Packages

Please replace by avideo, preferably by a release which receives updates so that it can still function within kodi (the non-LTS version).

Replace by LTS version of avideo to follow Hyperbola Packaging Guidelines.

Require package: android-udev

* Add to /etc/udev/rules.d/51-android.rules

GROUP="uucp"

* Add the user to the group uucp

gpasswd -a username uucp

* Reboot

Package Information

$ pacman -Ql android-udev
android-udev /usr/
android-udev /usr/lib/
android-udev /usr/lib/udev/
android-udev /usr/lib/udev/rules.d/
android-udev /usr/lib/udev/rules.d/51-android.rules

Description:

• The Arch version of Sage-notebook from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign , systemd unit files removal is required. OpenRC init script replacement isn’t possible here because Sage-notebook is using a systemd unit file adapted for users instead of system users.

Additional info:
* package version(s)
* config and/or log files etc.

Repository      : community
Name            : sage-notebook
Version         : 0.13-4
Description     : Browser-based notebook interface for SageMath
Architecture    : any
URL             : http://www.sagemath.org
Licenses        : GPL3
Groups          : None
Provides        : None
Depends On      : sagemath  python2-twisted  python2-flask-oldsessions  python2-flask-openid  python2-flask-autoindex  python2-flask-babel  mathjax
Optional Deps   : python2-pyopenssl: to use the notebook in secure mode
Conflicts With  : None
Replaces        : None
Download Size   : 1625.00 KiB
Installed Size  : 9154.00 KiB
Packager        : Antonio Rojas <arojas@archlinux.org>
Build Date      : Thu 04 May 2017 06:12:28 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

/usr/lib/systemd/user/sage.service is owned by sage-notebook 0.13-4

Steps to reproduce:

• Install package.

Description:

• The Arch version of Motion from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign , systemd unit files removal is required or add OpenRC init scripts to replace it.

Additional info:
* package version(s)
* config and/or log files etc.

Repository      : community
Name            : motion
Version         : 4.0.1-2
Description     : A software motion detector which grabs images from video4linux devices and/or from webcams
Architecture    : x86_64
URL             : http://www.lavrsen.dk/foswiki/bin/view/Motion/WebHome
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : libjpeg  v4l-utils  ffmpeg
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 235.61 KiB
Installed Size  : 923.00 KiB
Packager        : Sergej Pupykin <pupykin.s+arch@gmail.com>
Build Date      : Mon 14 Nov 2016 02:17:55 PM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

/usr/lib/systemd/system/motion.service is owned by motion 4.0.1-2

Steps to reproduce:

• Install package.

Description:

• The Arch version of tinc from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign , systemd unit files removal is required or add OpenRC init scripts to replace it.

Additional info:
* package version(s)
* config and/or log files etc.

Repository      : community
Name            : tinc
Version         : 1.0.31-2
Description     : VPN (Virtual Private Network) daemon
Architecture    : x86_64
URL             : http://www.tinc-vpn.org/
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : lzo  openssl  zlib
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 107.42 KiB
Installed Size  : 194.00 KiB
Packager        : Evangelos Foutras <evangelos@foutrelis.com>
Build Date      : Mon 13 Mar 2017 01:06:11 AM -03
Validated By    : MD5 Sum  SHA-256 Sum  Signature

/usr/lib/systemd/system/tinc.service is owned by tinc 1.0.31-2
/usr/lib/systemd/system/tinc@.service is owned by tinc 1.0.31-2

Steps to reproduce:

• Install package.

Description:

The Arch version of tinc from the snapshot used by Hyperbola comes with systemd support. Since Hyperbola follows the Init Freedom Campaign , systemd unit files removal is required or add OpenRC init scripts to replace it.

Additional info:
* package version(s)
* config and/or log files etc.

