to license
Starscream for commercial use.
Any program which uses Starscream must include the following credit text, in
its documentation or in the program itself:
"Starscream 680x0 emulation library by Neill Corlett
(corlett@elwha.nrrc.ncsu.edu)"
|
|
Any | Freedom Issue | Very High | Critical | [gens-gs] contains nonfree Starscream code and the Poor ... | Closed | |
Task Description
Gens/GS contains nonfree:
* Starscream code
* The Poorman’s Sega 32x BIOS files (on the source code)
$ pacman -Si gens-gs
Repository : multilib
Name : gens-gs
Version : 2.16.7-6
Description : An emulator of Sega Genesis, Sega CD and 32X, combining features from various forks of Gens
Architecture : x86_64
URL : http://segaretro.org/Gens/GS
Licenses : GPL
Groups : None
Provides : gens
Depends On : lib32-gtk2 lib32-sdl
Optional Deps : lib32-alsa-plugins: ALSA sound support
lib32-libcanberra: Hide a silly warning
lib32-libpulse: PulseAudio sound support
Conflicts With : gens
Replaces : None
Download Size : 2047.36 KiB
Installed Size : 4815.00 KiB
Packager : Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
Build Date : Mon 07 Dec 2015 10:23:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
Starscream License:
-----------------------------------------------------------------------------
Starscream 680x0 emulation library Custom version M0.26d
Copyright 1997, 1998, 1999 Neill Corlett
Modified by Stéphane Dallongeville
Used for the main 68000 CPU emulation in Gens.
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
0. Terms of Use
-----------------------------------------------------------------------------
"Starscream" refers to the following files:
* STAR.C
* STARCPU.H
* CPUDEBUG.C
* CPUDEBUG.H
* STARDOC.TXT
* any object file or executable compiled from the above
* any source code generated from STAR.C, or object file assembled from such
code
Starscream may be distributed freely in unmodified form, as long as this
documentation is included.
No money, goods, or services may be charged or solicited for Starscream, or
any emulator or other program which includes Starscream, in whole or in part.
Using Starscream in a shareware or commercial application is forbidden.
Contact Neill Corlett (corlett@elwha.nrrc.ncsu.edu) if you'd like to license
Starscream for commercial use.
Any program which uses Starscream must include the following credit text, in
its documentation or in the program itself:
"Starscream 680x0 emulation library by Neill Corlett
(corlett@elwha.nrrc.ncsu.edu)"
The Poorman’s Sega 32x BIOS License:
The Poorman's Sega 32x BIOS files
By Devster (Joseph Norman)
http://devster.retrodev.com/
Exclaimer
---------
; Feel free to use this code, recompile the code, redistribute the unmodified code,
; modify it with your own name on it and redistribute it as yours if you
; so wish to do so without getting caught looking stupid, but you may not sell it for
; cash monies, or for in exchange of hot prostitutes, nor include it with any other
; redistributable software packages without consent from DevSter. This code is IS AS,
; which is latin for jibber jabber, to DevSter and the holder of this code, means
; there are no other further attatchments, absolutely no guarantees in it "working",
; comes with no lifetime waranty, et al, and you will gain nothing more than to play
; your super cool Sega Genesis 32X (names reserved to their rightful owners) without
; having to resort to using the actual copyrighted bios files. Let it further be noted
; that the use of the word "code" in this exclaimer refers to both the source code, and
; the pre-compiled code that was distributed.
