Packages

Description:

• Remove the “placeholder” entry in /etc/grub.d/20_linux_xen since it has been removed from Linux kernel.

Additional info:

• grub 2:2.02-1.hyperbola3

/etc/grub.d/20_linux_xen
----
-       module  ${rel_dirname}/${basename} placeholder root=${linux_root_device_thisversion} ro ${args}
+       module  ${rel_dirname}/${basename} root=${linux_root_device_thisversion} ro ${args}
----

$ pacman -Si grub
Repository      : core
Name            : grub
Version         : 2:2.02-1.hyperbola3
Description     : GNU GRand Unified Bootloader (2), (Hyperbola rebranded)
Architecture    : x86_64
URL             : https://www.gnu.org/software/grub/
Licenses        : GPL3
Groups          : None
Provides        : grub-common  grub-bios  grub-emu  grub-efi-x86_64
Depends On      : sh  xz  gettext  device-mapper
Optional Deps   : freetype2: For grub-mkfont usage
                  fuse: For grub-mount usage
                  dosfstools: For grub-mkrescue FAT FS and EFI support
                  efibootmgr: For grub-install EFI support
                  libisoburn: Provides xorriso for generating grub rescue iso using grub-mkrescue
                  os-prober: To detect other OSes when generating grub.cfg in BIOS systems
                  mtools: For grub-mkrescue FAT FS and EFI support
                  xen: For Xen Dom0 support
                  xen-docs: For Xen documentation
Conflicts With  : grub-common  grub-bios  grub-emu  grub-efi-x86_64  grub-legacy
Replaces        : grub-common  grub-bios  grub-emu  grub-efi-x86_64
Download Size   : 6.17 MiB
Installed Size  : 39.31 MiB
Packager        : André Silva <emulatorman@hyperbola.info>
Build Date      : Mon 20 Nov 2017 06:35:41 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Steps to reproduce:

• Turn on machine and then check Linux-libre kernel booting

Description:

Hiawatha contains only systemd files.

It shall be removed and openrc shall be provided

Description:

NoScript zero-day allows script execution even with scripts blocked by default.

https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/

https://twitter.com/ma1/status/1039163003034324992

Additional info:
* package version(s) < 5.1.8.7

Steps to reproduce:
Set the Content-Type of your html/js page to “text/html;json” and enjoy full JS pwnage”

Some addons are currently broken with latest iceweasel-uxp (iceweasel-uxp 52.9.20190926-1)

DownThemAll
Save to Wayback Machine
Self-Destructing Cookies
(and probably others)

g4jc suggested to drop PGO as it could be the culprit.

https://forums.hyperbola.info/viewtopic.php?pid=1149#p1149

Regarding addons, I'm fairly certain flipping the switch on PGO (which makes the browser faster at the expense of wrecking code) is the culprit. We were warned not to use it, and this is planned to be rolled back.

However, Hyperbot has to be scheduled to rebuild the packages and I do not set it's schedule. Will advise.

With latest iceweasel-uxp, I can’t connect to some HTTPS websites :

For example :

https://pkgs.fedoraproject.org/ is an example

SEC_ERROR_UNKNOWN_ISSUER

Since Linux 4.14, the in-tree kernel firmware was dropped[0][1], and Hyperbola uses linux-libre-lts-firmware from 4.9 which still supports that firmware.

However, I’d like to request upgrading to the new libre replacement of linux-firmware.git: linux-libre-firmware[2][3].

This version has no LTS releases (well, firmwares commonly don’t have LTS versions and the in-tree firmware was always the same in post-4.9 generations), but it has the same firmwares as Linux-libre-lts plus some others.

This is the list of firmware files in linux-libre-lts-firmware and its dependencies:

linux-libre-lts-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw

ath9k-htc-firmware
---
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw

openfwwf
---
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw

And here are the firmware files of the new linux-libre-firmware:

linux-libre-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw
/usr/lib/firmware/carl9170-1.fw
/usr/lib/firmware/cis/3CCFEM556.cis
/usr/lib/firmware/cis/3CXEM556.cis
/usr/lib/firmware/cis/COMpad2.cis
/usr/lib/firmware/cis/COMpad4.cis
/usr/lib/firmware/cis/DP83903.cis
/usr/lib/firmware/cis/LA-PCM.cis
/usr/lib/firmware/cis/MT5634ZLX.cis
/usr/lib/firmware/cis/NE2K.cis
/usr/lib/firmware/cis/PCMLM28.cis
/usr/lib/firmware/cis/PE-200.cis
/usr/lib/firmware/cis/PE520.cis
/usr/lib/firmware/cis/RS-COM-2P.cis
/usr/lib/firmware/cis/SW_555_SER.cis
/usr/lib/firmware/cis/SW_7xx_SER.cis
/usr/lib/firmware/cis/SW_8xx_SER.cis
/usr/lib/firmware/cis/tamarack.cis
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
/usr/lib/firmware/isci/isci_firmware.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
/usr/lib/firmware/usbdux_firmware.bin
/usr/lib/firmware/usbduxfast_firmware.bin
/usr/lib/firmware/usbduxsigma_firmware.bin

