Packages

As per a recent discovery, we should check if our deepin is affected by the CNZZ spyware in the AppStore.
https://www.youtube.com/watch?v=v25Dy66AtNI

We also shouldn’t use the AppStore if it exists, due to non-free apps.

Known files:
> usr/share/dbus-1/system-services/com.deepin.daemon.Apps.service
> etc/appstore.json

Description:

community/purple-facebook 0.9.3-1
    Facebook protocol plugin for libpurple

It is up to maintainers to decide of course. IMHO I would remove this one as it uses proprietary network Facebook, exclusively, and even mentioning the word in the package.

See:
https://www.gnu.org/distros/free-system-distribution-guidelines.html

A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so.

Description:
Cutegram is a Telegram client. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si cutegram
Repository      : community
Name            : cutegram
Version         : 2.7.1-3
Description     : A different telegram client from Aseman team
Architecture    : x86_64
URL             : http://aseman.co/en/products/cutegram/
Licenses        : GPL
Groups          : None
Provides        : cutegram
Depends On      : qt5-imageformats  qt5-webkit  telegramqml>=0.9.1  libqtelegram-ae>=3:6.1
Optional Deps   : gst-plugins-bad: audio support
                  gst-plugins-good: audio and notification sound
Conflicts With  : cutegram-git  sigram-git  sigram  cutegram
Replaces        : cutegram-cn
Download Size   : 12.03 MiB
Installed Size  : 17.07 MiB
Packager        : Jiachen Yang <farseerfc@gmail.com>
Build Date      : Mon 25 Jan 2016 05:59:04 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
libqtelegram-ae is Telegram library written in Qt based on telegram-cli code. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si libqtelegram-ae
Repository      : community
Name            : libqtelegram-ae
Version         : 3:6.1-4
Description     : Telegram library written in Qt based on telegram-cli code
Architecture    : x86_64
URL             : https://launchpad.net/libqtelegram
Licenses        : GPL3
Groups          : None
Provides        : None
Depends On      : qt5-base  qt5-multimedia
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 431.27 KiB
Installed Size  : 1999.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Wed 05 Apr 2017 07:16:39 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
TelegramQt is a Telegram binding for Qt. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telegram-qt
Repository      : community
Name            : telegram-qt
Version         : 0.1.0-2
Description     : Qt bindings for the Telegram protocol
Architecture    : x86_64
URL             : https://github.com/Kaffeine/telegram-qt
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : qt5-base
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 204.80 KiB
Installed Size  : 747.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Sat 18 Feb 2017 06:49:55 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
TelegramQML are Telegram API tools for QtQml and Qml. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telegramqml
Repository      : community
Name            : telegramqml
Version         : 0.9.2-2
Description     : Telegram API tools for QtQml and Qml
Architecture    : x86_64
URL             : https://github.com/Aseman-Land/TelegramQML
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : qt5-webkit  qt5-imageformats  qt5-graphicaleffects  qt5-quickcontrols  libqtelegram-ae
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 401.03 KiB
Installed Size  : 1905.00 KiB
Packager        : Jiachen Yang <farseerfc@gmail.com>
Build Date      : Mon 25 Jan 2016 05:46:59 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
Telepathy-Morse is a Qt-based Telegram connection manager for the Telepathy framework. It is free software, however uses Telegram, a nonfree server-side service that requires accounts tied to telephone numbers. It needs go to the blacklist since Hyperbola’s objective is to support privacy of its community.

Additional info:

$ pacman -Si telepathy-morse
Repository      : community
Name            : telepathy-morse
Version         : 0.1.0-1
Description     : Telepathy Connection Manager for the Telegram network
Architecture    : x86_64
URL             : https://github.com/TelepathyQt/telepathy-morse
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : telepathy-qt5  telegram-qt
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 90.80 KiB
Installed Size  : 351.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Fri 16 Sep 2016 11:49:33 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

Description:
telepathy-kde-accounts-kcm contains the telepathy-morse package in its optdepends array. It should be removed since Telepathy-Morse provides support for Telegram, a nonfree server-side service that requires accounts tied to telephone numbers.

