|
Any | Freedom Issue | Medium | Medium | [filesystem] Review of permissions | Unconfirmed | |
Task Description
Description: Packages leave warnings about installation being within difference of the filesystem. So the package filesystem should get another review in time, and the warnings therefore get a solution.
|
|
Any | Bug Report | Low | Medium | [cryptsetup] when dmcrypt start, the "/" filesystem, m... | Assigned | |
Task Description
When the dmcrypt service starts, the “/” filesystem is remounted, mtab is updated and bootmisc records the login users, by waiting time scheduling:
* root: waiting for dmcrypt (50 seconds)
* root: timed out waiting for dmcrypt
* Remounting root filesystem read/write ...
* Remounting filesystems ...
* mtab: waiting for dmcrypt (50 seconds)
* mtab: timed out waiting for dmcrypt
* Updating /etc/mtab ...
* Creating mtab symbolic link
* bootmisc: waiting to dmcrypt (50 seconds)
* bootmisc: timed out waiting for dmcrypt
* Creating user login records ...
These features of the dmcrypt service are useless, and these lines are printed above the filesystem passphrase order (the printed line); they break the printed console and print the pressed keyboard key when I’m entering the password. Sometimes this breaks service startup, and I need to press “enter” repeatedly to allow the services to run.
|
|
Stable | Bug Report | Very Low | Very Low | [spamassassin] has different directory permissions than... | Deferred | |
Task Description
Description: The /usr/sbin directory in spamassassin has permissions 755 https://git.hyperbola.info:50100/packages/extra.git/tree/spamassassin/PKGBUILD#n88
And ‘filesystem’ sets it to 750 https://git.hyperbola.info:50100/packages/core.git/tree/filesystem/PKGBUILD#n135
So when installing spamassassin, pacman throws a warning
warning: directory permissions differ on /usr/sbin/
filesystem: 750 package: 755
Additional info: * spamassassin 3.4.2-1.hyperbola2
|
|
Stable | Bug Report | Very Low | Very Low | [postfix] has different directory permissions than 'fil... | Deferred | |
Task Description
Description: The /usr/sbin directory in postfix has permissions 755 https://git.hyperbola.info:50100/packages/extra.git/tree/postfix/PKGBUILD#n115
And ‘filesystem’ sets it to 750 https://git.hyperbola.info:50100/packages/core.git/tree/filesystem/PKGBUILD#n135
So when installing postfix, pacman throws a warning
warning: directory permissions differ on /usr/sbin/
filesystem: 750 package: 755
Additional info: * postfix-3.2.2-1.hyperbola6
|
|
Stable | Bug Report | Very Low | Very Low | [fail2ban] update dovecot failregex to support verbose ... | Unconfirmed | |
Task Description
Description: The /etc/fail2ban/filter.d/dovecot.conf file has a failregex with the following:
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
and works with things like:
Month day time hostname dovecot: auth: passwd-file(user@domain.com,IP): unknown user
but with verbosity enabled in Dovecot, this output looks like this:
Month day time hostname dovecot: auth: passwd-file(user@domain.com,IP): unknown user (given password: password)
and in this case it doesn’t work, but it does if we fix the failregex by replacing it with:
^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user( \(given password: \S*\))?\s*$
With this new expression, it works with and without verbosity.
And regarding postfix, to make it work correctly I “backported” some pieces from the newest failregex:
/etc/fail2ban/postfixr-rbl.conf:
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
/etc/fail2ban/postfix.conf: (second failregex)
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 45[04] 4\.7\.1 Client host rejected: cannot find your (reverse )?hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
I can create a patch if you want. Note that I haven’t tested all filters; some others may also need some rework.
Additional info: * fail2ban-0.9.6-2.hyperbola3
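The dovecot failregex change described in this task, run over sample log lines, as an added example that is not part of the original report or of fail2ban. `PREFIX_LINE` and `HOST` are simplified stand-ins (assumptions) for fail2ban's own `%(__prefix_line)s` and `<HOST>` expansions, and the log lines are constructed; the last sample goes beyond the report to show that `\S*` does not cover a password containing a space.

```python
import re

# Simplified stand-ins (assumptions, not fail2ban's real definitions):
# fail2ban takes %(__prefix_line)s from filter.d/common.conf and expands
# <HOST> itself into a host-capturing group.
PREFIX_LINE = r"\S+ +\d+ [\d:]+ \S+ dovecot: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two expressions exactly as quoted in the task.
ORIGINAL = (r"^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): "
            r"(?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$")
PROPOSED = (r"^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): "
            r"(?:pam|passwd-file)\(\S+,<HOST>\): unknown user"
            r"( \(given password: \S*\))?\s*$")

# Constructed sample lines (documentation addresses, made-up users).
SAMPLES = {
    "plain": "Jan 12 10:15:01 mail dovecot: auth: "
             "passwd-file(user@example.com,192.0.2.10): unknown user",
    "verbose": "Jan 12 10:15:05 mail dovecot: auth: "
               "passwd-file(user@example.com,192.0.2.10): unknown user "
               "(given password: hunter2)",
    "worker_verbose": "Jan 12 10:15:09 mail dovecot: auth-worker(4321): "
                      "pam(alice,198.51.100.7): unknown user "
                      "(given password: x1)",
    "verbose_space": "Jan 12 10:15:12 mail dovecot: auth: "
                     "passwd-file(bob@example.com,203.0.113.5): unknown user "
                     "(given password: two words)",
}


def compile_failregex(failregex):
    """Expand the two fail2ban placeholders with the stand-ins above."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX_LINE)
    return re.compile(expanded.replace("<HOST>", HOST))


def matched_host(failregex, line):
    """Return the host a ban would apply to, or None if the line is missed."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def coverage(failregex):
    """Map each sample name to the host extracted from it (None = no match)."""
    return {name: matched_host(failregex, line)
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, rx in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(label)
        for name, host in coverage(rx).items():
            print(f"  {name:15} -> {host}")
```

On an installed system, `fail2ban-regex` run against the real log file and filter file gives the same kind of check with fail2ban's own expansions.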
|
|
Any | Security Issue | Very High | Critical | [gnome-mplayer] [gecko-mediaplayer] [gmtk] remove unsec ... | Closed | |
Task Description
Remove “gnome-mplayer”, “gecko-mediaplayer” and “gmtk”; they are unsecured/abandonware packages (released in 2014). “gecko-mediaplayer” uses the deprecated/unsecured NPAPI[0] and XULRunner[1][2] APIs.
$ pacman -Si gnome-mplayer
Repository : community
Name : gnome-mplayer
Version : 1.0.9-4
Description : A simple MPlayer GUI.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gnomemplayer
Licenses : GPL
Groups : None
Provides : None
Depends On : mplayer dbus-glib libnotify gmtk
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 343.29 KiB
Installed Size : 1461.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:45:38 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature
$ pacman -Si gecko-mediaplayer
Repository : community
Name : gecko-mediaplayer
Version : 1.0.9-3
Description : Browser plugin that uses gnome-mplayer to play media in a web browser.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gecko-mediaplayer
Licenses : GPL
Groups : None
Provides : None
Depends On : gnome-mplayer>=1.0.9 dbus-glib gmtk curl
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 80.92 KiB
Installed Size : 598.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:36:31 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature
$ pacman -Si gmtk
Repository : community
Name : gmtk
Version : 1.0.9-3
Description : Common functions for gnome-mplayer and gecko-mediaplayer.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gmtk
Licenses : GPL
Groups : None
Provides : None
Depends On : glib2 gtk3 dconf
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 73.85 KiB
Installed Size : 246.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:50:49 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature
[0]: https://developer.mozilla.org/en-US/docs/Plugins/Roadmap
[1]: https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html
[2]: https://tracker.debian.org/pkg/xulrunner
|
|
Any | Security Issue | Very High | Critical | [freewrl] remove unsecure "libFreeWRLplugin.so" | Closed | |
Task Description
Remove “libFreeWRLplugin.so”; it uses the deprecated/insecure NPAPI[0] and XULRunner[1][2] APIs.
$ pacman -Si freewrl
Repository : community
Name : freewrl
Version : 1:2.3.3-1
Description : VRML viewer
Architecture : x86_64
URL : http://freewrl.sourceforge.net/
Licenses : GPL
Groups : None
Provides : None
Depends On : java-runtime libxaw glew freeglut curl freetype2 imlib2 sox unzip imagemagick libxml2 ttf-bitstream-vera lesstif js185 glu openal freealut
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 583.49 KiB
Installed Size : 2060.00 KiB
Packager : Sergej Pupykin <pupykin.s+arch@gmail.com>
Build Date : Mon 19 Dec 2016 10:31:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
$ sudo pacman -Ql freewrl
freewrl /usr/
freewrl /usr/bin/
freewrl /usr/bin/freewrl
freewrl /usr/bin/freewrl_msg
freewrl /usr/bin/freewrl_snd
freewrl /usr/include/
freewrl /usr/include/FreeWRLEAI/
freewrl /usr/include/FreeWRLEAI/EAIHeaders.h
freewrl /usr/include/FreeWRLEAI/EAI_C.h
freewrl /usr/include/FreeWRLEAI/GeneratedHeaders.h
freewrl /usr/include/FreeWRLEAI/X3DNode.h
freewrl /usr/include/libFreeWRL.h
freewrl /usr/lib/
freewrl /usr/lib/libFreeWRL.so
freewrl /usr/lib/libFreeWRL.so.2
freewrl /usr/lib/libFreeWRL.so.2.3.3
freewrl /usr/lib/libFreeWRLEAI.so
freewrl /usr/lib/libFreeWRLEAI.so.2
freewrl /usr/lib/libFreeWRLEAI.so.2.3.3
freewrl /usr/lib/mozilla/
freewrl /usr/lib/mozilla/plugins/
freewrl /usr/lib/mozilla/plugins/libFreeWRLplugin.so
freewrl /usr/lib/pkgconfig/
freewrl /usr/lib/pkgconfig/libFreeWRL.pc
freewrl /usr/lib/pkgconfig/libFreeWRLEAI.pc
freewrl /usr/share/
freewrl /usr/share/applications/
freewrl /usr/share/applications/freewrl.desktop
freewrl /usr/share/man/
freewrl /usr/share/man/man1/
freewrl /usr/share/man/man1/freewrl.1.gz
freewrl /usr/share/pixmaps/
freewrl /usr/share/pixmaps/freewrl.png
[0]: https://developer.mozilla.org/en-US/docs/Plugins/Roadmap
[1]: https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html
[2]: https://tracker.debian.org/pkg/xulrunner
|
|
Any | Security Issue | Very High | Critical | [xulrunner] unmaintained and unsupportable | Closed | |
Task Description
Remove “xulrunner”[0][1]; it is an insecure/abandonware package.
$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner
Licenses : MPL GPL LGPL
Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com
Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
[0]: https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html
[1]: https://tracker.debian.org/pkg/xulrunner
|
|
Any | Freedom Issue | Very High | Critical | [cmake-fedora] useful only for non-FSDG distros | Closed | |
Task Description
$ pacman -Si cmake-fedora
Repository : community
Name : cmake-fedora
Version : 2.7.1-3
Description : CMake helper modules for fedora developers
Architecture : any
URL : https://pagure.io/cmake-fedora
Licenses : custom:BSD
Groups : None
Provides : None
Depends On : cmake
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 90.94 KiB
Installed Size : 422.00 KiB
Packager : Felix Yan felixonmars@archlinux.org
Build Date : Mon 17 Apr 2017 06:39:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
|
|
Any | Freedom Issue | Very High | Critical | [cataclysm-dda] uses CC BY-SA for software | Closed | |
Task Description
Cataclysm-DDA contains a problematic license[0][1][2] for software. Uses “Creative Commons Attribution-ShareAlike 3.0 Unported License”.
$ pacman -Si cataclysm-dda
Repository : community
Name : cataclysm-dda
Version : 0.C-3
Description : A post-apocalyptic roguelike.
Architecture : x86_64
URL : http://en.cataclysmdda.com/
Licenses : CCPL:by-sa
Groups : None
Provides : None
Depends On : ncurses lua
Optional Deps : sdl2_image: for tiles
sdl2_ttf: for tiles
freetype2: for tiles
sdl2_mixer: for tiles
Conflicts With : None
Replaces : None
Download Size : 19.33 MiB
Installed Size : 53.32 MiB
Packager : Felix Yan felixonmars@archlinux.org
Build Date : Mon 07 Dec 2015 03:14:02 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature
[0]: https://github.com/CleverRaven/Cataclysm-DDA/blob/master/LICENSE.txt
[1]: https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software
[2]: https://www.gnu.org/licenses/license-list.html#ccbysa
|
|
Any | Security Issue | Very High | Critical | [midori] unmaintained and unsupportable | Closed | |
Task Description
The developer team is discussing the removal of Midori from Debian repositories.
Jeremy Bicha says:
> The final stable release of Midori still uses the unmaintained WebKit1
> instead of webkit2gtk and therefore the browser suffers from numerous
> known security vulnerabilities. Midori now fails to build with vala
> 0.36 which is in Ubuntu 17.10 Alpha and will be in Debian unstable
> once it clears the Debian new queue.
> https://launchpad.net/bugs/1698483 .
See a complete discussion here.
|
|
Any | Security Issue | Very High | Critical | [w3m] unmaintained and unsupportable | Closed | |
Task Description
w3m is unmaintained and unsupportable software; the latest release was 0.5.3 (2011)[0][1][2][3]
$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/
Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot jgc@archlinux.org
Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature
[0]: https://sourceforge.net/projects/w3m/files/w3m/
[1]: https://security.archlinux.org/package/w3m
[2]: https://tracker.debian.org/pkg/w3m
[3]: https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m
|
|
Any | Security Issue | Very High | Critical | [pam] pam_unix2 is orphaned and dead upstream | Closed | |
Task Description
pam_unix2 was removed from Debian Jessie because it’s buggy and unmaintained [0]
It’s included inside the pam package and should be removed since it doesn’t come from an official source. Also, the original upstream FTP directory (ftp://ftp.suse.com/people/kukuk/pam/pam_unix2) has disappeared.
[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628848
$ pacman -Si pam
Repository : core
Name : pam
Version : 1.3.0-1
Description : PAM (Pluggable Authentication Modules) library
Architecture : x86_64
URL : http://linux-pam.org
Licenses : GPL2
Groups : None
Provides : None
Depends On : glibc cracklib libtirpc pambase
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 609.71 KiB
Installed Size : 2980.00 KiB
Packager : Tobias Powalowski tpowa@archlinux.org
Build Date : Thu 09 Jun 2016 02:44:03 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature
$ pacman -Ql pam > pam_fileslist.txt
|
|
Any | Security Issue | Very High | Critical | [wpa_supplicant] vulnerable to KRACK attack | Closed | |
Task Description
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
https://w1.fi/security/2017-1/
Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/
|
|
Any | Freedom Issue | Very High | Critical | [kodi] contains youtube-dl which runs non-free scripts | Closed | |
Task Description
Please replace by avideo, preferably by a release which receives updates so that it can still function within kodi (the non-LTS version).
Replace by LTS version of avideo to follow Hyperbola Packaging Guidelines.
|
|
Any | Security Issue | Very High | Critical | [dillo] enable IPv6, SSL/TLS and threaded DNS support | Closed | |
Task Description
Please move dillo to blacklist. Please enable IPv6, SSL/TLS and threaded DNS support.
1- Arch PKGBUILD problems:
a- does not obtain the source via https
b- not compiled with support for --enable-ipv6 --enable-threaded-dns --enable-ssl
My correction is committed in NAB-packages-community
|
|
Testing | Privacy Issue | Very High | Critical | [abiword] remove AltaVista's Babel Fish translator supp ... | Closed | |
Task Description
Abiword supports the defunct AltaVista’s Babel Fish translator, whose queries are redirected to the main Yahoo! page.
...
build() {
cd $pkgname-$pkgver
./configure --prefix=/usr \
--enable-shared \
--disable-static \
--enable-clipart \
--enable-templates \
--enable-plugins="aiksaurus applix **babelfish** bmp clarisworks collab docbook \
eml epub freetranslation garble gdict gimp goffice grammar \
hancom hrtext iscii kword latex loadbindings mathview mht \
mif mswrite opendocument openwriter openxml opml ots paint \
passepartout pdb pdf presentation psion s5 sdw t602 urldict \
wikipedia wmf wml wordperfect wpg xslfo" \
--enable-introspection
sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
make
}
...
|
|
Any | Feature Request | Very High | High | [linux-libre-*] add missing installed kernel configurat ... | Closed | |
Task Description
Add missing /boot/config-linux-libre-* useful for applications such as Xen.
|
|
Any | Privacy Issue | Very High | Critical | [libreoffice*] contains Google API keys | Closed | |
Task Description
Libreoffice contains Google API keys, which affect privacy.
|
|
Any | Freedom Issue | Very High | Critical | [aarch64-linux-gnu-linux-api-headers] compiles using b ... | Closed | |
Task Description
The aarch64-linux-gnu-linux-api-headers from [community] is compiled using the blobbed Linux kernel sources[0], and in Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1]. This issue is exactly the same as linux-api-headers, so it should be blacklisted and replaced using the Linux-libre source.
[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD
[1] https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662
|
|
Any | Freedom Issue | Very High | Critical | [aarch64-linux-gnu-linux-api-headers] compiles using b ... | Closed | |
Task Description
The aarch64-linux-gnu-linux-api-headers package from [community] compiles using the blobbed Linux kernel source[0], at Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1], since this issue is exactly the same as with linux-api-headers.
The solution is to simply compile using Linux-libre sources.
[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD
[1] https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662
|
|
Any | Security Issue | Very High | Critical | [linux-libre-lts*] Meltdown & Spectre Vulnerability | Closed | |
Task Description
Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.
|
|
Any | Security Issue | Very High | Critical | [libressl] add package as OpenSSL replacement and defau ... | Closed | |
Task Description
LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.
It was forked from the OpenSSL in April 2014 as a response by OpenBSD developers to the Heartbleed security vulnerability in OpenSSL, [4] [5] [6] [7] with the aim of refactoring the OpenSSL code so as to provide a more secure implementation. [8]
As LibreSSL follows the same goals as the Hyperbola Packaging Guidelines in stability and security concerns, it should be the default provider of SSL and TLS protocols for the Hyperbola Project.
|
|
Any | Security Issue | Very High | Critical | [avahi] blacklist package since it's a zeroconf impleme ... | Closed | |
Task Description
Avahi is a zero-configuration networking implementation that contains critical security issues: because mDNS operates under a different trust model than unicast DNS, trusting the entire network rather than a designated DNS server, it is vulnerable to spoofing attacks by any system within the multicast IP range. Like SNMP and many other network management protocols, it can also be used by attackers to quickly gain detailed knowledge of the network and its machines. [0]
Since it violates the Hyperbola Social Contract, Avahi should be blacklisted.
|
|
Any | Security Issue | Very High | Critical | [electrum] JSONRPC vulnerability | Closed | |
Task Description
Our current version is vulnerable
|
|
Any | Privacy Issue | Very High | Critical | [openrc] Google in init.d and conf.d configuration (ne ... | Closed | |
|
|
Any | Security Issue | Very High | Critical | [mupdf] multiple security issues | Closed | |
|
|
Any | Replace Request | Very High | Critical | [dnscrypt-proxy] update package to 2.x following backpo ... | Closed | |
|
|
Any | Feature Request | Very High | High | [kmod] add init file to load kernel modules from /etc f ... | Closed | |
|
|
Any | Feature Request | Very High | High | [procps-ng] add init file to load sysctl configuration ... | Closed | |
|
|
Any | Replace Request | Very High | Critical | [kernel-firmware] split out firmware projects from linu ... | Closed | |
|
|
Any | Bug Report | Very High | High | [android-udev] [MTP] unable to mount Android phone | Closed | |
|
|
Any | Feature Request | Very High | High | [kmod] when dummy.ko is loaded, dummy0 interface is loa ... | Closed | |
|
|
Any | Bug Report | Very High | Low | [filesystem] the hyperbola manual (/usr/share/man/man7/ ... | Closed | |
|
|
Any | Update Request | Very High | Critical | [certbot] update package to support ACMEv2 and Wildcard | Closed | |
|
|
Any | Bug Report | Very High | Critical | [warsow] the package is not compiled from source | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [warsow-data] the package contains nonfree assets (CC B ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [torcs-data] contains nonfree car models | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [vdrift-data] contains nonfree car and track models | Closed | |
|
|
Stable | Bug Report | Very High | Critical | [openrc] Cowardly refusing to concatenate a logfile int ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [warsow] contains Steam support | Closed | |
|
|
Any | Security Issue | Very High | Critical | [xen] multiple security issues: CVE-2018-10472, CVE-201 ... | Closed | |
|
|
Any | Security Issue | Very High | Critical | [wget] - GNU Wget Cookie Injection CVE-2018-0494 | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [rust][cargo] trademark agreement affects user freedom | Closed | |
|
|
Any | Drop Request | Very High | Critical | [cgmanager] unmaintained and unsupportable | Closed | |
|
|
Any | Drop Request | Very High | Critical | [pm-utils] unmaintained and unsupportable | Closed | |
|
|
Any | Security Issue | Very High | Critical | [networkmanager] CVE-2018-1111: DHCP client script code ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [pacman] uses "Linux" term instead of "GNU/Linux" in it ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [xmind] is probably directing users to proprietary soft ... | Closed | |
|
|
Any | Freedom Issue | Very High | Critical | [luminancehdr] depends on non-free qt5-webengine | Closed | |
|