These two options could be enabled :

Kernel hacking → [*] Filter access to /dev/mem
[*] Filter I/O access to /dev/mem

Security options → [*] Restrict unprivileged access to the kernel syslog

https://www.openwall.com/lists/oss-security/2019/12/20/2

“This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow an malicious peer to take control over the software on the other side.”

Description: https://www.openwall.com/lists/oss-security/2020/02/24/5 https://www.bleepingcomputer.com/news/security/new-critical-rce-bug-in-openbsd-smtp-server-threatens-linux-distros/

Qualys Security Advisory

LPE and RCE in OpenSMTPD’s default install (CVE-2020-8794)

in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
OpenSMTPD listens on localhost only, by default, it does accept mail
from local users and delivers it to remote servers. If such a remote
server is controlled by an attacker (either because it is malicious or
compromised, or because of a man-in-the-middle, DNS, or BGP attack --
SMTP is not TLS-encrypted by default), then the attacker can execute
arbitrary shell commands on the vulnerable OpenSMTPD installation.

OpenSMTPD server (which accepts external mail) and send a mail that
creates a bounce. Next, when OpenSMTPD connects back to their mail
server to deliver this bounce, the attacker can exploit OpenSMTPD's
client-side vulnerability. Last, for their shell commands to be
executed, the attacker must (to the best of our knowledge) crash
OpenSMTPD and wait until it is restarted (either manually by an
administrator, or automatically by a system update or reboot).

CVE-2020-5260 has been fixed very recently in Debian, so I thought I would apply this patch. However, I found out that security patches have not been applied for quite a while (I could account for at least 6 CVEs).

Considering that the version in Debian stretch (2.11.0) is the nearest version with security patches released by Debian and that git project oldest supported version is 2.17, I have used patches from Debian stretch to apply on 2.12.2 currently in Milky Way.

But I have the following error on check():

 |  *** prove ***
 |
 |  Test Summary Report
 |  -------------------
 |  t5570-git-daemon.sh                              (Wstat: 256 Tests: 20 Failed: 10)
 |    Failed tests:  3-7, 15-19
 |    Non-zero exit status: 1
 |  t5811-proto-disable-git.sh                       (Wstat: 256 Tests: 26 Failed: 16)
 |    Failed tests:  2-6, 9-11, 15-19, 21-23
 |    Non-zero exit status: 1
 |  Files=769, Tests=14137, 1101 wallclock secs ( 8.08 usr  1.12 sys + 144.48 cusr 63.42 csys = 217.10 CPU)
 |  Result: FAIL
 |  make[1]: *** [Makefile:45: prove] Error 1
 |  make[1]: Leaving directory '/build/git/src/git-2.12.2/t'
 |  make: *** [Makefile:2291: test] Error 2
 |  ==> ERROR: A failure occurred in check().
 |      Aborting...

This does not seem to be related to my change as the current version in Milky Way produces the same error (IOW the package currently in Milky Way is not rebuidable).

https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/

https://9to5linux.com/grub2-boot-failure-issues-fixed-in-debian-and-ubuntu-update-now

This is same issue as on:
https://bugzilla.redhat.com/show_bug.cgi?id=1151273

The paths changed and trying to mount davfs file system defined in /etc/fstab fails with error: unknown file system davfs

To remedy, I made symlink in /sbin to mount.davfs

The transition of paths had to take that in account as many mounted remote disks failed after upgrade.

“appmenu-qt4”[0][2] is a deprecated package (release in 2012)[1] and use qt4 unsupported/non-lts software[3], but “appmenu-qt5” not contains any release source code[2]

$ pacman -Si appmenu-qt4
Repository : community
Name : appmenu-qt4
Version : 0.2.6-1
Description : Export Qt4 applications menus over D-Bus
Architecture : x86_64
URL : https://launchpad.net/appmenu-qt Licenses : GPL Groups : None
Provides : None
Depends On : libdbusmenu-qt4
Optional Deps : None
Conflicts With : appmenu-qt
Replaces : appmenu-qt
Download Size : 16.55 KiB
Installed Size : 48.00 KiB
Packager : Antonio Rojas arojas@archlinux.org Build Date : Tue 28 Feb 2017 05:59:31 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://launchpad.net/appmenu-qt (qt4)
[1]:https://launchpad.net/appmenu-qt/+download [2]:https://launchpad.net/appmenu-qt5 [3]:https://en.wikipedia.org/wiki/Qt_5.6_LTS

Remove unstable “botan” and rename “botan1.10” to “botan-old-stable”[0]