Additional info:

$ pacman -Si telepathy-kde-accounts-kcm
Repository      : extra
Name            : telepathy-kde-accounts-kcm
Version         : 17.04.0-1
Description     : KCM Module for configuring Telepathy Instant Messaging Accounts
Architecture    : x86_64
URL             : https://community.kde.org/Real-Time_Communication_and_Collaboration
Licenses        : GPL
Groups          : kde-applications  kdenetwork  telepathy-kde
Provides        : None
Depends On      : telepathy-qt  kaccounts-providers
Optional Deps   : telepathy-gabble: XMPP/Jabber accounts support
                  telepathy-haze: account types supported by Pidgin/libpurple
                  telepathy-morse: Telegram accounts support
                  telepathy-salut: link-local XMPP account support
Conflicts With  : None
Replaces        : None
Download Size   : 334.86 KiB
Installed Size  : 2111.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Sat 15 Apr 2017 06:47:59 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

The current version of BleachBit needs to be adapted so it can clean the new .cache/hyperbola/ directory.

Since DNSCrypt-Proxy project has been abandoned [0] , DNSCrypt-Proxy 2 [1] should be used as its source replacement, however DNSCrypt-Proxy 2 contains support for unsafe and dangerous for privacy protocols such as Google. [2] [3] [4] Also, it contains Google recommendation and support through its parental control servers and public resolvers lists [5] [6]

Therefore DNSCrypt-Proxy 2 requires be re-forked by us first to follow our social contract.

Since Linux 4.14, the in-tree kernel firmware was dropped[0][1], and Hyperbola uses linux-libre-lts-firmware from 4.9 which still supports that firmware.

However, I’d like to request upgrading to the new libre replacement of linux-firmware.git: linux-libre-firmware[2][3].

This version has no LTS releases (well, firmwares commonly don’t have LTS versions and the in-tree firmware was always the same in post-4.9 generations), but it has the same firmwares as Linux-libre-lts plus some others.

This is the list of firmware files in linux-libre-lts-firmware and its dependencies:

linux-libre-lts-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw

ath9k-htc-firmware
---
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw

openfwwf
---
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw

And here are the firmware files of the new linux-libre-firmware:

linux-libre-firmware
---
/usr/lib/firmware/av7110/bootcode.bin
/usr/lib/firmware/b43-open/b0g0bsinitvals5.fw
/usr/lib/firmware/b43-open/b0g0initvals5.fw
/usr/lib/firmware/b43-open/ucode5.fw
/usr/lib/firmware/carl9170-1.fw
/usr/lib/firmware/cis/3CCFEM556.cis
/usr/lib/firmware/cis/3CXEM556.cis
/usr/lib/firmware/cis/COMpad2.cis
/usr/lib/firmware/cis/COMpad4.cis
/usr/lib/firmware/cis/DP83903.cis
/usr/lib/firmware/cis/LA-PCM.cis
/usr/lib/firmware/cis/MT5634ZLX.cis
/usr/lib/firmware/cis/NE2K.cis
/usr/lib/firmware/cis/PCMLM28.cis
/usr/lib/firmware/cis/PE-200.cis
/usr/lib/firmware/cis/PE520.cis
/usr/lib/firmware/cis/RS-COM-2P.cis
/usr/lib/firmware/cis/SW_555_SER.cis
/usr/lib/firmware/cis/SW_7xx_SER.cis
/usr/lib/firmware/cis/SW_8xx_SER.cis
/usr/lib/firmware/cis/tamarack.cis
/usr/lib/firmware/dsp56k/bootstrap.bin
/usr/lib/firmware/htc_7010.fw
/usr/lib/firmware/htc_9271.fw
/usr/lib/firmware/isci/isci_firmware.bin
/usr/lib/firmware/keyspan_pda/keyspan_pda.fw
/usr/lib/firmware/keyspan_pda/xircom_pgs.fw
/usr/lib/firmware/usbdux_firmware.bin
/usr/lib/firmware/usbduxfast_firmware.bin
/usr/lib/firmware/usbduxsigma_firmware.bin

It has openfwwf and ath9k-htc-firmware included, plus some others. If actual versions of Hyperbola don’t get the update at least consider it for future releases. You can get the new PKGBUILD[4] and its new build dependencies at Parabola’s abslibre.git libre tree[5]

The new dependencies are:

• sh-elf-gcc (which depends on sh-elf-binutils)

• sh-elf-newlib

• arm-linux-gnueabi-gcc (which depends on arm-linux-gnueabi-binutils)