It has openfwwf and ath9k-htc-firmware included, plus some others. If actual versions of Hyperbola don’t get the update at least consider it for future releases. You can get the new PKGBUILD[4] and its new build dependencies at Parabola’s abslibre.git libre tree[5]

The new dependencies are:

• sh-elf-gcc (which depends on sh-elf-binutils)

• sh-elf-newlib

• arm-linux-gnueabi-gcc (which depends on arm-linux-gnueabi-binutils)

• xtensa-unknown-elf-gcc (already at Hyperbola)

Sources:

[0] https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.14-Migrates-Out-FW
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38923a068c10fc36ca8f596d650d095ce390b85
[2] https://jxself.org/firmware/
[3] https://jxself.org/git/?p=linux-libre-firmware.git
[4] https://git.parabola.nu/abslibre.git/tree/libre/linux-libre-firmware
[5] https://git.parabola.nu/abslibre.git/tree/libre

Updated Note:

Since Linux-libre-firmware contains a lot of independent firmware, tools and assembly projects, it should be built from its official tarball separately and create a group called kernel-firmware to follow the our packaging guidelines. Tools and assembly projects shouldn’t be included in kernel-firmware since those ones are firmware dependencies.

Add init file to load kernel modules in system configuration

Examples:

/etc/modules.conf
----
btrfs

/etc/modules.d/*.conf
----

/etc/modules.d/nouveau.conf
----
nouveau

/etc/init.d/modules
----
#!/usr/bin/openrc-run
command="/usr/bin/modprobe"
command_args="$(cat /etc/modules.{,d/*}conf)"

/etc/runlevels/boot/modules

When dummy.ko (kernel module) is loaded, dummy0 interface is loaded as “numdummies=1”.
If any dummy interface is configured in netifrc config file, dummy module loads and adds undesirable “dummy0” interface
(eg. if “dummy0” interface is configured, it generates netifrc configuration conflicts).

Please add “/usr/lib/modprobe.d/dummy.conf” file configuration to disable numdummies option by default:

options dummy numdummies=0

Please replace by avideo, preferably by a release which receives updates so that it can still function within kodi (the non-LTS version).

Replace by LTS version of avideo to follow Hyperbola Packaging Guidelines.

Description:

Update to 3.1.4 version

Additional info:

krita 3.1.3

$ pacman -Qi krita
Name            : krita
Version         : 3.1.3-1
Description     : Edit and paint images
Architecture    : x86_64
URL             : http://krita.org
Licenses        : LGPL
Groups          : None
Provides        : None
Depends On      : kio  kitemmodels  gsl  libraw  exiv2  openexr  fftw  curl  boost-libs  hicolor-icon-theme
Optional Deps   : poppler-qt5: PDF filter [installed]
                  ffmpeg: to save animations [installed]
                  opencolorio: for the LUT docker [installed]
Required By     : None
Optional For    : None
Conflicts With  : calligra-krita  krita-l10n
Replaces        : calligra-krita  krita-l10n
Installed Size  : 112.43 MiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Fri 28 Apr 2017 07:57:59 AM -03
Install Date    : Tue 12 Sep 2017 03:28:32 AM -03
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Steps to reproduce:
contains some bugs

https://www.zdnet.com/article/libarchive-vulnerability-can-lead-to-code-execution-on-linux-freebsd-netbsd/

https://security-tracker.debian.org/tracker/CVE-2019-18408

Description:
libqtelegram-ae is Telegram library written in Qt based on telegram-cli code. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si libqtelegram-ae
Repository      : community
Name            : libqtelegram-ae
Version         : 3:6.1-4
Description     : Telegram library written in Qt based on telegram-cli code
Architecture    : x86_64
URL             : https://launchpad.net/libqtelegram
Licenses        : GPL3
Groups          : None
Provides        : None
Depends On      : qt5-base  qt5-multimedia
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 431.27 KiB
Installed Size  : 1999.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Wed 05 Apr 2017 07:16:39 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Libreoffice contains Google API keys which affects privacy.

LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

It was forked from the OpenSSL in April 2014 as a response by OpenBSD developers to the Heartbleed security vulnerability in OpenSSL, [4] [5] [6] [7] with the aim of refactoring the OpenSSL code so as to provide a more secure implementation. [8]

As LibreSSL follow the same goals than Hyperbola Packaging Guidelines in stability and security concerns, it should be the default provider of SSL and TLS protocols for Hyperbola Project.

Description:
libssh versions 0.6 and above have an authentication bypass vulnerability in
the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message
in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect
to initiate authentication, the attacker could successfully authentciate
without any credentials.

Additional info:
* package version(s) : extra/libssh 0.7.5-1

CVE

Add missing /boot/config-linux-libre-* useful for applications such as Xen.

Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.

Description:

• Add Linux-libre kernel adapted for servers:
  • Disable "Loadable kernel modules"
  • Adapt config for servers

Additional info:

• none.

Steps to reproduce:

• none.

Description:

With the latest release of the kernel, xwindow does not start anymore. I had to revert to 4.9.143.

Additional info:
* package version(s): linux-libre-lts-4.9.150_gnu-0-x86_64.pkg.tar.xz

Steps to reproduce:

Upgrade to the following:
- linux-libre-lts-4.9.150_gnu-0-x86_64.pkg.tar.xz
- linux-libre-lts-headers-4.9.150_gnu-0-x86_64.pkg.tar.xz
- acpi_call-lts-1.1.0-42.hyperbola34.6-x86_64.pkg.tar.xz

And try to start xwindow

Please repackage or replace with free software which provides similar functionality such as MacroFusion (which is available in the AUR).

The package cannot be installed. Here is the terminal output:

$ sudo pacman -S luminancehdr
resolving dependencies...
warning: cannot resolve "qt5-webengine", a dependency of "luminancehdr"
:: The following package cannot be upgraded due to unresolvable dependencies:
      luminancehdr

:: Do you want to skip the above package for this upgrade? [y/N] y
looking for conflicting packages...
 there is nothing to do

Description:

• Arch distributes a version of man-pages with manual pages from the POSIX standard. The man-pages project is permitted to distribute them and Andries Brouwer assumes that re-distribution by vendors is permitted as well. However, modification is definitively not allowed, hence this contribution by The Institute of Electrical and Electronics Engineers and The Open Group render the entire man-pages package nonfree. The way to solve it is remove all nonfree POSIX manual pages from man-pages package.

Additional info:
* package version(s)

• 4.11-1

* config and/or log files etc.

• License file (POSIX-COPYRIGHT):

The Institute of Electrical and Electronics Engineers (IEEE) and
The Open Group, have given us permission to reprint portions of
their documentation.

In the following statement, the phrase ``this text'' refers to
portions of the system documentation.

Portions of this text are reprinted and reproduced in electronic form
from IEEE Std 1003.1, 2013 Edition, Standard for Information Technology
-- Portable Operating System Interface (POSIX), The Open Group Base
Specifications Issue 7, Copyright (C) 2013 by the Institute of Electri-
cal and Electronics Engineers, Inc and The Open Group.  (This is
POSIX.1-2008 with the 2013 Technical Corrigendum 1 applied.) In the
event of any discrepancy between this version and the original IEEE and
The Open Group Standard, the original IEEE and The Open Group Standard
is the referee document.  The original Standard can be obtained online
at http://www.unix.org/online.html .

This notice shall appear on any product containing this material.

Redistribution of this material is permitted so long as this notice and
the corresponding notices within each POSIX manual page are retained on
any distribution, and the nroff source is included. Modifications to
the text are permitted so long as any conflicts with the standard
are clearly marked as such in the text.

Steps to reproduce:

• See license in /usr/share/licenses/man-pages/POSIX-COPYRIGHT

Description:

• needs OpenRC init script and contains systemd file

Additional info:

• mcelog 1:148-1

mcelog /usr/lib/systemd/system/mcelog.service

Steps to reproduce:

• none

Description:

• add GNU MediaGoblin package

Additional info:

• none

Steps to reproduce:

• none

Description:

• needs OpenRC init scripts (hg serve and chg server), like [git] (git-daemon) and [subversion] (svnserve)

Additional info:

• mercurial 4.2-1

Note: needs a provide: hg

Steps to reproduce:

• none

The developer team is discussing the removal of Midori from Debian repositories.

Jeremy Bicha says:

> The final stable release of Midori still uses the unmaintained WebKit1
> instead of webkit2gtk and therefore the browser suffers from numerous
> known security vulnerabilities. Midori now fails to build with vala
> 0.36 which is in Ubuntu 17.10 Alpha and will be in Debian unstable
> once it clears the Debian new queue.
> https://launchpad.net/bugs/1698483 .

See a complete discussion here.