$ pacman -Si botan
Repository      : community
Name            : botan
Version         : 2.1.0-1
Description     : Crypto library written in C++
Architecture    : x86_64
URL             : https://botan.randombit.net/
Licenses        : BSD
Groups          : None
Provides        : None
Depends On      : gcc-libs  sh
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 1816.44 KiB
Installed Size  : 7040.00 KiB
Packager        : Alexander Rødseth <rodseth@gmail.com>
Build Date      : Fri 21 Apr 2017 09:19:27 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

$ pacman -Si botan1.10
Repository      : community
Name            : botan1.10
Version         : 1.10.13-1
Description     : Crypto library written in C++ - old stable branch
Architecture    : x86_64
URL             : http://botan.randombit.net/
Licenses        : BSD
Groups          : None
Provides        : None
Depends On      : gcc-libs  sh
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 1014.98 KiB
Installed Size  : 3734.00 KiB
Packager        : Felix Yan <felixonmars@archlinux.org>
Build Date      : Fri 06 Jan 2017 06:48:59 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

[0]:https://botan.randombit.net/

Replace “devtools” to “artools”[0][1]

[0]:https://github.com/artix-linux/artools [1]:https://git.archlinux.org/devtools.git

Notes: "artools" replaces "devtools" and "archiso"
       without "systemd", but it is not a "libretools" replacement.
       For now, "libretools" needs a "chroot" wrapper to use it.

Since DNSCrypt-Proxy project has been abandoned [0] , DNSCrypt-Proxy 2 [1] should be used as its source replacement, however DNSCrypt-Proxy 2 contains support for unsafe and dangerous for privacy protocols such as Google. [2] [3] [4] Also, it contains Google recommendation and support through its parental control servers and public resolvers lists [5] [6]

Therefore DNSCrypt-Proxy 2 requires be re-forked by us first to follow our social contract.

Since Linux 4.14, the in-tree kernel firmware was dropped[0][1], and Hyperbola uses linux-libre-lts-firmware from 4.9 which still supports that firmware.

However, I’d like to request upgrading to the new libre replacement of linux-firmware.git: linux-libre-firmware[2][3].

This version has no LTS releases (well, firmwares commonly don’t have LTS versions and the in-tree firmware was always the same in post-4.9 generations), but it has the same firmwares as Linux-libre-lts plus some others.

This is the list of firmware files in linux-libre-lts-firmware and its dependencies:

linux-libre-lts-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw

ath9k-htc-firmware
---
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw

openfwwf
---
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw

And here are the firmware files of the new linux-libre-firmware:

linux-libre-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw
/usr/lib/firmware/carl9170-1.fw
/usr/lib/firmware/cis/3CCFEM556.cis
/usr/lib/firmware/cis/3CXEM556.cis
/usr/lib/firmware/cis/COMpad2.cis
/usr/lib/firmware/cis/COMpad4.cis
/usr/lib/firmware/cis/DP83903.cis
/usr/lib/firmware/cis/LA-PCM.cis
/usr/lib/firmware/cis/MT5634ZLX.cis
/usr/lib/firmware/cis/NE2K.cis
/usr/lib/firmware/cis/PCMLM28.cis
/usr/lib/firmware/cis/PE-200.cis
/usr/lib/firmware/cis/PE520.cis
/usr/lib/firmware/cis/RS-COM-2P.cis
/usr/lib/firmware/cis/SW_555_SER.cis
/usr/lib/firmware/cis/SW_7xx_SER.cis
/usr/lib/firmware/cis/SW_8xx_SER.cis
/usr/lib/firmware/cis/tamarack.cis
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
/usr/lib/firmware/isci/isci_firmware.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
/usr/lib/firmware/usbdux_firmware.bin
/usr/lib/firmware/usbduxfast_firmware.bin
/usr/lib/firmware/usbduxsigma_firmware.bin

It has openfwwf and ath9k-htc-firmware included, plus some others. If actual versions of Hyperbola don’t get the update at least consider it for future releases. You can get the new PKGBUILD[4] and its new build dependencies at Parabola’s abslibre.git libre tree[5]

The new dependencies are:

• sh-elf-gcc (which depends on sh-elf-binutils)

• sh-elf-newlib

• arm-linux-gnueabi-gcc (which depends on arm-linux-gnueabi-binutils)

• xtensa-unknown-elf-gcc (already at Hyperbola)

Sources:

[0] https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.14-Migrates-Out-FW
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38923a068c10fc36ca8f596d650d095ce390b85
[2] https://jxself.org/firmware/
[3] https://jxself.org/git/?p=linux-libre-firmware.git
[4] https://git.parabola.nu/abslibre.git/tree/libre/linux-libre-firmware
[5] https://git.parabola.nu/abslibre.git/tree/libre

Updated Note:

Since Linux-libre-firmware contains a lot of independent firmware, tools and assembly projects, it should be built from its official tarball separately and create a group called kernel-firmware to follow the our packaging guidelines. Tools and assembly projects shouldn’t be included in kernel-firmware since those ones are firmware dependencies.