• xtensa-unknown-elf-gcc (already at Hyperbola)

Sources:

[0] https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.14-Migrates-Out-FW
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38923a068c10fc36ca8f596d650d095ce390b85
[2] https://jxself.org/firmware/
[3] https://jxself.org/git/?p=linux-libre-firmware.git
[4] https://git.parabola.nu/abslibre.git/tree/libre/linux-libre-firmware
[5] https://git.parabola.nu/abslibre.git/tree/libre

Updated Note:

Since Linux-libre-firmware contains a lot of independent firmware, tools and assembly projects, it should be built from its official tarball separately and create a group called kernel-firmware to follow the our packaging guidelines. Tools and assembly projects shouldn’t be included in kernel-firmware since those ones are firmware dependencies.

Description:

• replace deprecated GNU Bazaar to Brezy for Canis Major

Additional info:

• bzr 2.7.0-2
• GNU Bazaar will be unmaintained (for now, there are only bug fixes)
• GNU Bazaar only supports Python 2.
• Python 2.7 is the end of the Python 2 line of development. [0]
• There never will be an official Python 2.8 release.
• Or use Tauthon (fork of Python 2.7) as dependency.

Note: It needs a provide: bazaar and brezy

Steps to reproduce:

• broken package

Description:

• replace deprecated Python 2 to Tauthon for Canis Major

Additional info:

• python 2.7.14-2.hyperbola1
• Python 2.7 is the end of the Python 2 line of development. [0]
• There never will be an official Python 2.8 release.

Steps to reproduce:

• Broken python2 packages.

Description: The package spamassassin has no further init-script for OpenRC and instead includes service-definitions for systemd

Additional info:
* package version(s) 3.4.1-7

Description: The package opendkim has no further init-script for OpenRC and instead includes service-definitions for systemd

Additional info:
* package version(s) 2.10.3-4

Remove “gnome-mplayer”, “gecko-mediaplayer” and “gmtk” are unsecured/abandonware packages(released in 2014)
“gecko-mediaplayer” uses deprecated/unsecured NPAPI[0] and XULRunner[1][2] apis

$ pacman -Si gnome-mplayer
Repository : community
Name : gnome-mplayer
Version : 1.0.9-4
Description : A simple MPlayer GUI.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gnomemplayer Licenses : GPL Groups : None
Provides : None
Depends On : mplayer dbus-glib libnotify gmtk
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 343.29 KiB
Installed Size : 1461.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:45:38 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gecko-mediaplayer
Repository : community
Name : gecko-mediaplayer
Version : 1.0.9-3
Description : Browser plugin that uses gnome-mplayer to play media in a web browser.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gecko-mediaplayer Licenses : GPL Groups : None
Provides : None
Depends On : gnome-mplayer>=1.0.9 dbus-glib gmtk curl
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 80.92 KiB
Installed Size : 598.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:36:31 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gmtk
Repository : community
Name : gmtk
Version : 1.0.9-3
Description : Common functions for gnome-mplayer and gecko-mediaplayer.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gmtk Licenses : GPL Groups : None
Provides : None
Depends On : glib2 gtk3 dconf
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 73.85 KiB
Installed Size : 246.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:50:49 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap [1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [2]:https://tracker.debian.org/pkg/xulrunner

Remove “libFreeWRLplugin.so”, uses deprecated/unsecure NPAPI[0] and XULRunner[1][2] apis

$ pacman -Si freewrl
Repository : community
Name : freewrl
Version : 1:2.3.3-1
Description : VRML viewer
Architecture : x86_64
URL : http://freewrl.sourceforge.net/ Licenses : GPL Groups : None
Provides : None
Depends On : java-runtime libxaw glew freeglut curl freetype2 imlib2 sox unzip imagemagick libxml2 ttf-bitstream-vera lesstif js185 glu openal