|
|
Any | Freedom Issue | Very High | Critical | [dgen-sdl] contains nonfree CZ80, dZ80, DrZ80, Multi-Z8 ... | Closed | |
Task Description
DGen/SDL contains nonfree:
* CZ80
* dZ80
* DrZ80
* Multi-Z80
* Musashi v3.3
* Starscream
$ pacman -Si dgen-sdl
Repository : community
Name : dgen-sdl
Version : 1.33-2
Description : An emulator for Sega Genesis/Mega Drive systems ported to SDL
Architecture : x86_64
URL : http://dgen.sourceforge.net
Licenses : BSD
Groups : None
Provides : None
Depends On : sdl libgl libarchive
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 420.95 KiB
Installed Size : 2000.00 KiB
Packager : Allan McRae <allan@archlinux.org>
Build Date : Sun 06 Dec 2015 12:19:03 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
CZ80 License:
************************************************
* *
* CZ80 (Z80 CPU emulator) version 0.91 *
* Compiled with Dev-C++ *
* Copyright 2004-2005 Stéphane Dallongeville *
* *
************************************************
CZ80 is a Z80 CPU emulator, priorities were given to :
- code size
- speed
- accuracy
- portablity
It supports almost all undocumented opcodes and flags.
The emulator can be freely distribued and used for any non commercial
project as long you don't forget to credit me somewhere :)
If you want some support about the CZ80, you can contact me on
the Gens forum (http://gens.consolemul.com then go to the forum).
dZ80 License:
dZ80 Version 2.0 Source Code
Copyright 1996-2002 Mark Incley.
E-mail: dz80@inkland.org
http://www.inkland.org
Serious Bit
-----------
I have made this source code available so that it may be compiled on platforms
other than MS-DOS and Windows. You may compile it and distribute the resulting
executable only if no monies are charged for it.
** YOU ARE NOT ALLOWED TO DISTRIBUTE THIS SOFTWARE COMMERICIALLY **
Not So Serious Bit
------------------
If you make any feature modifications to the dZ80 source code, please let me
know, so that I can make them to my source too. I didn't intend for dZ80 to
grow into an all singing and dancin' disassembler, but, if features are added,
I would like to add them to my base version too.
DrZ80 License:
___________________________________________________________________________
DrZ80 (c) Copyright 2004 Reesy. Free for non-commercial use
Reesy's e-mail: drsms_reesy(atsymbol)yahoo.co.uk
Replace (atsymbol) with @
___________________________________________________________________________
Multi-Z80 License:
Multi-Z80 32 Bit emulator
Copyright 1996, 1997, 1998, 1999, 2000 - Neil Bradley, All rights reserved
MZ80 License agreement
-----------------------
(MZ80 Refers to both the assembly code emitted by makez80.c and makez80.c
itself)
MZ80 May be distributed in unmodified form to any medium.
MZ80 May not be sold, or sold as a part of a commercial package without
the express written permission of Neil Bradley (neil@synthcom.com). This
includes shareware.
Modified versions of MZ80 may not be publicly redistributed without author
approval (neil@synthcom.com). This includes distributing via a publicly
accessible LAN. You may make your own source modifications and distribute
MZ80 in source or object form, but if you make modifications to MZ80
then it should be noted in the top as a comment in makez80.c.
MZ80 Licensing for commercial applications is available. Please email
neil@synthcom.com for details.
Synthcom Systems, Inc, and Neil Bradley will not be held responsible for
any damage done by the use of MZ80. It is purely "as-is".
If you use MZ80 in a freeware application, credit in the following text:
"Multi-Z80 CPU emulator by Neil Bradley (neil@synthcom.com)"
must accompany the freeware application within the application itself or
in the documentation.
Legal stuff aside:
If you find problems with MZ80, please email the author so they can get
resolved. If you find a bug and fix it, please also email the author so
that those bug fixes can be propogated to the installed base of MZ80
users. If you find performance improvements or problems with MZ80, please
email the author with your changes/suggestions and they will be rolled in
with subsequent releases of MZ80.
The whole idea of this emulator is to have the fastest available 32 bit
Multi-Z80 emulator for the x86, giving maximum performance.
Musashi v3.3 License:
MUSASHI
=======
Version 3.3
A portable Motorola M680x0 processor emulation engine.
Copyright 1998-2001 Karl Stenerud. All rights reserved.
LICENSE AND COPYRIGHT:
---------------------
The Musashi M680x0 emulator is copyright 1998-2001 Karl Stenerud.
