Packages

Category Task Type Priority  desc Severity Summary Status Progress
AnySecurity IssueVery HighCritical [gnome-mplayer] [gecko-mediaplayer] [gmtk] remove unsec ...Closed
100%
Task Description

Remove “gnome-mplayer”, “gecko-mediaplayer” and “gmtk” are unsecured/abandonware packages(released in 2014)
“gecko-mediaplayer” uses deprecated/unsecured NPAPI[0] and XULRunner[1][2] apis

$ pacman -Si gnome-mplayer
Repository : community
Name : gnome-mplayer
Version : 1.0.9-4
Description : A simple MPlayer GUI.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gnomemplayer Licenses : GPL Groups : None
Provides : None
Depends On : mplayer dbus-glib libnotify gmtk
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 343.29 KiB
Installed Size : 1461.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:45:38 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gecko-mediaplayer
Repository : community
Name : gecko-mediaplayer
Version : 1.0.9-3
Description : Browser plugin that uses gnome-mplayer to play media in a web browser.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gecko-mediaplayer Licenses : GPL Groups : None
Provides : None
Depends On : gnome-mplayer>=1.0.9 dbus-glib gmtk curl
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 80.92 KiB
Installed Size : 598.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:36:31 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gmtk
Repository : community
Name : gmtk
Version : 1.0.9-3
Description : Common functions for gnome-mplayer and gecko-mediaplayer.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gmtk Licenses : GPL Groups : None
Provides : None
Depends On : glib2 gtk3 dconf
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 73.85 KiB
Installed Size : 246.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:50:49 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap [1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [2]:https://tracker.debian.org/pkg/xulrunner

AnySecurity IssueVery HighCritical [freewrl] remove unsecure "libFreeWRLplugin.so" Closed
100%
Task Description

Remove “libFreeWRLplugin.so”, uses deprecated/unsecure NPAPI[0] and XULRunner[1][2] apis

$ pacman -Si freewrl
Repository : community
Name : freewrl
Version : 1:2.3.3-1
Description : VRML viewer
Architecture : x86_64
URL : http://freewrl.sourceforge.net/ Licenses : GPL Groups : None
Provides : None
Depends On : java-runtime libxaw glew freeglut curl freetype2 imlib2 sox unzip imagemagick libxml2 ttf-bitstream-vera lesstif js185 glu openal

                freealut

Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 583.49 KiB
Installed Size : 2060.00 KiB
Packager : Sergej Pupykin <pupykin.s+arch@gmail.com>
Build Date : Mon 19 Dec 2016 10:31:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ sudo pacman -Ql freewrl
freewrl /usr/
freewrl /usr/bin/
freewrl /usr/bin/freewrl
freewrl /usr/bin/freewrl_msg
freewrl /usr/bin/freewrl_snd
freewrl /usr/include/
freewrl /usr/include/FreeWRLEAI/
freewrl /usr/include/FreeWRLEAI/EAIHeaders.h
freewrl /usr/include/FreeWRLEAI/EAI_C.h
freewrl /usr/include/FreeWRLEAI/GeneratedHeaders.h
freewrl /usr/include/FreeWRLEAI/X3DNode.h
freewrl /usr/include/libFreeWRL.h
freewrl /usr/lib/
freewrl /usr/lib/libFreeWRL.so
freewrl /usr/lib/libFreeWRL.so.2
freewrl /usr/lib/libFreeWRL.so.2.3.3
freewrl /usr/lib/libFreeWRLEAI.so
freewrl /usr/lib/libFreeWRLEAI.so.2
freewrl /usr/lib/libFreeWRLEAI.so.2.3.3
freewrl /usr/lib/mozilla/
freewrl /usr/lib/mozilla/plugins/
freewrl /usr/lib/mozilla/plugins/libFreeWRLplugin.so
freewrl /usr/lib/pkgconfig/
freewrl /usr/lib/pkgconfig/libFreeWRL.pc
freewrl /usr/lib/pkgconfig/libFreeWRLEAI.pc
freewrl /usr/share/
freewrl /usr/share/applications/
freewrl /usr/share/applications/freewrl.desktop
freewrl /usr/share/man/
freewrl /usr/share/man/man1/
freewrl /usr/share/man/man1/freewrl.1.gz
freewrl /usr/share/pixmaps/
freewrl /usr/share/pixmaps/freewrl.png

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap [1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [2]:https://tracker.debian.org/pkg/xulrunner

AnySecurity IssueVery HighCritical [xulrunner] unmaintained and unsupportable Closed
100%
Task Description

Remove “xulrunner”[0][1] is unsecure/abandonware package

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner Licenses : MPL GPL LGPL Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [1]:https://tracker.debian.org/pkg/xulrunner