Repositorio               : community
Nombre                    : netdata
Versión                   : 1.6.0-3
Descripción               : Real-time performance monitoring, in the greatest possible detail, over the web.
Arquitectura              : x86_64
URL                       : https://github.com/firehol/netdata/wiki
Licencias                 : GPL
Grupos                    : Nada
Provee                    : Nada
Depende de                : libmnl  libnetfilter_acct  zlib
Dependencias opcionales   : nodejs: Webbox plugin
                            lm_sensors: sensors module
En conflicto con          : Nada
Remplaza a                : Nada
Tamaño de la descarga     : 1778,98 KiB
Tamaño de la instalación  : 6515,00 KiB
Encargado                 : Sven-Hendrik Haase <sh@lutzhaase.com>
Fecha de creación         : dom 23 abr 2017 16:24:38 -05
Validado por              : Suma MD5  Suma SHA-256  Firma

community/netdata	/usr/lib/systemd/
community/netdata	/usr/lib/systemd/system/
community/netdata	/usr/lib/systemd/system/netdata.service

Steps to reproduce:

• Install package

Description:

• needs OpenRC init script (bzr serve), like [git] (git-daemon) and [subversion] (svnserve)

Additional info:

• bzr 2.7.0-2

Note: needs a provide: bazaar

Steps to reproduce:

• none

Description:

• Add new a Murmur package capable of working without a graphical user interface. It’s common on servers and embedded devices that requires only interfaces like network (eg. SSH) or serial port to handle services.

Additional info:

• based on murmur 1.2.19-5

Steps to reproduce:

• none

Description:

• Add an Asterisk package capable of working without a graphical user interface. It’s common on servers and embedded devices that requires only interfaces like network (eg. SSH) or serial port to handle services.

Additional info:

• based on asterisk 14.4.0-1

Steps to reproduce:

• none

Remove “gnome-mplayer”, “gecko-mediaplayer” and “gmtk” are unsecured/abandonware packages(released in 2014)
“gecko-mediaplayer” uses deprecated/unsecured NPAPI[0] and XULRunner[1][2] apis

$ pacman -Si gnome-mplayer
Repository : community
Name : gnome-mplayer
Version : 1.0.9-4
Description : A simple MPlayer GUI.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gnomemplayer Licenses : GPL Groups : None
Provides : None
Depends On : mplayer dbus-glib libnotify gmtk
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 343.29 KiB
Installed Size : 1461.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:45:38 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gecko-mediaplayer
Repository : community
Name : gecko-mediaplayer
Version : 1.0.9-3
Description : Browser plugin that uses gnome-mplayer to play media in a web browser.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gecko-mediaplayer Licenses : GPL Groups : None
Provides : None
Depends On : gnome-mplayer>=1.0.9 dbus-glib gmtk curl
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 80.92 KiB
Installed Size : 598.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:36:31 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Si gmtk
Repository : community
Name : gmtk
Version : 1.0.9-3
Description : Common functions for gnome-mplayer and gecko-mediaplayer.
Architecture : x86_64
URL : https://sites.google.com/site/kdekorte2/gmtk Licenses : GPL Groups : None
Provides : None
Depends On : glib2 gtk3 dconf
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 73.85 KiB
Installed Size : 246.00 KiB
Packager : Balló György <ballogyor+arch@gmail.com>
Build Date : Sun 22 Jan 2017 04:50:49 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap [1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [2]:https://tracker.debian.org/pkg/xulrunner

Remove “libFreeWRLplugin.so”, uses deprecated/unsecure NPAPI[0] and XULRunner[1][2] apis

$ pacman -Si freewrl
Repository : community
Name : freewrl
Version : 1:2.3.3-1
Description : VRML viewer
Architecture : x86_64
URL : http://freewrl.sourceforge.net/ Licenses : GPL Groups : None
Provides : None
Depends On : java-runtime libxaw glew freeglut curl freetype2 imlib2 sox unzip imagemagick libxml2 ttf-bitstream-vera lesstif js185 glu openal