The source code included in this archive is provided AS-IS, free for any
non-commercial purpose.
If you build a program using this core, please give credit to the author.
If you wish to use this core in a commercial environment, please contact
the author to discuss commercial licensing.
Starscream License:
-----------------------------------------------------------------------------
Starscream 680x0 emulation library version 0.26d
Copyright 1997, 1998, 1999 Neill Corlett
Modified by Stéphane Dallongeville
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
0. Terms of Use
-----------------------------------------------------------------------------
"Starscream" refers to the following files:
* STAR.C
* STARCPU.H
* CPUDEBUG.C
* CPUDEBUG.H
* STARDOC.TXT
* any object file or executable compiled from the above
* any source code generated from STAR.C, or object file assembled from such
code
Starscream may be distributed freely in unmodified form, as long as this
documentation is included.
No money, goods, or services may be charged or solicited for Starscream, or
any emulator or other program which includes Starscream, in whole or in part.
Using Starscream in a shareware or commercial application is forbidden.
Contact Neill Corlett (corlett@elwha.nrrc.ncsu.edu) if you'd like to license
Starscream for commercial use.
Any program which uses Starscream must include the following credit text, in
its documentation or in the program itself:
"Starscream 680x0 emulation library by Neill Corlett
(corlett@elwha.nrrc.ncsu.edu)"
|
|
Any | Bug Report | Very Low | Critical | [system-config-printer] Impossible to print some pdfs ( ... | Closed | |
Task Description
Hello,
I’m unable to print some pdfs on my Hyperbola 3.0 system. Some background:
- cups is installed, service enabled and working
- system-config-printer is installed and my printer has been correctly added.
I can print most pdfs and text files but recently, with one pdf, it fails to print.* And system-config-printer returned the following error (see capture):
Printer "EPSON XP-620-Series" requires the '/usr/lib/cups/filters/epson-escpr-wrapper' but it is not currently installed.
Currently, “epson-escpr-wrapper” is installed but it is in:
/usr/libexec/cups/filters/epson-escpr-wrapper
Looking at the source code of system-config-printer, it expects that wrapper to be installed in “/usr/lib/” so I tried to symlink that “epson-escpr-wrapper” to “/usr/lib/cups/filters” but it doesn’t work.
*With a Debian system and the exact same configuration, the “problematic” pdf prints just fine so it is not an issue with the pdf.
|
|
Any | Freedom Issue | Very Low | Critical | [conky] Some serious issues | Closed | |
Task Description
I’m writing here about the package Conky. It is a useful system monitor widget for your desktop, but there are some serious issues:
Config variables
- distribution outputs the string “Arch Linux” instead of “Hyperbola GNU/Linux-libre”.
- eve requires users to use the API for the non-libre/free video game EVE Online, and should be removed.
- All Beep Media Player (BMPx) related variables (including bmpx_album, bmpx_artist, bmpx_bitrate, bmpx_title, bmpx_track and bmpx_uri) are obsolete and useless, and should be removed because the package BMPx isn’t present in the Arch and Hyperbola official repositories, only in the Arch User Repository (AUR).
- [For Milky Way version 0.4.x only] All PulseAudio related variables (including if_pa_sink_muted, pa_sink_volume, pa_sink_volumebar, pa_sink_description, pa_card_name and pa_card_active_profile) are no longer used, and should be removed because the default audio server has been replaced with sndio.
Manual
|
|
Any | Security Issue | Very High | Critical | [libarchive] CVE-2019-18408 | Closed | |
Task Description
https://www.zdnet.com/article/libarchive-vulnerability-can-lead-to-code-execution-on-linux-freebsd-netbsd/
https://security-tracker.debian.org/tracker/CVE-2019-18408
|
|
Any | Security Issue | Medium | Critical | [libjpeg-turbo] CVE-2019-2201 | Closed | |
Task Description
In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation.