Please, replace avideo-lts with youtube-dl. avideo-lts haven’t seen any updates for almost a year and is probably abandoned. Also Stallman confirmed youtube-dl doesn’t execute any non-free JavaScript, so its inclusion doesn’t go against Social Contract.

Description:

• replace deprecated GNU Bazaar to Brezy for Canis Major

Additional info:

• bzr 2.7.0-2
• GNU Bazaar will be unmaintained (for now, there are only bug fixes)
• GNU Bazaar only supports Python 2.
• Python 2.7 is the end of the Python 2 line of development. [0]
• There never will be an official Python 2.8 release.
• Or use Tauthon (fork of Python 2.7) as dependency.

Note: It needs a provide: bazaar and brezy

Steps to reproduce:

• broken package

Description:

• replace deprecated Python 2 to Tauthon for Canis Major

Additional info:

• python 2.7.14-2.hyperbola1
• Python 2.7 is the end of the Python 2 line of development. [0]
• There never will be an official Python 2.8 release.

Steps to reproduce:

• Broken python2 packages.

What do you think ? Avideo is not updated anymore, can’t we use regular youtube-dl instead as RMS himself say :

“youtube-dl is okay to be in the Directory because it does not actually execute nonfree JS as we first suspected.”

Source : https://directory.fsf.org/wiki/Youtube-dl Also : https://github.com/fent/node-ytdl-core/issues/222

Description: Concurrent package ossp in version 1.3.2-15 has got dependencies to systemd, which is contradicting the whole distribution and the used INIT-system. Therefore my request to port this to OpenRC!

Additional info:
* package version(s) 1.3.2-15

Description: The package spamassassin has no further init-script for OpenRC and instead includes service-definitions for systemd

Additional info:
* package version(s) 3.4.1-7

Description: The package opendkim has no further init-script for OpenRC and instead includes service-definitions for systemd

Additional info:
* package version(s) 2.10.3-4

Description:

I used to be under the
impression that youtube-dl executes proprietary JavaScript, but I now
understand that it only *parses* the JavaScript to find the URL for some
videos. It doesn’t actually run the JavaScript, so it’s not a freedom
issue.

Youtube-dl only executes regular expressions [0][1][2]

you also remove the files that are just for testing [3][4][5][6][7]
and when compiling the program with libretools the test files are not placed[8]

I have consulted with other programmers and we have reached the same conclusion. Youtube-dl does not execute JS non-free, it only extracts the JS to read through python the URL‘s of some videos.[9][10]

The issues that I see with youtube-dl are rather in their form of development because it changes at every moment

Additional info:

- [0]: https://github.com/ytdl-org/youtube-dl/blob/master/youtube_dl/jsinterp.py#L12

- [1]: https://github.com/ytdl-org/youtube-dl/blob/master/youtube_dl/jsinterp.py#L132

- [2]: https://github.com/ytdl-org/youtube-dl/blob/master/youtube_dl/swfinterp.py#L391

- [3]: https://github.com/ytdl-org/youtube-dl/tree/master/test/swftests/

- [4]: https://github.com/ytdl-org/youtube-dl/blob/master/test/test_iqiyi_sdk_interpreter.py

- [5]: https://github.com/ytdl-org/youtube-dl/blob/master/test/test_jsinterp.py

- [6]: https://github.com/ytdl-org/youtube-dl/blob/master/test/test_swfinterp.py

- [7]: https://github.com/ytdl-org/youtube-dl/blob/master/test/test_youtube_signature.py

- [8]:

$ tree -d

.
├── bin
├── lib
│   └── python3.6
│       └── site-packages
│           ├── youtube_dl
│           │   ├── downloader
│           │   │   └── __pycache__
│           │   ├── extractor
│           │   │   └── __pycache__
│           │   ├── postprocessor
│           │   │   └── __pycache__
│           │   └── __pycache__
│           └── youtube_dl-2019.5.11-py3.6.egg-info
└── share
    ├── bash-completion
    │   └── completions
    ├── doc
    │   └── youtube_dl
    ├── fish
    │   └── completions
    ├── licenses
    │   └── youtube-dl
    ├── man
    │   └── man1
    └── zsh
        └── site-functions

26 directories

- [9]: https://directory.fsf.org/wiki/Youtube-dl - [10]: https://github.com/fent/node-ytdl-core/issues/222

Description:

Firejail developers since October 2018 have started building LTS versions of firejail[0], according to Packaging Guidelines we must use LTS versions of the packages if they are available.