                freealut

Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 583.49 KiB
Installed Size : 2060.00 KiB
Packager : Sergej Pupykin <pupykin.s+arch@gmail.com>
Build Date : Mon 19 Dec 2016 10:31:49 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ sudo pacman -Ql freewrl
freewrl /usr/
freewrl /usr/bin/
freewrl /usr/bin/freewrl
freewrl /usr/bin/freewrl_msg
freewrl /usr/bin/freewrl_snd
freewrl /usr/include/
freewrl /usr/include/FreeWRLEAI/
freewrl /usr/include/FreeWRLEAI/EAIHeaders.h
freewrl /usr/include/FreeWRLEAI/EAI_C.h
freewrl /usr/include/FreeWRLEAI/GeneratedHeaders.h
freewrl /usr/include/FreeWRLEAI/X3DNode.h
freewrl /usr/include/libFreeWRL.h
freewrl /usr/lib/
freewrl /usr/lib/libFreeWRL.so
freewrl /usr/lib/libFreeWRL.so.2
freewrl /usr/lib/libFreeWRL.so.2.3.3
freewrl /usr/lib/libFreeWRLEAI.so
freewrl /usr/lib/libFreeWRLEAI.so.2
freewrl /usr/lib/libFreeWRLEAI.so.2.3.3
freewrl /usr/lib/mozilla/
freewrl /usr/lib/mozilla/plugins/
freewrl /usr/lib/mozilla/plugins/libFreeWRLplugin.so
freewrl /usr/lib/pkgconfig/
freewrl /usr/lib/pkgconfig/libFreeWRL.pc
freewrl /usr/lib/pkgconfig/libFreeWRLEAI.pc
freewrl /usr/share/
freewrl /usr/share/applications/
freewrl /usr/share/applications/freewrl.desktop
freewrl /usr/share/man/
freewrl /usr/share/man/man1/
freewrl /usr/share/man/man1/freewrl.1.gz
freewrl /usr/share/pixmaps/
freewrl /usr/share/pixmaps/freewrl.png

[0]:https://developer.mozilla.org/en-US/docs/Plugins/Roadmap [1]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [2]:https://tracker.debian.org/pkg/xulrunner

Remove “xulrunner”[0][1] is unsecure/abandonware package

$ pacman -Si xulrunner
Repository : community
Name : xulrunner
Version : 41.0.2-10
Description : Mozilla Runtime Environment
Architecture : x86_64
URL : http://wiki.mozilla.org/XUL:Xul_Runner Licenses : MPL GPL LGPL Groups : None
Provides : None
Depends On : gtk2 mozilla-common nss>3.18 libxt hunspell startup-notification mime-types dbus-glib libpulse libevent libvpx icu python2
Optional Deps : None
Conflicts With : None
Replaces : xulrunner-oss
Download Size : 47.38 MiB
Installed Size : 171.99 MiB
Packager : Evangelos Foutras evangelos@foutrelis.com Build Date : Wed 26 Apr 2017 03:10:07 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://hearsum.ca/blog/mozilla-will-stop-producing-automated-builds-of-xulrunner-after-the-410-cycle.html [1]:https://tracker.debian.org/pkg/xulrunner

Cataclysm-DDA contains a problematic license[0][1][2] for software.
Uses “Creative Commons Attribution-ShareAlike 3.0 Unported License”.

$ pacman -Si cataclysm-dda
Repository : community
Name : cataclysm-dda
Version : 0.C-3
Description : A post-apocalyptic roguelike.
Architecture : x86_64
URL : http://en.cataclysmdda.com/ Licenses : CCPL:by-sa
Groups : None
Provides : None
Depends On : ncurses lua
Optional Deps : sdl2_image: for tiles

                sdl2_ttf: for tiles
                freetype2: for tiles
                sdl2_mixer: for tiles

Conflicts With : None
Replaces : None
Download Size : 19.33 MiB
Installed Size : 53.32 MiB
Packager : Felix Yan felixonmars@archlinux.org Build Date : Mon 07 Dec 2015 03:14:02 AM -03
Validated By : MD5 Sum SHA-256 Sum Signature

[0]:https://github.com/CleverRaven/Cataclysm-DDA/blob/master/LICENSE.txt [1]:https://creativecommons.org/faq/#can-i-apply-a-creative-commons-license-to-software [2]:https://www.gnu.org/licenses/license-list.html#ccbysa

The developer team is discussing the removal of Midori from Debian repositories.

Jeremy Bicha says:

> The final stable release of Midori still uses the unmaintained WebKit1
> instead of webkit2gtk and therefore the browser suffers from numerous
> known security vulnerabilities. Midori now fails to build with vala
> 0.36 which is in Ubuntu 17.10 Alpha and will be in Debian unstable
> once it clears the Debian new queue.
> https://launchpad.net/bugs/1698483 .