AnyFreedom IssueVery HighCritical [cmake-fedora] useful only for non-FSDG distros Closed
100%
Task Description

$ pacman -Si cmake-fedora
Repository : community
Name : cmake-fedora
Version : 2.7.1-3
Description : CMake helper modules for fedora developers
Architecture : any
URL : https://pagure.io/cmake-fedora Licenses : custom:BSD
Groups : None
Provides : None
Depends On : cmake
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 90.94 KiB
Installed Size : 422.00 KiB
Packager : Felix Yan felixonmars@archlinux.org Build Date : Mon 17 Apr 2017 06:39:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

AnyFreedom IssueVery HighCritical [cataclysm-dda] uses CC BY-SA for software Closed
100%
Task Description

Cataclysm-DDA contains a problematic license[0][1][2] for software.
Uses “Creative Commons Attribution-ShareAlike 3.0 Unported License”.

$ pacman -Si cataclysm-dda
Repository : community
Name : cataclysm-dda
Version : 0.C-3
Description : A post-apocalyptic roguelike.
Architecture : x86_64
URL : http://en.cataclysmdda.com/ Licenses : CCPL:by-sa
Groups : None
Provides : None
Depends On : ncurses lua
Optional Deps : sdl2_image: for tiles

                sdl2_ttf: for tiles
                freetype2: for tiles
                sdl2_mixer: for tiles

Conflicts With : None
Replaces : None
Download Size : 19.33 MiB
Installed Size : 53.32 MiB
Packager : Felix Yan felixonmars@archlinux.org Build Date : Mon 07 Dec 2015 03:14:02 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://github.com/CleverRaven/Cataclysm-DDA/blob/master/LICENSE.txt [1]:https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software [2]:https://www.gnu.org/licenses/license-list.html#ccbysa

AnySecurity IssueVery HighCritical [midori] unmaintained and unsupportable Closed
100%
Task Description

The developer team is discussing the removal of Midori from Debian repositories.

Jeremy Bicha says:


> The final stable release of Midori still uses the unmaintained WebKit1
> instead of webkit2gtk and therefore the browser suffers from numerous
> known security vulnerabilities. Midori now fails to build with vala
> 0.36 which is in Ubuntu 17.10 Alpha and will be in Debian unstable
> once it clears the Debian new queue.
> https://launchpad.net/bugs/1698483 .

See a complete discussion here.

AnySecurity IssueVery HighCritical [w3m] unmaintained and unsupportable Closed
100%
Task Description

w3m is an unmaintained and unsuportable software, the latest release was 0.5.3 (2011)[0][1][2][3]

$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/ Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot jgc@archlinux.org Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature

[0]:https://sourceforge.net/projects/w3m/files/w3m/ [1]:https://security.archlinux.org/package/w3m [2]:https://tracker.debian.org/pkg/w3m [3]:https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m

AnySecurity IssueVery HighCritical [pam] pam_unix2 is orphaned and dead upstream Closed
100%
Task Description

pam_unix2 was removed from Debian Jessie because it’s buggy and unmaintained [0]

It’s included inside pam package and should be removed since it doesn’t comes from official source. Also the original upstream FTP directory (ftp://ftp.suse.com/people/kukuk/pam/pam_unix2) has disappeared.

[0]:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628848

$ pacman -Si pam
Repository : core
Name : pam
Version : 1.3.0-1
Description : PAM (Pluggable Authentication Modules) library
Architecture : x86_64
URL : http://linux-pam.org Licenses : GPL2
Groups : None
Provides : None
Depends On : glibc cracklib libtirpc pambase
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 609.71 KiB
Installed Size : 2980.00 KiB
Packager : Tobias Powalowski tpowa@archlinux.org Build Date : Thu 09 Jun 2016 02:44:03 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Ql pam > pam_fileslist.txt

AnySecurity IssueVery HighCritical [wpa_supplicant] vulnerable to KRAK attack Closed
100%
Task Description

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

AnyFreedom IssueVery HighCritical [kodi] contains youtube-dl which runs non-free scripts Closed
100%
Task Description

Please replace by avideo, preferably by a release which receives updates so that it can still function within kodi (the non-LTS version).

Replace by LTS version of avideo to follow Hyperbola Packaging Guidelines.

AnySecurity IssueVery HighCritical [dillo] enable IPv6, SSL/TLS and threaded DNS support Closed
100%
Task Description

Please move dillo to blacklist. Please enable IPv6, SSL/TLS and threaded DNS support.