https://security-tracker.debian.org/tracker/CVE-2019-2201
Patch: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388
|
|
Any | Privacy Issue | Very Low | Critical | [bleachbit] needs to be adapted to UXP applications | Closed | |
Task Description
The current version of BleachBit needs to be adapted so it can clean the new .cache/hyperbola/ directory.
|
|
Any | Security Issue | Very Low | Critical | [unbound] Multiple CVEs | Closed | |
Task Description
https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
[Critical] https://security-tracker.debian.org/tracker/CVE-2019-18934
|
|
Any | Security Issue | Very Low | Critical | [opensmtpd] CVE-2020-8794 | Closed | |
Task Description
Description:
https://www.openwall.com/lists/oss-security/2020/02/24/5
https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/
Qualys Security Advisory
LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)
Summary Analysis ... Acknowledgments
We discovered a vulnerability in OpenSMTPD, OpenBSD’s mail server. This vulnerability, an out-of-bounds read introduced in December 2015 (commit 80c6a60c, “when peer outputs a multi-line response ...”), is exploitable remotely and leads to the execution of arbitrary shell commands: either as root, after May 2018 (commit a8e22235, “switch smtpd to new grammar”); or as any non-root user, before May 2018.
Because this vulnerability resides in OpenSMTPD’s client-side code (which delivers mail to remote SMTP servers), we must consider two different scenarios:
- Client-side exploitation: This vulnerability is remotely exploitable
in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
OpenSMTPD listens on localhost only, by default, it does accept mail
from local users and delivers it to remote servers. If such a remote
server is controlled by an attacker (either because it is malicious or
compromised, or because of a man-in-the-middle, DNS, or BGP attack --
SMTP is not TLS-encrypted by default), then the attacker can execute
arbitrary shell commands on the vulnerable OpenSMTPD installation.
- Server-side exploitation: First, the attacker must connect to the
OpenSMTPD server (which accepts external mail) and send a mail that
creates a bounce. Next, when OpenSMTPD connects back to their mail
server to deliver this bounce, the attacker can exploit OpenSMTPD's
client-side vulnerability. Last, for their shell commands to be
executed, the attacker must (to the best of our knowledge) crash
OpenSMTPD and wait until it is restarted (either manually by an
administrator, or automatically by a system update or reboot).
We developed a simple exploit for this vulnerability and successfully tested it against OpenBSD 6.6 (the current release), OpenBSD 5.9 (the first vulnerable release), Debian 10 (stable), Debian 11 (testing), and Fedora 31.
The fix is delivered in OpenSMTPD 6.6.4p1, available here, which the developer recommends installing “AS SOON AS POSSIBLE.”
|
|
Any | Security Issue | Very High | Critical | [grub2] UEFI SecureBoot vulnerability + multiple flaws ... | Closed | |
Task Description
https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/
https://9to5linux.com/grub2-boot-failure-issues-fixed-in-debian-and-ubuntu-update-now
|
|
Any | Bug Report | Very High | Critical | [ath9k-htc-firmware]: not work | Closed | |
Task Description
Description:
Ath9k wifi device not working, possibly bad compilation or issues with gcc
Additional info:
* package version(s)
- gcc-8.4.0-2
- ath9k-htc-firmware-1.4.0-8
* config and/or log files etc.
[ 8.302952] usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
[ 8.303011] usbcore: registered new interface driver ath9k_htc
[ 8.303067] usb 1-1: Direct firmware load for ath9k_htc/htc_9271-1.4.0.fw failed with error -2
[ 8.303073] usb 1-1: ath9k_htc: Firmware htc_9271.fw requested
[ 8.623141] usb 1-1: ath9k_htc: Transferred FW: htc_9271.fw, size: 51008
[ 9.683657] ath9k_htc 1-1:1.0: ath9k_htc: Target is unresponsive
[ 9.683672] ath9k_htc: Failed to initialize the device
Steps to reproduce:
- Add wifi device with ath9k firmware, for example: TL-WN722N
- pacman -S ath9k-htc-firmware
References:
- https://bugzilla.kernel.org/show_bug.cgi?id=208251
|