See a complete discussion here.

w3m is an unmaintained and unsuportable software, the latest release was 0.5.3 (2011)[0][1][2][3]

$ pacman -Qi w3m
Name : w3m
Version : 0.5.3.git20170102-2
Description : Text-based Web browser, as well as pager
Architecture : x86_64
URL : http://w3m.sourceforge.net/ Licenses : custom
Groups : None
Provides : None
Depends On : openssl gc ncurses gpm
Optional Deps : imlib2: for graphics support [installed]
Required By : None
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1784.00 KiB
Packager : Jan de Groot jgc@archlinux.org Build Date : Sat 04 Mar 2017 07:12:38 PM -03
Install Date : Tue 12 Sep 2017 03:43:25 AM -03
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature

[0]:https://sourceforge.net/projects/w3m/files/w3m/ [1]:https://security.archlinux.org/package/w3m [2]:https://tracker.debian.org/pkg/w3m [3]:https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/w3m

pam_unix2 was removed from Debian Jessie because it’s buggy and unmaintained [0]

It’s included inside pam package and should be removed since it doesn’t comes from official source. Also the original upstream FTP directory (ftp://ftp.suse.com/people/kukuk/pam/pam_unix2) has disappeared.

[0]:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628848

$ pacman -Si pam
Repository : core
Name : pam
Version : 1.3.0-1
Description : PAM (Pluggable Authentication Modules) library
Architecture : x86_64
URL : http://linux-pam.org Licenses : GPL2
Groups : None
Provides : None
Depends On : glibc cracklib libtirpc pambase
Optional Deps : None
Conflicts With : None
Replaces : None
Download Size : 609.71 KiB
Installed Size : 2980.00 KiB
Packager : Tobias Powalowski tpowa@archlinux.org Build Date : Thu 09 Jun 2016 02:44:03 PM -03
Validated By : MD5 Sum SHA-256 Sum Signature

$ pacman -Ql pam > pam_fileslist.txt

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

https://w1.fi/security/2017-1/

Arch just patched: https://www.archlinux.org/packages/core/i686/wpa_supplicant/

Please move dillo to blacklist. Please enable IPv6, SSL/TLS and threaded DNS support.

1- Arch PKGBUILD problems:

 a- not obtain source via https
 b- not compiled with support --enable-ipv6 --enable-threaded-dns --enable-ssl 

My correction is committed in NAB-packages-community

Abiword supports the defunct AltaVista’s Babel Fish translator which queries are redirected to the main Yahoo! page.

...

build() {
  cd $pkgname-$pkgver
  ./configure --prefix=/usr \
    --enable-shared \
    --disable-static \
    --enable-clipart \
    --enable-templates \
    --enable-plugins="aiksaurus applix **babelfish** bmp clarisworks collab docbook \
                      eml epub freetranslation garble gdict gimp goffice grammar \
                      hancom hrtext iscii kword latex loadbindings mathview mht \
                      mif mswrite opendocument openwriter openxml opml ots paint \
                      passepartout pdb pdf presentation psion s5 sdw t602 urldict \
                      wikipedia wmf wml wordperfect wpg xslfo" \
    --enable-introspection
  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
  make
}

...

Add missing /boot/config-linux-libre-* useful for applications such as Xen.

Libreoffice contains Google API keys which affects privacy.

The aarch64-linux-gnu-linux-api-headers from [community] is compiled using the blobbed Linux kernel sources[0], and in Parabola it has been replaced with aarch64-linux-gnu-linux-libre-api-headers[1].
This issue is exactly the same as linux-api-headers, so it should be blacklisted and replaced using the Linux-libre source.

[0] https://git.archlinux.org/svntogit/community.git/plain/aarch64-linux-gnu-linux-api-headers/trunk/PKGBUILD

[1]https://git.parabola.nu/abslibre.git/commit/?id=acaa4ba9c0bc77deb6b77e4dad815f66c673d662

Multiple CVEs. Unprivileged programs can gain access to a hardware bug in the CPU, and thereby initiate memory dumps and other low-level attacks.

Our current version is vulnerable

/etc/init.d/net-online
-----
Line #62
ping_test_host="${ping_test_host:-google.com}"
_____
/etc/conf.d/net-online
-----
# The default is google.com.