1- Arch PKGBUILD problems:

 a- not obtain source via https
 b- not compiled with support --enable-ipv6 --enable-threaded-dns --enable-ssl 

My correction is committed in NAB-packages-community

TestingPrivacy IssueVery HighCritical [abiword] remove AltaVista's Babel Fish translator supp ...Closed
100%
Task Description

Abiword supports the defunct AltaVista’s Babel Fish translator which queries are redirected to the main Yahoo! page.

...

build() {
  cd $pkgname-$pkgver
  ./configure --prefix=/usr \
    --enable-shared \
    --disable-static \
    --enable-clipart \
    --enable-templates \
    --enable-plugins="aiksaurus applix **babelfish** bmp clarisworks collab docbook \
                      eml epub freetranslation garble gdict gimp goffice grammar \
                      hancom hrtext iscii kword latex loadbindings mathview mht \
                      mif mswrite opendocument openwriter openxml opml ots paint \
                      passepartout pdb pdf presentation psion s5 sdw t602 urldict \
                      wikipedia wmf wml wordperfect wpg xslfo" \
    --enable-introspection
  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
  make
}

...
AnyFeature RequestVery HighHigh [linux-libre-*] add missing installed kernel configurat ...Closed
100%
Task Description

Add missing /boot/config-linux-libre-* useful for applications such as Xen.

AnyPrivacy IssueVery HighCritical [libreoffice*] contains Google API keys Closed
100%
Task Description

Libreoffice contains Google API keys which affects privacy.

AnyFreedom IssueVery HighCritical  [aarch64-linux-gnu-linux-api-headers] compiles using b ...Closed
100%
Task Description

The aarch64-linux-gnu-linux-api-headers from [community] is compiled using the blobbed Linux kernel sources[0], and in Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1].
This issue is exactly the same as linux-api-headers, so it should be blacklisted and replaced using the Linux-libre source.

[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD

[1]https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662

AnyFreedom IssueVery HighCritical  [aarch64-linux-gnu-linux-api-headers] compiles using b ...Closed
100%
Task Description

The aarch64-linux-gnu-linux-api-headers package from [community] compiles using the blobbed Linux kernel source[0], at Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1], since this issue is exactly the same as with linux-api-headers.

The solution is to simply compile using Linux-libre sources.

[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD

[1] https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662

AnySecurity IssueVery HighCritical [linux-libre-lts*] Meltdown & Spectre Vulnerability Closed
100%
Task Description

Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.

AnySecurity IssueVery HighCritical [libressl] add package as OpenSSL replacement and defau ...Closed
100%
Task Description

LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

It was forked from the OpenSSL in April 2014 as a response by OpenBSD developers to the Heartbleed security vulnerability in OpenSSL, [4] [5] [6] [7] with the aim of refactoring the OpenSSL code so as to provide a more secure implementation. [8]

As LibreSSL follow the same goals than Hyperbola Packaging Guidelines in stability and security concerns, it should be the default provider of SSL and TLS protocols for Hyperbola Project.

AnySecurity IssueVery HighCritical [avahi] blacklist package since it's a zeroconf impleme ...Closed
100%
Task Description

Avahi is a zero-configuration networking implementation that contains critical security issues because mDNS operates under a different trust model than unicast DNS trusting the entire network rather than a designated DNS server, it is vulnerable to spoofing attacks by any system within the multicast IP range. Like SNMP and many other network management protocols, it can also be used by attackers to quickly gain detailed knowledge of the network and its machines. [0]

Since it violates the Hyperbola Social Contract , Avahi should be blacklisted.

AnySecurity IssueVery HighCritical [electrum] JSONRPC vulnerability Closed
100%
Task Description

Our current version is vulnerable

AnyPrivacy IssueVery HighCritical [openrc] Google in init.d and conf.d configuration (ne ...Closed
100%
Task Description
/etc/init.d/net-online
-----
Line #62
ping_test_host="${ping_test_host:-google.com}"
_____
/etc/conf.d/net-online
-----
# The default is google.com.
AnySecurity IssueVery HighCritical [mupdf] multiple security issues Closed
100%
Task Description

Summary

The package mupdf is vulnerable to multiple issues including arbitrary code execution and denial of service via CVE-2018-6544, CVE-2018-6192, CVE-2018-6187, CVE-2018-5686 and CVE-2018-1000051.