Links:

[0]: https://github.com/netblue30/firejail/tree/LTSbase

https://github.com/loh-tar/wpa-cute/releases

I know there are plans to remove NetworkManager. I wondered if we could replace it in 0.4 with Wpa_Cute. seen in the above link.

I haven’t been able to compile it, but it has been updated as recent as 2018 december (stable)

or 2019 january. :)

WPA_GUI doesn’t seem to work well for me, it runs into weird errors when I start it. Long story short, I run into this issue with wpa_supplicant when i do it manually:

https://wiki.archlinux.org/index.php/Wpa_supplicant:

Password-related problems

wpa_supplicant may not work properly if directly passed via stdin particularly long or complex passphrases which include special characters. This may lead to errors such as failed 4-way WPA handshake, PSK may be wrong when launching wpa_supplicant.

In order to solve this try using here strings wpa_passphrase <MYSSID> «< “<passphrase>” or passing a file to the -c flag instead:

# wpa_supplicant -i <interface> -c /etc/wpa_supplicant/example.conf

In some instances it was found that storing the passphrase cleartext in the psk key of the wpa_supplicant.conf network block gave positive results (see [2]). However, this approach is rather insecure. Using wpa_cli to create this file instead of manually writing it gives the best results most of the time and therefore is the recommended way to proceed.
Problems with eduroam and other MSCHAPv2 connections

This is my issue with wpa_supplicant sadly... and I do not know how to workaround that without a GUI.

but Wpa_Supplicant_gui does not fix it either, it doesn’t even load properly on my other laptop.

It says it cannot get the status of wpa_supplicant when I load it.

This could be an issue if you get rid of NetworkManager for some users.

So yeah, please take a look at my request okay? Wait for 0.3 to be released to add this if possible. I know you guys are overworked, etc... and it doesn’t need to be done now anyhow. ;)

Description:

Hi guys, there have been minor changes in firejail, we have also published iceweasel-uxp. Given this case, here I publish the relevant updates of the files.

Description:

Hi guys, there have been minor changes in firetools GUI, we have also published iceweasel-uxp. Given this case, here I publish the relevant updates of the files.

Here are few changes in the third package build release of Midori, according to the commit[1][2]:

• A SearX instance[3] now replaces three default search engines that are non-free network services; because of freedom issues, they were all expunged.
• Fix key buttons on the key bindings to avoid frustration.
• Plug-in seems now disabled by default.

Reference(s):

• [1]: https://git.hostux.net/HarvettFox96/hyperbola-packages-extra/commit/b5b6e0febf72052d8e7db0ef01c52325969221c4/
• [2]: https://git.hostux.net/HarvettFox96/hyperbola-packages-extra/src/commit/b5b6e0febf72052d8e7db0ef01c52325969221c4/midori/
• [3]: https://searx.fmac.xyz/

Bug Report

Tratando proveedor ubicación `geoclue2'...
Usando el proveedor `geoclue2'.
Unable to connect to GeoClue.
Incapaz de obtener localización desde el proveedor.

Package information:

$ pacman -S redshift
Repositorio : community
Nombre : redshift
Versión : 1.11-4.hyperbola1
Descripción : Adjusts the color temperature of your screen according to your surroundings, without geoclue2 support
Arquitectura : x86_64
URL : http://jonls.dk/redshift/ Licencias : GPL3
Grupos : Nada
Provee : Nada
Depende de : libdrm libxcb libxxf86vm
Dependencias opcionales : python-gobject: for redshift-gtk python-xdg: for redshift-gtk librsvg: for redshift-gtk
En conflicto con : Nada
Remplaza a : Nada
Tamaño de la descarga : 107,66 KiB
Tamaño de la instalación : 1004,00 KiB
Encargado : André Silva emulatorman@hyperbola.info Fecha de creación : sáb 17 jun 2017 14:03:43 -05
Validado por : Suma MD5 Suma SHA-256 Firma