                freealut

Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 583.49 KiB
Installed Size : 2060.00 KiB
Packager : Sergej Pupykin <pupykin.s+arch@gmail.com>
Build Date : Mon 19 Dec 2016 10:31:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ sudo pacman -Ql freewrl
freewrl /usr/
freewrl /usr/bin/
freewrl /usr/bin/freewrl
freewrl /usr/bin/freewrl_msg
freewrl /usr/bin/freewrl_snd
freewrl /usr/include/
freewrl /usr/include/FreeWRLEAI/
freewrl /usr/include/FreeWRLEAI/EAIHeaders.h
freewrl /usr/include/FreeWRLEAI/EAI_C.h
freewrl /usr/include/FreeWRLEAI/GeneratedHeaders.h
freewrl /usr/include/FreeWRLEAI/X3DNode.h
freewrl /usr/include/libFreeWRL.h
freewrl /usr/lib/
freewrl /usr/lib/libFreeWRL.so
freewrl /usr/lib/libFreeWRL.so.2
freewrl /usr/lib/libFreeWRL.so.2.3.3
freewrl /usr/lib/libFreeWRLEAI.so
freewrl /usr/lib/libFreeWRLEAI.so.2
freewrl /usr/lib/libFreeWRLEAI.so.2.3.3
freewrl /usr/lib/mozilla/
freewrl /usr/lib/mozilla/plugins/
freewrl /usr/lib/mozilla/plugins/libFreeWRLplugin.so
freewrl /usr/lib/pkgconfig/
freewrl /usr/lib/pkgconfig/libFreeWRL.pc
freewrl /usr/lib/pkgconfig/libFreeWRLEAI.pc
freewrl /usr/share/
freewrl /usr/share/applications/
freewrl /usr/share/applications/freewrl.desktop
freewrl /usr/share/man/
freewrl /usr/share/man/man1/
freewrl /usr/share/man/man1/freewrl.1.gz
freewrl /usr/share/pixmaps/
freewrl /usr/share/pixmaps/freewrl.png

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap [1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [2]:https://tracker.debian.org/pkg/xulrunner

Remove “xulrunner”[0][1] is unsecure/abandonware package

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner Licenses : MPL GPL LGPL Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [1]:https://tracker.debian.org/pkg/xulrunner

The developer team is discussing the removal of Midori from Debian repositories.

Jeremy Bicha says:

> The final stable release of Midori still uses the unmaintained WebKit1
> instead of webkit2gtk and therefore the browser suffers from numerous
> known security vulnerabilities. Midori now fails to build with vala
> 0.36 which is in Ubuntu 17.10 Alpha and will be in Debian unstable
> once it clears the Debian new queue.
> https://launchpad.net/bugs/1698483 .

See a complete discussion here.

w3m is an unmaintained and unsuportable software, the latest release was 0.5.3 (2011)[0][1][2][3]

$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/ Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot jgc@archlinux.org Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature

[0]:https://sourceforge.net/projects/w3m/files/w3m/ [1]:https://security.archlinux.org/package/w3m [2]:https://tracker.debian.org/pkg/w3m [3]:https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m

pam_unix2 was removed from Debian Jessie because it’s buggy and unmaintained [0]

It’s included inside pam package and should be removed since it doesn’t comes from official source. Also the original upstream FTP directory (ftp://ftp.suse.com/people/kukuk/pam/pam_unix2) has disappeared.

[0]:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628848

$ pacman -Si pam
Repository : core
Name : pam
Version : 1.3.0-1
Description : PAM (Pluggable Authentication Modules) library
Architecture : x86_64
URL : http://linux-pam.org Licenses : GPL2
Groups : None
Provides : None
Depends On : glibc cracklib libtirpc pambase
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 609.71 KiB
Installed Size : 2980.00 KiB
Packager : Tobias Powalowski tpowa@archlinux.org Build Date : Thu 09 Jun 2016 02:44:03 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Ql pam > pam_fileslist.txt

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

Please move dillo to blacklist. Please enable IPv6, SSL/TLS and threaded DNS support.

1- Arch PKGBUILD problems:

 a- not obtain source via https
 b- not compiled with support --enable-ipv6 --enable-threaded-dns --enable-ssl 

My correction is committed in NAB-packages-community

Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.

LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014, with goals of modernizing the codebase, improving security, and applying best practice development processes.

It was forked from the OpenSSL in April 2014 as a response by OpenBSD developers to the Heartbleed security vulnerability in OpenSSL, [4] [5] [6] [7] with the aim of refactoring the OpenSSL code so as to provide a more secure implementation. [8]

As LibreSSL follow the same goals than Hyperbola Packaging Guidelines in stability and security concerns, it should be the default provider of SSL and TLS protocols for Hyperbola Project.