Package Information

$ pacman -Si mupdf
Repositorio               : community
Nombre                    : mupdf
Versión                   : 1.11-1
Descripción               : Lightweight PDF and XPS viewer
Arquitectura              : x86_64
URL                       : http://mupdf.com
Licencias                 : AGPL3
Grupos                    : Nada
Provee                    : Nada
Depende de                : curl  desktop-file-utils  freetype2  harfbuzz  jbig2dec  libjpeg  openjpeg2  openssl
Dependencias opcionales   : Nada
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 18,18 MiB
Tamaño de la instalación  : 33,03 MiB
Encargado                 : Christian Hesse <arch@eworm.de>
Fecha de creación         : mar 11 abr 2017 05:22:41 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

References

AnyReplace RequestVery HighCritical [dnscrypt-proxy] update package to 2.x following backpo ...Closed
100%
Task Description

Since DNSCrypt-Proxy project has been abandoned [0] , DNSCrypt-Proxy 2 [1] should be used as its source replacement, however DNSCrypt-Proxy 2 contains support for unsafe and dangerous for privacy protocols such as Google. [2] [3] [4] Also, it contains Google recommendation and support through its parental control servers and public resolvers lists [5] [6]

Therefore DNSCrypt-Proxy 2 requires be re-forked by us first to follow our social contract.

AnyFeature RequestVery HighHigh [kmod] add init file to load kernel modules from /etc f ...Closed
100%
Task Description

Add init file to load kernel modules in system configuration

Examples:

/etc/modules.conf
----
btrfs

/etc/modules.d/*.conf
----

/etc/modules.d/nouveau.conf
----
nouveau

/etc/init.d/modules
----
#!/usr/bin/openrc-run
command="/usr/bin/modprobe"
command_args="$(cat /etc/modules.{,d/*}conf)"

/etc/runlevels/boot/modules
AnyFeature RequestVery HighHigh [procps-ng] add init file to load sysctl configuration  ...Closed
100%
Task Description

Add init file to load sysctl configuration files

Examples:

/etc/init.d/sysctl
----
#!/usr/bin/openrc-run
command="/usr/bin/sysctl"
command_args="--system"
----
/etc/runlevels/boot/sysctl
AnyReplace RequestVery HighCritical [kernel-firmware] split out firmware projects from linu ...Closed
100%
AnyBug ReportVery HighHigh [android-udev] [MTP] unable to mount Android phone Closed
100%
AnyFeature RequestVery HighHigh [kmod] when dummy.ko is loaded, dummy0 interface is loa ...Closed
100%
AnyBug ReportVery HighLow [filesystem] the hyperbola manual (/usr/share/man/man7/ ...Closed
100%
AnyUpdate RequestVery HighCritical [certbot] update package to support ACMEv2 and Wildcard Closed
100%
AnyBug ReportVery HighCritical [warsow] the package is not compiled from source Closed
100%
AnyFreedom IssueVery HighCritical [warsow-data] the package contains nonfree assets (CC B ...Closed
100%
AnyFreedom IssueVery HighCritical [torcs-data] contains nonfree car models Closed
100%
AnyFreedom IssueVery HighCritical [vdrift-data] contains nonfree car and track models Closed
100%
StableBug ReportVery HighCritical [openrc] Cowardly refusing to concatenate a logfile int ...Closed
100%
AnyFreedom IssueVery HighCritical [warsow] contains Steam support Closed
100%
AnySecurity IssueVery HighCritical [xen] multiple security issues: CVE-2018-10472, CVE-201 ...Closed
100%
AnySecurity IssueVery HighCritical [wget] - GNU Wget Cookie Injection CVE-2018-0494 Closed
100%
AnyFreedom IssueVery HighCritical [rust][cargo] trademark agreement affects user freedom Closed
100%
AnyDrop RequestVery HighCritical [cgmanager] unmaintained and unsupportable Closed
100%
AnyDrop RequestVery HighCritical [pm-utils] unmaintained and unsupportable Closed
100%
AnySecurity IssueVery HighCritical [networkmanager] CVE-2018-1111: DHCP client script code ...Closed
100%
AnyFreedom IssueVery HighCritical [pacman] uses "Linux" term instead of "GNU/Linux" in it ...Closed
100%
AnyFreedom IssueVery HighCritical [xmind] is probably directing users to proprietary soft ...Closed
100%
AnyFreedom IssueVery HighCritical [luminancehdr] depends on non-free qt5-webengine Closed
100%
AnyFreedom IssueVery HighCritical [bluegriffon] contains support to nonfree "Extended Fea ...Closed
100%
AnyPrivacy IssueVery HighCritical [purple-facebook] only useful with Facebook service Closed
100%
AnyPrivacy IssueVery HighCritical [cutegram] only useful with Telegram service Closed
100%
AnyPrivacy IssueVery HighCritical [libqtelegram-ae] only useful with Telegram service Closed
100%
AnyPrivacy IssueVery HighCritical [telegram-qt] only useful with Telegram service Closed
100%
Showing tasks 1 - 50 of 1517 Page 1 of 31

Available keyboard shortcuts

Tasklist

Task Details

Task Editing