From lukeshu at sbcglobal.net Thu Jun 4 03:06:05 2015
From: lukeshu at sbcglobal.net (Luke Shumaker)
Date: Wed, 03 Jun 2015 21:06:05 -0600
Subject: [Dev] [Urgent] Mirroring Policy
In-Reply-To: <877frojq04.fsf@endefensadelsl.org>
References: <20150530203353.7d78c7f65afdea643a3f979d@hacari.org>
 <871thxu6g2.wl-lukeshu@sbcglobal.net>
 <87h9qslv0n.fsf@endefensadelsl.org>
 <556B2577.1050904@t67.eu>
 <87d21gjq20.fsf@endefensadelsl.org>
 <87a8wkjq0p.fsf@endefensadelsl.org>
 <877frojq04.fsf@endefensadelsl.org>
Message-ID: <87mw0gmaua.wl-lukeshu@sbcglobal.net>

On Sun, 31 May 2015 17:17:47 -0600,
Nicolás Reynolds wrote:
> Nicolás Reynolds writes:
>
> > Nicolás Reynolds writes:
> >
> >> Joseph Graham writes:
> >>>
> >>> Best solution:
> >>>
> >>> Get rid of all parabola mirrors. Modify the repo database format to
> >>> include whether it's an unmodified arch package or not. Include arch
> >>> mirrorlist. Make a pacman plugin which fetches the package from arch
> >>> mirrors if it's an arch package or our server if it's just a Parabola
> >>> package.

There's no modification needed for that, if $filename =~
/(core|extra|community)/*.pkg.* , then an Arch mirror is fine.
Otherwise it's not.

If you want to know at the pool level, files in the "packages" and
"community" pools are unmodified from Arch, the "parabola" pool is the
only one with our files.

> >> but this and probably my proposal would collide with FSDG requirement
> >> of self-hosting.

We could have an hackyrepo.parabola.nu that does a 301 to an Arch
mirror for Arch packages. The main repo would still serve the files.

Or a load-balancing repomirror.parabola.nu could include Arch mirrors
for files from Arch. That's the best option I think.

Which reminds me of my desire that nginx have the ability to turn
symlinks into 302 requests iff the target is in the web root.
-- 
Happy hacking,
~ Luke Shumaker

From nobody at parabola.nu Fri Jun 5 15:13:23 2015
From: nobody at parabola.nu (Parabola Website Notification)
Date: Fri, 05 Jun 2015 15:13:23 -0000
Subject: [Dev] Orphan Libre package [apache-ant] marked out-of-date
Message-ID: <20150605151323.540.84289@parabola.nu>

emulatorman at riseup.net wants to notify you that the following packages may be out-of-date:

* apache-ant 1.9.4-3.parabola1 [libre] (any): https://parabolagnulinux.org/packages/libre/any/apache-ant/

The user provided the following additional text:

new upstream version request (1.9.5)

From joseph at t67.eu Sat Jun 6 14:05:07 2015
From: joseph at t67.eu (Joseph Graham)
Date: Sat, 06 Jun 2015 15:05:07 +0100
Subject: [Dev] Why don't we use a proper certificate?
Message-ID: <5572FE13.3070908@t67.eu>

Please upgrade to a proper cert, CaCert is even less secure than a
commercial cert provider and they keys are not included in most browsers.

From mtjm at mtjm.eu Sat Jun 6 14:38:10 2015
From: mtjm at mtjm.eu (Michał Masłowski)
Date: Sat, 06 Jun 2015 16:38:10 +0200
Subject: [Dev] Why don't we use a proper certificate?
In-Reply-To: <5572FE13.3070908@t67.eu> (Joseph Graham's message of "Sat, 06 Jun 2015 15:05:07 +0100")
References: <5572FE13.3070908@t67.eu>
Message-ID: <87twuk7vhp.fsf@elros.vpn.mtjm.eu>

> Please upgrade to a proper cert, CaCert is even less secure than a
> commercial cert provider and they keys are not included in most browsers.

Please document upgrade procedure, what certificates and for how much
money we need.
From isacdaavid at isacdaavid.info Sat Jun 6 19:35:04 2015
From: isacdaavid at isacdaavid.info (Isaac David)
Date: Sat, 06 Jun 2015 14:35:04 -0500
Subject: [Dev] Why don't we use a proper certificate?
In-Reply-To: <87twuk7vhp.fsf@elros.vpn.mtjm.eu>
References: <5572FE13.3070908@t67.eu>
Message-ID: <1433619304.5006.0@plebeian.isacdaavid.info>

It would be better to wait a bit more for the arrival of Let's Encrypt.
It's a new certificate authority backed by the EFF and Mozilla that
aims to increase the use of encryption by providing gratis automated
certificates through free software tools. It is not clear yet whether
their certificates will support subdomain wildcards, but they say they
will at least support Subject Alternative Names. I think that will
suffice for Parabola and its subdomains.

On Sat, 6 June 2015 at 9:38, Michał Masłowski wrote:
>> Please upgrade to a proper cert, CaCert is even less secure than a
>> commercial cert provider and they keys are not included in most
>> browsers.
>
> Please document upgrade procedure, what certificates and for how much
> money we need.
> _______________________________________________
> Dev mailing list
> Dev at lists.parabola.nu
> https://lists.parabola.nu/mailman/listinfo/dev

From fabio at pesari.eu Sat Jun 6 19:45:26 2015
From: fabio at pesari.eu (Fabio Pesari)
Date: Sat, 06 Jun 2015 21:45:26 +0200
Subject: [Dev] Why don't we use a proper certificate?
In-Reply-To: <1433619304.5006.0@plebeian.isacdaavid.info>
References: <5572FE13.3070908@t67.eu>
 <1433619304.5006.0@plebeian.isacdaavid.info>
Message-ID: <55734DD6.20406@pesari.eu>

On 06/06/2015 09:35 PM, Isaac David wrote:
> It would be better to wait a bit more for the arrival of Let's Encrypt.
> It's a new certificate authority backed by the EFF and Mozilla that
> aims to increase the use of encryption by providing gratis automated
> certificates through free software tools. It is not clear yet whether
> their certificates will support subdomain wildcards, but they say they
> will at least support Subject Alternative Names. I think that will
> suffice for Parabola and its subdomains.

I agree - we actually already had this discussion on this list a while
ago, and back then we reached the same conclusion.

From joseph at t67.eu Sat Jun 6 19:47:59 2015
From: joseph at t67.eu (Joseph Graham)
Date: Sat, 06 Jun 2015 20:47:59 +0100
Subject: [Dev] Why don't we use a proper certificate?
In-Reply-To: <55734DD6.20406@pesari.eu>
References: <5572FE13.3070908@t67.eu>
 <1433619304.5006.0@plebeian.isacdaavid.info>
 <55734DD6.20406@pesari.eu>
Message-ID: <55734E6F.2020401@t67.eu>

On 06/06/15 20:45, Fabio Pesari wrote:
> On 06/06/2015 09:35 PM, Isaac David wrote:
>> It would be better to wait a bit more for the arrival of Let's Encrypt.
>> It's a new certificate authority backed by the EFF and Mozilla that
>> aims to increase the use of encryption by providing gratis automated
>> certificates through free software tools. It is not clear yet whether
>> their certificates will support subdomain wildcards, but they say they
>> will at least support Subject Alternative Names. I think that will
>> suffice for Parabola and its subdomains.
>
> I agree - we actually already had this discussion on this list a while
> ago, and back then we reached the same conclusion.
>

Oh
From lukeshu at sbcglobal.net Sat Jun 6 19:48:54 2015
From: lukeshu at sbcglobal.net (Luke Shumaker)
Date: Sat, 06 Jun 2015 13:48:54 -0600
Subject: [Dev] Why don't we use a proper certificate?
In-Reply-To: <5572FE13.3070908@t67.eu>
References: <5572FE13.3070908@t67.eu>
Message-ID: <87eglomxcp.wl-lukeshu@sbcglobal.net>

On Sat, 06 Jun 2015 08:05:07 -0600,
Joseph Graham wrote:
>
> Please upgrade to a proper cert, CaCert is even less secure than a
> commercial cert provider and they keys are not included in most browsers.

When Parabola adopted CAcert as our CA, it was trusted by most major
distros. It is trusted by Arch Linux today (though when Debian dropped
CAcert, Arch briefly followed suit), where most of our new users come
from^[citation-needed].

CAcert has not been properly audited (the reason for exclusion by
Mozilla), but that does not mean that they are entirely less secure.
We have seen major breaches by "commercial cert provider[s]";
CNNIC/MCS (2015), India's NIC (2014), Comodo (2011). These breaches
all come from a mis-behaving intermediate CA. CAcert is its own
intermediate CA; this type of breach cannot happen to CAcert. The lack
of an audit means that fewer things are provable about the security,
not that it is necessarily less secure.

Even if CAcert were verifiably less secure, we would still be
interested in using them. They are the only community run CA--as I'm
sure you have realized, community is highly valued by Parabola. While
we are pleased with the IETF's recent push towards "use TLS for all
the things", it has created more centralization on a few root CAs,
whose dominance raises the barrier for entry to participating on the
WWW as a publisher. Even StartSSL, who provides gratis personal-use
certificates, charges for revocations; undermining the point. We need
a community CA, and right now CAcert is the only one.

That said, we do plan on getting certs from Let's Encrypt when they
become available ("Mid-2015"). Let's Encrypt certs will be recognized
by most browsers and operating systems. Though not entirely
community-run, they have engaged and involved the community, and are
producing free software to make it possible to operate an auditable
and secure CA--a boon for everyone.

-- 
Happy hacking,
~ Luke Shumaker

From fauno at endefensadelsl.org Sun Jun 7 15:57:54 2015
From: fauno at endefensadelsl.org (fauno)
Date: Sun, 07 Jun 2015 12:57:54 -0300
Subject: [Dev] error in repo while cleaning up
Message-ID: <87r3pnqznh.fsf@endefensadelsl.org>

it seems there're faulty symlinks on the iso dir

-- 
P)

-------------------- Start of forwarded message --------------------
From: "(Cron Daemon)"
Auto-Submitted: auto-generated
Date: Sun, 7 Jun 2015 14:20:32 +0100 (BST)
Subject: [Maintenance] Cron /usr/bin/cronic bash -c '/home/repo/dbscripts/db-cleanup 2>&1'

Cronic detected failure or error output for the command:
bash -c /home/repo/dbscripts/db-cleanup 2>&1

RESULT CODE: 1

ERROR OUTPUT:

STANDARD OUTPUT:
[snip]
Removing dead symlinks:
find: `/srv/repo/main/iso/2015.02.28/2015.05.01': Too many levels of symbolic links
/srv/repo/main/kernels/os/i686/linux-libre-pae-headers-4.0.4_gnu-1-i686.pkg.tar.xz.sig
[snip}
==> ERROR: An unknown error has occurred. Exiting...

_______________________________________________
Maintenance mailing list
Maintenance at lists.parabola.nu
https://lists.parabola.nu/mailman/listinfo/maintenance
-------------------- End of forwarded message --------------------
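
An added example, not part of the forwarded message and not Parabola's db-cleanup code: one way for a cleanup pass to separate dangling links (safe to remove) from looping ones such as the `2015.05.01` path in the cron output, by checking errno instead of aborting on the first failure. The function names and the layout in `build_sample_tree` are constructed for illustration; a self-referential link stands in for the real one, whose target the message does not show.

```python
"""Classify symlinks under a repo root as dead or looping, without aborting."""
import errno
import os
import tempfile


def classify_symlinks(root):
    """Return {'dead': [...], 'loop': [...], 'error': [...]}, paths relative to root.

    The walk never follows symlinks, so a loop cannot trap the traversal
    itself; each link is resolved on its own with os.stat().
    """
    report = {"dead": [], "loop": [], "error": []}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            rel = os.path.relpath(path, root)
            try:
                os.stat(path)  # follows the whole link chain
            except OSError as exc:
                if exc.errno in (errno.ENOENT, errno.ENOTDIR):
                    report["dead"].append(rel)   # target no longer exists
                elif exc.errno == errno.ELOOP:
                    report["loop"].append(rel)   # "Too many levels of symbolic links"
                else:
                    report["error"].append(rel)  # e.g. EACCES: leave for an operator
    for bucket in report.values():
        bucket.sort()
    return report


def remove_dead_symlinks(root, dry_run=True):
    """Unlink only dead links; loops and other errors are reported, not touched.

    os.unlink() removes the link itself and never follows it, so a link
    whose target reappears between the check and the unlink cannot cause
    the target to be deleted.
    """
    report = classify_symlinks(root)
    if not dry_run:
        for rel in report["dead"]:
            os.unlink(os.path.join(root, rel))
    return report


def build_sample_tree(root):
    """Constructed layout, loosely modelled on the paths in the cron output."""
    iso = os.path.join(root, "iso")
    pool = os.path.join(root, "pool")
    os.makedirs(os.path.join(iso, "2015.02.28"))
    os.makedirs(pool)
    open(os.path.join(pool, "real.pkg.tar.xz"), "w").close()
    # Healthy link: target exists.
    os.symlink("../pool/real.pkg.tar.xz", os.path.join(iso, "ok.pkg.tar.xz"))
    # Dead link: target was removed from the pool.
    os.symlink("../pool/gone.pkg.tar.xz", os.path.join(iso, "gone.pkg.tar.xz"))
    # Looping link: points at itself, so resolution fails with ELOOP.
    os.symlink("2015.05.01", os.path.join(iso, "2015.02.28", "2015.05.01"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = remove_dead_symlinks(tmp, dry_run=False)
        for kind, paths in result.items():
            print(kind, paths)
```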
From lukeshu at sbcglobal.net Mon Jun 8 03:19:48 2015
From: lukeshu at sbcglobal.net (Luke Shumaker)
Date: Sun, 07 Jun 2015 21:19:48 -0600
Subject: [Dev] libretools 20150607 release announcement
Message-ID: <878ubunay3.wl-lukeshu@sbcglobal.net>

I just released libretools 20150607 to [libre]. It principally does
two things:
 1. Fixes bugs
 2. Removes old code

Changes from 20150526 to 20150607:

 * libremessages:flag: An argument that would be interpreted as a
   flag that ends with a colon is now interpreted as a sub-heading.
 * librexgettext: Support the changes to libremessages:flag above, as
   well as the changes introduced in v20150526.
 * librefetch: Correctly generate .sig files with GPG, instead of
   trying to use makepkg to make a tarball.
   https://labs.parabola.nu/issues/732
 * xbs-abs: Fix the error message when checking for unconfigured
   variables.
 * Remove treepkg and the fullpkg suite. They have been deprecated in
   favor of dagpkg

Things removed from 20150526 to 20150607:

 * Remove the `toru` tool; its functionality has been replaced by
   `toru-path` and `toru-where`. `toru` used plain-text caches,
   `toru-path` and `toru-where` use a much faster Tokyo Cabinet cache.
 * Remove the mips64el-tools (the libretools-mips64el package). We
   dropped MIPS support a while ago.

I'd especially appreciate contributions of unit tests for toru and
dagpkg.

-- 
Happy hacking,
~ Luke Shumaker

From fauno at endefensadelsl.org Mon Jun 8 04:01:42 2015
From: fauno at endefensadelsl.org (Nicolás Reynolds)
Date: Mon, 08 Jun 2015 01:01:42 -0300
Subject: [Dev] libretools 20150607 release announcement
In-Reply-To: <878ubunay3.wl-lukeshu@sbcglobal.net>
References: <878ubunay3.wl-lukeshu@sbcglobal.net>
Message-ID: <87k2veq255.fsf@endefensadelsl.org>

Luke Shumaker writes:

> I'd especially appreciate contributions of unit tests for toru and
> dagpkg.

are these adapted to use libremakepkg when needed?

-- 
:>

From lukeshu at sbcglobal.net Mon Jun 8 05:47:28 2015
From: lukeshu at sbcglobal.net (Luke Shumaker)
Date: Sun, 07 Jun 2015 23:47:28 -0600
Subject: [Dev] libretools 20150607 release announcement
In-Reply-To: <87k2veq255.fsf@endefensadelsl.org>
References: <878ubunay3.wl-lukeshu@sbcglobal.net>
 <87k2veq255.fsf@endefensadelsl.org>
Message-ID: <87616yn43z.wl-lukeshu@sbcglobal.net>

On Sun, 07 Jun 2015 22:01:42 -0600,
Nicolás Reynolds wrote:
> Luke Shumaker writes:
>
> > I'd especially appreciate contributions of unit tests for toru and
> > dagpkg.
>
> are these adapted to use libremakepkg when needed?

Yes. dagpkg runs libretools.conf:FULLBUILDCMD which is 'sudo
libremakepkg' by default. So right there there's a way to do a
light-weight shim.

Tests may use librechroot/libremakepkg fairly freely, provided that
you:
 1. use `testsudo` instead of normal `sudo`
 2. put `_after_sudo` in the test file's `after()` function
 3. put `_setup_chrootdir` in the test file
 4. set up $XDG_CONFIG_HOME/libretools/chroot.conf for your test. The
    appropriate value for CHROOTDIR is available in the '$chrootdir'
    variable after _setup_chrootdir has been run.

See librechroot-test.sh and libremakepkg-test.sh for examples.

-- 
Happy hacking,
~ Luke Shumaker

From fauno at endefensadelsl.org Mon Jun 8 13:23:07 2015
From: fauno at endefensadelsl.org (Nicolás Reynolds)
Date: Mon, 08 Jun 2015 10:23:07 -0300
Subject: [Dev] libretools 20150607 release announcement
In-Reply-To: <878ubunay3.wl-lukeshu@sbcglobal.net>
References: <878ubunay3.wl-lukeshu@sbcglobal.net>
Message-ID: <87eglmpc5g.fsf@endefensadelsl.org>

Luke Shumaker writes:

> I just released libretools 20150607 to [libre]. It principally does
> two things:
>  1. Fixes bugs
>  2.
> Removes old code

related: are you planning something for abslibre and aur4?

-- 
http://partidopirata.com.ar

From lukeshu at sbcglobal.net Mon Jun 8 18:33:52 2015
From: lukeshu at sbcglobal.net (Luke Shumaker)
Date: Mon, 08 Jun 2015 12:33:52 -0600
Subject: [Dev] libretools 20150607 release announcement
In-Reply-To: <87eglmpc5g.fsf@endefensadelsl.org>
References: <878ubunay3.wl-lukeshu@sbcglobal.net>
 <87eglmpc5g.fsf@endefensadelsl.org>
Message-ID: <873822m4mn.wl-lukeshu@sbcglobal.net>

On Mon, 08 Jun 2015 07:23:07 -0600,
Nicolás Reynolds wrote:
> Luke Shumaker writes:
>
> > I just released libretools 20150607 to [libre]. It principally does
> > two things:
> >  1. Fixes bugs
> >  2. Removes old code
>
> related: are you planning something for abslibre and aur4?

Yes and no. What I've been working toward is having everything use
XBS, so we can get a lot more flexibility for free. One would just
need to write a /lib/xbs/helper-aur4 to get AUR4 support in all of the
tools. But I was already working on that.

I haven't spent a bunch of time looking at AUR4 (though congrats to
Lukas--he's been doing a bunch of exciting things with the AUR
software). However, it looks like if we ever roll out PBS, the
structure is similar enough that integrating with AUR will become a
lot nicer.
-- 
Happy hacking,
~ Luke Shumaker

From tct at ceata.org Tue Jun 9 23:01:05 2015
From: tct at ceata.org (Tiberiu-Cezar Tehnoetic)
Date: Wed, 10 Jun 2015 02:01:05 +0300
Subject: [Dev] [donations] [due 2016-06-12] delegate's succession
In-Reply-To: <87d21jm2qq.fsf@endefensadelsl.org>
References: <87d21jm2qq.fsf@endefensadelsl.org>
Message-ID: <55777031.7050409@ceata.org>

Hi,

On 30.05.2015 01:35, fauno wrote:
> the modifications we discussed in this list are in this pad[^0]

Last week I've been asked to comment on the modifications and so I did
just now.

> [^0]: https://pad.partidopirata.com.ar/p/Ceata+Parabola

Thanks for the good work, looking forward for the final proposal.

-- 
Tiberiu-Cezar Tehnoetic | President, Fundația Ceata
GPG: 900CECE2 | Tel: +40-761-810-100
Do you support the freedom of the arts and technologies? Sign up as a member:
http://ceata.org/inscrieri

From tct at ceata.org Tue Jun 9 23:07:26 2015
From: tct at ceata.org (Tiberiu-Cezar Tehnoetic)
Date: Wed, 10 Jun 2015 02:07:26 +0300
Subject: [Dev] Mailing list for Romanian-speaking Parabola user community ?
Message-ID: <557771AE.5090704@ceata.org>

Hi,

Would you agree to add an official user mailing list for the growing
Romanian-speaking Parabola community?

https://lists.parabola.nu/mailman/listinfo

We already have an official Trisquel forum in Romanian:

http://trisquel.info/en/forum/trisquel-utilizatori

Thanks in advance for considering this. However, please feel free to
reject this proposal if it's not according to your policy to have user
mailing lists in different languages or don't think it's a good idea.
This proposal is *not* related to Ceata/Parabola fiscal sponsorship
contract.

-- 
Tiberiu-Cezar Tehnoetic | President, Fundația Ceata
GPG: 900CECE2 | Tel: +40-761-810-100
Do you support the freedom of the arts and technologies?
Sign up as a member: http://ceata.org/inscrieri

From fauno at endefensadelsl.org Tue Jun 9 23:29:30 2015
From: fauno at endefensadelsl.org (Nicolás Reynolds)
Date: Tue, 09 Jun 2015 20:29:30 -0300
Subject: [Dev] Mailing list for Romanian-speaking Parabola user community ?
In-Reply-To: <557771AE.5090704@ceata.org>
References: <557771AE.5090704@ceata.org>
Message-ID: <87ioawmpet.fsf@endefensadelsl.org>

Tiberiu-Cezar Tehnoetic writes:

> Hi,
>
> Would you agree to add an official user mailing list for the growing
> Romanian-speaking Parabola community?
>
> https://lists.parabola.nu/mailman/listinfo
>
> We already have an official Trisquel forum in Romanian:
>
> http://trisquel.info/en/forum/trisquel-utilizatori
>
> Thanks in advance for considering this. However, please feel free to
> reject this proposal if it's not according to your policy to have user
> mailing lists in different languages or don't think it's a good idea.
> This proposal is *not* related to Ceata/Parabola fiscal sponsorship
> contract.

the language policy on the irc channel is to let people communicate in
the language they want, though we never discussed this for mailing
lists.

-- 
P)
From nobody at parabola.nu Thu Jun 11 06:50:40 2015
From: nobody at parabola.nu (Parabola Website Notification)
Date: Thu, 11 Jun 2015 06:50:40 -0000
Subject: [Dev] Orphan Libre package [handbrake] marked out-of-date
Message-ID: <20150611065040.539.3616@parabola.nu>

alessi at robertalessi.net wants to notify you that the following packages may be out-of-date:

* handbrake 0.10.1-2.parabola1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/handbrake/
* handbrake 0.10.1-2.parabola1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/handbrake/
* handbrake-cli 0.10.1-2.parabola1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/handbrake-cli/
* handbrake-cli 0.10.1-2.parabola1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/handbrake-cli/

The user provided the following additional text:

Needs to be recompiled with x265 1.7-1. Thanks.

From fauno at endefensadelsl.org Thu Jun 11 17:01:37 2015
From: fauno at endefensadelsl.org (Nicolás Reynolds)
Date: Thu, 11 Jun 2015 14:01:37 -0300
Subject: [Dev] [donations] [due 2016-06-12] delegate's succession
In-Reply-To: <55777031.7050409@ceata.org>
References: <87d21jm2qq.fsf@endefensadelsl.org>
 <55777031.7050409@ceata.org>
Message-ID: <87twuei3gu.fsf@endefensadelsl.org>

Tiberiu-Cezar Tehnoetic writes:

> Hi,
>
> On 30.05.2015 01:35, fauno wrote:
>> the modifications we discussed in this list are in this pad[^0]
>
> Last week I've been asked to comment on the modifications and so I did
> just now.
>
>> [^0]: https://pad.partidopirata.com.ar/p/Ceata+Parabola
>
> Thanks for the good work, looking forward for the final proposal.

thanks!

hellekin: can you write what you were thinking on due delivery? (line
#92)

hellekin: about the fsf incorporation data, we're waiting for
confirmation on fsf's side, correct?

everybody: i drafted something on the delegate's succession article
(line #209), please review :)

-- 
D

From dikasetyaprayogi at gmail.com Thu Jun 11 23:19:29 2015
From: dikasetyaprayogi at gmail.com (Dika Setya Prayogi)
Date: Fri, 12 Jun 2015 06:19:29 +0700
Subject: [Dev] hi all
Message-ID:

hi all, I'm a new member :-)

From dikasetyaprayogi at gmail.com Thu Jun 11 23:21:36 2015
From: dikasetyaprayogi at gmail.com (Dika Setya Prayogi)
Date: Fri, 12 Jun 2015 06:21:36 +0700
Subject: [Dev] ask
Message-ID:

how is parabola now, is everyone still developing it?

From lukeshu at sbcglobal.net Mon Jun 15 04:08:17 2015
From: lukeshu at sbcglobal.net (Luke Shumaker)
Date: Sun, 14 Jun 2015 22:08:17 -0600
Subject: [Dev] ask
In-Reply-To:
References:
Message-ID: <87h9q9sjf2.wl-lukeshu@sbcglobal.net>

On Thu, 11 Jun 2015 17:21:36 -0600,
Dika Setya Prayogi wrote:
>
> how is parabola now, is everyone still developing it?

Parabola is well, yes we still actively develop it. Most of the
community-type discussion happens on IRC; join us on #parabola on
Freenode.

-- 
Happy hacking,
~ Luke Shumaker

From lukeshu at sbcglobal.net Tue Jun 16 04:53:51 2015
From: lukeshu at sbcglobal.net (Luke Shumaker)
Date: Mon, 15 Jun 2015 22:53:51 -0600
Subject: [Dev] Minor mips64el cleanup on repo
Message-ID: <877fr4s17k.wl-lukeshu@sbcglobal.net>

I just did some cleanup on repo.parabola.nu. I...

 - removed '/mips64el/packages/abslibre/' per
   https://labs.parabola.nu/issues/591
 - moved '/toolchains/' to '/mips64el/toolchains/'
 - removed all empty directories in '/mips64el/'
 - excluded '/mips64el/' from being mirrored
 - removed '/{~smv,~jorginho,~emulatorman,cross,kernels}/os/mips64el/'
   they only had .{abs,db,files}{,.tar.gz} (if at all).
    - Each of the .abs.tar.gz files only had the file 'tmp/hello'
      (which is empty).
    - Some of the other repos have entries for packages in them:
       - ~smv:gitosis-git-20110625-1 (does not exist)
       - ~jorginho:urbanterror-data-4.1.1-2 (does not exist)
       - ~emulatorman:ath9k-htc-firmware-git-20140911-1 (exists as a torrent)
       - ~coadde:glproto-git-20120612 (does not exist)
       - ~coadde.old:foobar-1-1.nonprism1 (exists as a torrent)
       - kernels:pax-flags-libre-2.0.17-1 (exists as a torrent)

-- 
Happy hacking,
~ Luke Shumaker

From lukeshu at sbcglobal.net Tue Jun 16 05:18:33 2015
From: lukeshu at sbcglobal.net (Luke Shumaker)
Date: Mon, 15 Jun 2015 23:18:33 -0600
Subject: [Dev] Minor mips64el cleanup on repo
In-Reply-To: <877fr4s17k.wl-lukeshu@sbcglobal.net>
References: <877fr4s17k.wl-lukeshu@sbcglobal.net>
Message-ID: <874mm8s02e.wl-lukeshu@sbcglobal.net>

On Mon, 15 Jun 2015 22:53:51 -0600,
Luke Shumaker wrote:
> I just did some cleanup on repo.parabola.nu. I...

I then did some more:

 - Make the '*/os/mips64el/' directories not be mirrored.
 - Make '/staging/core/' (contained a glibc for mips) not be mirrored.
 - Move '/iso/initramfs-linux-libre{,-fallback}.img' and
 - '/iso/parabola-base-mips64el-2013.10.25.tar.gz' to '/mips64el/iso/'
   (/mips64el not being mirrored).

For how I'm making things not be mirrored: put it in /srv/repo/http
instead of /srv/repo/main .

-- 
Happy hacking,
~ Luke Shumaker

From lukeshu at sbcglobal.net Wed Jun 17 00:56:33 2015
From: lukeshu at sbcglobal.net (Luke Shumaker)
Date: Tue, 16 Jun 2015 18:56:33 -0600
Subject: [Dev] Minor mips64el cleanup on repo
In-Reply-To: <874mm8s02e.wl-lukeshu@sbcglobal.net>
References: <877fr4s17k.wl-lukeshu@sbcglobal.net>
 <874mm8s02e.wl-lukeshu@sbcglobal.net>
Message-ID: <87wpz3qhj2.wl-lukeshu@sbcglobal.net>

On Mon, 15 Jun 2015 23:18:33 -0600,
Luke Shumaker wrote:
>
> On Mon, 15 Jun 2015 22:53:51 -0600,
> Luke Shumaker wrote:
>
>  - Make the '*/os/mips64el/' directories not be mirrored.
>
> For how I'm making things not be mirrored: put it in /srv/repo/http
> instead of /srv/repo/main .

I just made the *-mips64el.pkg.* files in /pool/parabola/ and
/torrents/ not be mirrored as well--otherwise db-cleanup would remove
them!

-- 
Happy hacking,
~ Luke Shumaker

From emulatorman at riseup.net Fri Jun 19 16:44:11 2015
From: emulatorman at riseup.net (André Silva)
Date: Fri, 19 Jun 2015 13:44:11 -0300
Subject: [Dev] Fwd: "parabola"
Message-ID: <558446DB.5020709@riseup.net>

I received this email today, so i'm sending it to dev lists to let you
know about it

-------- Forwarded Message --------
Subject: "parabola"
Date: Fri, 19 Jun 2015 11:55:39 +0800
From: William Wu
To: emulatorman

Mail

Dear Sir or Madam,

We are a service agency for domain registration service in china. Here i
have something to confirm with you. We formally received an application
today that a company claimed SEMOUR Global LLC were applying to register
parabola as their brand name and some parabola top-level domain names
through our firm.

Now we are handling this registration, and after our initial checking,
we found the name is similar to your company's, so we need to check with
you whether your company has authorized that company to register these
names. If you authorized this, we would finish the registration at once.
If you did not authorize, please let us know in time, so that we could
handle this issue better. After the deadline we will unconditionally
finish the registration for SEMOUR Global LLC. Looking forward to your
prompt reply.

Best Regards

William Wu
Tel: +86.551.63491191
Fax: +86.551.63491192
Address:689 Huizhou Road, Hefei, Anhui, China 23001
From fauno at endefensadelsl.org Fri Jun 19 16:48:37 2015
From: fauno at endefensadelsl.org (fauno)
Date: Fri, 19 Jun 2015 13:48:37 -0300
Subject: [Dev] Fwd: "parabola"
In-Reply-To: <558446DB.5020709@riseup.net>
References: <558446DB.5020709@riseup.net>
Message-ID: <87twu34pay.fsf@endefensadelsl.org>

André Silva writes:

> I received this email today, so i'm sending it to dev lists to let you
> know about it

if it's not a scam it's ridiculous to register a mathematical term as a
trademark ??

-- 
http://vqfe4xmhxzi7w2uv.onion

From hellekin at gnu.org Fri Jun 19 16:52:30 2015
From: hellekin at gnu.org (hellekin)
Date: Fri, 19 Jun 2015 13:52:30 -0300
Subject: [Dev] Fwd: "parabola"
In-Reply-To: <558446DB.5020709@riseup.net>
References: <558446DB.5020709@riseup.net>
Message-ID: <558448CE.3000709@gnu.org>

On 06/19/2015 01:44 PM, André Silva wrote:
> I received this email today, so i'm sending it to dev lists to let you
> know about it
>

*** I think it's worth ignoring. If these people are serious, they'll
contact you again. Most likely some spammy shady business.

==
hk

From hellekin at gnu.org Fri Jun 19 19:13:59 2015
From: hellekin at gnu.org (hellekin)
Date: Fri, 19 Jun 2015 16:13:59 -0300
Subject: [Dev] Fwd: "parabola"
In-Reply-To: <87twu34pay.fsf@endefensadelsl.org>
References: <558446DB.5020709@riseup.net>
 <87twu34pay.fsf@endefensadelsl.org>
Message-ID: <558469F7.40003@gnu.org>

On 06/19/2015 01:48 PM, fauno wrote:
>
> if it's not a scam it's ridiculous to register a mathematical term as a
> trademark ??
>

*** Especially a religious term ;o)

==
hk

From ingegnue at riseup.net Fri Jun 19 20:20:43 2015
From: ingegnue at riseup.net (IngeGNUe)
Date: Fri, 19 Jun 2015 16:20:43 -0400
Subject: [Dev] Fwd: "parabola"
In-Reply-To: <558446DB.5020709@riseup.net>
References: <558446DB.5020709@riseup.net>
Message-ID: <5584799B.1040004@riseup.net>

If this was an authorized domain name *registrar* (it clearly is not),
then they would have to answer to ICANN -- and they would *never*
contact you.
Your domain name was already registered, and it will not be
arbitrarily taken away.

This is a scam that exploits people's ignorance of the domain name
registration process, possibly to get email addresses so they can spam
you. Or maybe even to assess how valuable the domain name is, by seeing
how desired it is, so that *in case it expires* they can basically take
it hostage for a high enough price. Or if all the domain names aren't
registered, they may try to convince you to buy other TLDs.

The best thing to do is ignore it and mark it as spam. If you want to
do more, report the spammer's email address.

IngeGNUe

On 06/19/2015 12:44 PM, André Silva wrote:
> I received this email today, so i'm sending it to dev lists to let you
> know about it
>
> -------- Forwarded Message --------
> Subject: "parabola"
> Date: Fri, 19 Jun 2015 11:55:39 +0800
> From: William Wu
> To: emulatorman
>
>
>
> Mail
>
> Dear Sir or Madam,
>
> We are a service agency for domain registration service in china. Here i
> have something to confirm with you. We formally received an application
> today that a company claimed SEMOUR Global LLC were applying to register
> parabola as their brand name and some parabola top-level domain names
> through our firm.
>
> Now we are handling this registration, and after our initial checking,
> we found the name is similar to your company's, so we need to check with
> you whether your company has authorized that company to register these
> names. If you authorized this, we would finish the registration at once.
> If you did not authorize, please let us know in time, so that we could
> handle this issue better. After the deadline we will unconditionally
> finish the registration for SEMOUR Global LLC. Looking forward to your
> prompt reply.
>
> Best Regards
>
> William Wu
> Tel: +86.551.63491191
> Fax: +86.551.63491192
> Address:689 Huizhou Road, Hefei, Anhui, China 23001
>
> _______________________________________________
> Dev mailing list
> Dev at lists.parabola.nu
> https://lists.parabola.nu/mailman/listinfo/dev

From elcorreo at deshackra.com Sat Jun 20 02:47:35 2015
From: elcorreo at deshackra.com (Jorge Araya Navarro)
Date: Fri, 19 Jun 2015 20:47:35 -0600
Subject: [Dev] [SPAM-5.2]- Fwd: "parabola"
In-Reply-To: <558446DB.5020709@riseup.net>
References: <558446DB.5020709@riseup.net>
Message-ID: <87d20rxfi0.fsf@abril.charola>

It's funny because this email was marked as spam by my e-mail server xD

André Silva writes:

> I received this email today, so i'm sending it to dev lists to let you
> know about it

--
Pax et bonum.
Jorge Araya Navarro.
ES: Diseñador Publicitario, Programador Python y colaborador en Parabola GNU/Linux-libre
EN: Ads Designer, Python programmer and contributor Parabola GNU/Linux-libre
EO: Anonco grafikisto, Pitino programalingvo programisto kai kontribuanto en Parabola GNU/Linux-libre
https://es.gravatar.com/shackra

From hellekin at gnu.org Sun Jun 21 21:30:15 2015
From: hellekin at gnu.org (hellekin)
Date: Sun, 21 Jun 2015 18:30:15 -0300
Subject: [Dev] Fwd: Google has been stealth downloading audio listeners onto every computer that runs Chrome
In-Reply-To:
References:
Message-ID: <55872CE7.3020902@gnu.org>

Now that's nasty. Is Chromium in Parabola affected by this "bug" (meaning: wiretapping device)?
==
hk

-------- Forwarded Message --------
Subject: Google has been stealth downloading audio listeners onto every computer that runs Chrome
Date: Sun, 21 Jun 2015 13:06:19 -0700
From: Seth
To: cypherpunks at cpunks.org

from https://www.privateinternetaccess.com/blog/2015/06/google-chrome-listening-in-to-your-room-shows-the-importance-of-privacy-defense-in-depth/

Posted on June 18, 2015 by Rick Falkvinge

Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth

Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to “we can do that”.

It looked like just another bug report. "When I start Chromium, it downloads something." Followed by strange status information that notably included the lines "Microphone: Yes" and "Audio Capture Allowed: Yes".

chrome-voicesearch

Without consent, Google’s code had downloaded a black box of code that – according to itself – had turned on the microphone and was actively listening to your room.

A brief explanation of the Open-source / Free-software philosophy is needed here. When you’re installing a version of GNU/Linux like Debian or Ubuntu onto a fresh computer, thousands of really smart people have analyzed every line of human-readable source code before that operating system was built into computer-executable binary code, to make it common and open knowledge what the machine actually does instead of trusting corporate statements on what it’s supposed to be doing. Therefore, you don’t install black boxes onto a Debian or Ubuntu system; you use software repositories that have gone through this source-code audit-then-build process. Maintainers of operating systems like Debian and Ubuntu use many so-called “upstreams” of source code to build the final product.

Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code that bypassed this audit-then-build process, and which downloaded and installed a black box of unverifiable executable code directly onto computers, essentially rendering them compromised. We don’t know and can’t know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted.

This was supposedly to enable the “Ok, Google” behavior – that when you say certain words, a search function is activated. Certainly a useful feature. Certainly something that enables eavesdropping of every conversation in the entire room, too.

Obviously, your own computer isn’t the one to analyze the actual search command. Google’s servers do. Which means that your computer had been stealth configured to send what was being said in your room to somebody else, to a private company in another country, without your consent or knowledge, an audio transmission triggered by… an unknown and unverifiable set of conditions.

Google had two responses to this. The first was to introduce a practically-undocumented switch to opt out of this behavior, which is not a fix: the default install will still wiretap your room without your consent, unless you opt out, and more importantly, know that you need to opt out, which is nowhere a reasonable requirement. But the second was more of an official statement following technical discussions on Hacker News and other places. That official statement amounted to three parts (paraphrased, of course):

1) Yes, we’re downloading and installing a wiretapping black-box to your computer. But we’re not actually activating it. We did take advantage of our position as trusted upstream to stealth-insert code into open-source software that installed this black box onto millions of computers, but we would never abuse the same trust in the same way to insert code that activates the eavesdropping-blackbox we already downloaded and installed onto your computer without your consent or knowledge. You can look at the code as it looks right now to see that the code doesn’t do this right now.

2) Yes, Chromium is bypassing the entire source code auditing process by downloading a pre-built black box onto people’s computers. But that’s not something we care about, really. We’re concerned with building Google Chrome, the product from Google. As part of that, we provide the source code for others to package if they like. Anybody who uses our code for their own purpose takes responsibility for it. When this happens in a Debian installation, it is not Google Chrome’s behavior, this is Debian Chromium’s behavior. It’s Debian’s responsibility entirely.

3) Yes, we deliberately hid this listening module from the users, but that’s because we consider this behavior to be part of the basic Google Chrome experience. We don’t want to show all modules that we install ourselves.

If you think this is an excusable and responsible statement, raise your hand now.

Now, it should be noted that this was Chromium, the open-source version of Chrome. If somebody downloads the Google product Google Chrome, as in the prepackaged binary, you don’t even get a theoretical choice. You’re already downloading a black box from a vendor. In Google Chrome, this is all included from the start.

This episode highlights the need for hard, not soft, switches to all devices – webcams, microphones – that can be used for surveillance. A software on/off switch for a webcam is no longer enough, a hard shield in front of the lens is required. A software on/off switch for a microphone is no longer enough, a physical switch that breaks its electrical connection is required. That’s how you defend against this in depth.

Of course, people were quick to downplay the alarm. “It only listens when you say ‘Ok, Google’.” (Ok, so how does it know to start listening just before I’m about to say ‘Ok, Google’?) “It’s no big deal.” (A company stealth installs an audio listener that listens to every room in the world it can, and transmits audio data to the mothership when it encounters an unknown, possibly individually tailored, list of keywords – and it’s no big deal!?) “You can opt out. It’s in the Terms of Service.” (No. Just no. This is not something that is the slightest amount of permissible just because it’s hidden in legalese.) “It’s opt-in. It won’t really listen unless you check that box.” (Perhaps. We don’t know, Google just downloaded a black box onto my computer. And it may not be the same black box as was downloaded onto yours.)

Early last decade, privacy activists practically yelled and screamed that the NSA’s taps of various points of the Internet and telecom networks had the technical potential for enormous abuse against privacy. Everybody else dismissed those points as basically tinfoilhattery – until the Snowden files came out, and it was revealed that precisely everybody involved had abused their technical capability for invasion of privacy as far as was possible.

Perhaps it would be wise to not repeat that exact mistake. Nobody, and I really mean nobody, is to be trusted with a technical capability to listen to every room in the world, with listening profiles customizable at the identified-individual level, on the mere basis of “trust us”.

Privacy remains your own responsibility.

Rick Falkvinge

ABOUT RICK FALKVINGE
Rick is the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. He has a tech entrepreneur background and loves whisky. Read more of his articles on his website.

From fauno at endefensadelsl.org Sun Jun 21 21:38:33 2015
From: fauno at endefensadelsl.org (fauno)
Date: Sun, 21 Jun 2015 18:38:33 -0300
Subject: [Dev] Fwd: Google has been stealth downloading audio listeners onto every computer that runs Chrome
In-Reply-To: <55872CE7.3020902@gnu.org>
References: <55872CE7.3020902@gnu.org>
Message-ID: <878ubc2146.fsf@endefensadelsl.org>

hellekin writes:

> Now that's nasty. Is Chromium in Parabola affected by this "bug"
> (meaning: wiretapping device)?

we don't have chromium :)

--
:D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 584 bytes
Desc: not available
URL:

From hellekin at gnu.org Sun Jun 21 21:47:55 2015
From: hellekin at gnu.org (hellekin)
Date: Sun, 21 Jun 2015 18:47:55 -0300
Subject: [Dev] Fwd: Google has been stealth downloading audio listeners onto every computer that runs Chrome
In-Reply-To: <878ubc2146.fsf@endefensadelsl.org>
References: <55872CE7.3020902@gnu.org> <878ubc2146.fsf@endefensadelsl.org>
Message-ID: <5587310B.30107@gnu.org>

On 06/21/2015 06:38 PM, fauno wrote:
> hellekin writes:
>
>> Now that's nasty. Is Chromium in Parabola affected by this "bug"
>> (meaning: wiretapping device)?
>
> we don't have chromium :)
>
*** Heh. I take this as a no ;o)

==
hk

From elcorreo at deshackra.com Sun Jun 21 22:22:33 2015
From: elcorreo at deshackra.com (Jorge Araya Navarro)
Date: Sun, 21 Jun 2015 16:22:33 -0600
Subject: [Dev] Fwd: Google has been stealth downloading audio listeners onto every computer that runs Chrome
In-Reply-To: <5587310B.30107@gnu.org>
References: <55872CE7.3020902@gnu.org> <878ubc2146.fsf@endefensadelsl.org> <5587310B.30107@gnu.org>
Message-ID: <87si9k66sk.fsf@abril.charola>

Sometimes I wish we have more variety at hand, hope that Chromium becomes free software soon...

hellekin writes:

> On 06/21/2015 06:38 PM, fauno wrote:
>> hellekin writes:
>>
>>> Now that's nasty. Is Chromium in Parabola affected by this "bug"
>>> (meaning: wiretapping device)?
>>
>> we don't have chromium :)
>>
> *** Heh. I take this as a no ;o)
>
> ==
> hk

--
Pax et bonum.
Jorge Araya Navarro.
ES: Diseñador Publicitario, Programador Python y colaborador en Parabola GNU/Linux-libre
EN: Ads Designer, Python programmer and contributor Parabola GNU/Linux-libre
EO: Anonco grafikisto, Pitino programalingvo programisto kai kontribuanto en Parabola GNU/Linux-libre
https://es.gravatar.com/shackra

From joseph at t67.eu Sun Jun 21 22:32:35 2015
From: joseph at t67.eu (Joseph Graham)
Date: Sun, 21 Jun 2015 23:32:35 +0100
Subject: [Dev] Fwd: Google has been stealth downloading audio listeners onto every computer that runs Chrome
In-Reply-To: <55872CE7.3020902@gnu.org>
References: <55872CE7.3020902@gnu.org>
Message-ID: <446C1804-7ADD-4CD8-AFD2-BD35D7EAD7BE@t67.eu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 21 June 2015 22:30:15 BST, hellekin wrote:
>Now that's nasty. Is Chromium in Parabola affected by this "bug"
>(meaning: wiretapping device)?
>
>==
>hk

Of course: this is very funny.
- --
Sent from my CyanogenMod device with K-9 Mail.

From nobody at parabola.nu Mon Jun 22 20:54:50 2015
From: nobody at parabola.nu (Parabola Website Notification)
Date: Mon, 22 Jun 2015 20:54:50 -0000
Subject: [Dev] Orphan Libre package [icedove-enigmail] marked out-of-date
Message-ID: <20150622205450.21099.56862@parabola.nu>

mittens2001 at tfwno.gf wants to notify you that the following packages may be out-of-date:

* icedove-enigmail 1.8.1-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/icedove-enigmail/
* icedove-enigmail 1.8.1-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/icedove-enigmail/

The user provided the following additional text:

Has been updated to 1.8.2

From nobody at parabola.nu Mon Jun 22 20:57:40 2015
From: nobody at parabola.nu (Parabola Website Notification)
Date: Mon, 22 Jun 2015 20:57:40 -0000
Subject: [Dev] Orphan Pcr package [openrc-core] marked out-of-date
Message-ID: <20150622205740.21099.29564@parabola.nu>

mittens2001 at tfwno.gf wants to notify you that the following packages may be out-of-date:

* openrc-core 0.13.11-1 [pcr] (i686): https://parabolagnulinux.org/packages/pcr/i686/openrc-core/
* openrc-core 0.13.11-1 [pcr] (x86_64): https://parabolagnulinux.org/packages/pcr/x86_64/openrc-core/

The user provided the following additional text:

Long out of date. Current OpenRC version is 0.17.

From g4jc at openmailbox.org Tue Jun 23 23:57:49 2015
From: g4jc at openmailbox.org (Luke)
Date: Tue, 23 Jun 2015 19:57:49 -0400
Subject: [Dev] My public key
Message-ID: <5589F27D.7000608@openmailbox.org>

Hello Team,

Attached is my public key. I look forward to working to create new libre packages and expand PCR. :)

Luke
-------------- next part --------------
A non-text attachment was scrubbed...
Name: parabolapkg.pub
Type: application/vnd.ms-publisher
Size: 1432 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL:

From fauno at endefensadelsl.org Thu Jun 25 22:40:16 2015
From: fauno at endefensadelsl.org (fauno)
Date: Thu, 25 Jun 2015 19:40:16 -0300
Subject: [Dev] Fwd: [arch-dev-public] Building in a clean chroot
Message-ID: <874mlvtnsf.fsf@endefensadelsl.org>

fyi D:

--
D
-------------------- Start of forwarded message --------------------
Date: Thu, 25 Jun 2015 11:08:06 -0500
From: Doug Newgard
Subject: [arch-dev-public] Building in a clean chroot
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL:
-------------- next part --------------
-------------------- End of forwarded message --------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 584 bytes
Desc: not available
URL:

From elcorreo at deshackra.com Sat Jun 27 04:27:56 2015
From: elcorreo at deshackra.com (Jorge Araya Navarro)
Date: Fri, 26 Jun 2015 22:27:56 -0600
Subject: [Dev] Why I can't compile python2 inside a chroot?
Message-ID: <87vbe9pygj.fsf@abril.charola>

Hello!

I'm trying to build python2 with debugging symbols and with the `--with-pydebug` option on. The first try I did it using just `makepkg`, but the binary was malformed and when I try to run it with gdb I get this:

--8<---------------cut here---------------start------------->8---
> gdb python2
gdb: Symbol `PyBool_Type' has different size in shared object, consider re-linking
gdb: Symbol `_Py_TrueStruct' has different size in shared object, consider re-linking
gdb: Symbol `_Py_ZeroStruct' has different size in shared object, consider re-linking
gdb: Symbol `_Py_NoneStruct' has different size in shared object, consider re-linking
gdb: Symbol `_Py_NotImplementedStruct' has different size in shared object, consider re-linking
gdb: Symbol `PyFloat_Type' has different size in shared object, consider re-linking
Fatal Python error: Objects/abstract.c:2252 object at 0x85f5948 has negative ref count -1219907744
Abortado (`core' generado)
--8<---------------cut here---------------end--------------->8---

Now I'm trying with libremakepkg, but the compilation gets stuck here:

--8<---------------cut here---------------start------------->8---
| Ran 194 tests in 1.329s
|
| OK (skipped=25)
| [114/400/1] test_dl
| trying to open: /usr/lib/libc.so failed '/usr/lib/libc.so: invalid ELF header'
| trying to open: /lib/libc.so.6 succeeded... worked!
| [115/400/1] test_docxmlrpc
| test_autolink_dotted_methods (test.test_docxmlrpc.DocXMLRPCHTTPGETServer)
| Test that selfdot values are made strong automatically in the ...
--8<---------------cut here---------------end--------------->8---

What can I do? I really need this Python2 binary with debugging symbols :(

--
Pax et bonum.
Jorge Araya Navarro.
ES: Diseñador Publicitario, Programador Python y colaborador en Parabola GNU/Linux-libre
EN: Ads Designer, Python programmer and contributor Parabola GNU/Linux-libre
EO: Anonco grafikisto, Pitino programalingvo programisto kai kontribuanto en Parabola GNU/Linux-libre
https://es.gravatar.com/shackra

From g4jc at openmailbox.org Sat Jun 27 15:44:49 2015
From: g4jc at openmailbox.org (Luke)
Date: Sat, 27 Jun 2015 11:44:49 -0400
Subject: [Dev] Bug #567 has significant security impact on binaries
Message-ID: <558EC4F1.5090404@openmailbox.org>

Hello All,

Just yesterday I was learning libretools and how the packaging works on Parabola GNU/Linux-libre. I am used to compiling some things for Arch and was surprised at one of the key differences - one that I think can be classified as a "major" security flaw in the build process.

When making packages normally, one needs only edit /etc/makepkg.conf, and add GPG="keyid". Then to make a package from the PKGBUILD, simply run:

makepkg

The package will be compiled, and immediately signed with the packager's key during compile process.

However, libremakepkg disables this feature. The compiled binary package is left unsigned. This means that up until the packager manually signs the package with his/her key and/or it is done at the librerelease stage, the binary is unprotected.

Example compile: http://termbin.com/9p3o

Note this part particularly:

| ==> Signing package...
| ==> WARNING: Failed to sign package file.

This allows two security risks.

1) Someone or something could modify the package while it's sitting around waiting to be uploaded on the packager's computer.

2) If librerelease is signing binaries only, what is to prevent someone from taking a random modified binary and pushing it to the main repo with their key?

Lukeshu caught this important bug 12 months ago: https://labs.parabola.nu/issues/567

Hence, I agree with lukeshu. The packages must, at the very least, be signed closer to the source.

In Summary: Librerelease shouldn't be signing packages, it should be gpg --verifying them before uploading; and libremakepkg needs to be able to sign packages during compile as upstream does.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL:

From mtjm at mtjm.eu Sat Jun 27 15:54:00 2015
From: mtjm at mtjm.eu (Michał Masłowski)
Date: Sat, 27 Jun 2015 17:54:00 +0200
Subject: [Dev] Bug #567 has significant security impact on binaries
In-Reply-To: <558EC4F1.5090404@openmailbox.org> (Luke's message of "Sat, 27 Jun 2015 11:44:49 -0400")
References: <558EC4F1.5090404@openmailbox.org>
Message-ID: <874mltuoyv.fsf@ecthelion.vpn.mtjm.eu>

> The package will be compiled, and immediately signed with the packager's
> key during compile process.

This isn't nice for batch builds: user leaves the computer building for hours, then runs librerelease, inputs the GPG passphrase for pinentry, gpg-agent will cache it for a short time.

> 1) Someone or something could modify the package while it's sitting
> around waiting to be uploaded on the packager's computer.

If the developer changes file permissions so others can write to their files, and has malicious local users or sufficient remotely-exploitable vulnerabilities, there are much bigger problems.

> 2) If librerelease is signing binaries only, what is to prevent someone
> from taking a random modified binary and pushing it to the main repo
> with their key?

This can be solved only by not having the developers build and upload anything to the repo.
-------------- next part --------------
A non-text attachment was scrubbed...

From fauno at endefensadelsl.org Sat Jun 27 16:11:47 2015
From: fauno at endefensadelsl.org (fauno)
Date: Sat, 27 Jun 2015 13:11:47 -0300
Subject: [Dev] Bug #567 has significant security impact on binaries
In-Reply-To: <874mltuoyv.fsf@ecthelion.vpn.mtjm.eu>
References: <558EC4F1.5090404@openmailbox.org> <874mltuoyv.fsf@ecthelion.vpn.mtjm.eu>
Message-ID: <874mltqgfw.fsf@endefensadelsl.org>

Michał Masłowski writes:

>> The package will be compiled, and immediately signed with the packager's
>> key during compile process.
>
> This isn't nice for batch builds: user leaves the computer building for
> hours, then runs librerelease, inputs the GPG passphrase for pinentry,
> gpg-agent will cache it for a short time.

right, this was the initial decision for putting signing on
librerelease. security-wise having to put the signature for
each batch/unattended build is bothersome but necessary.

>> 1) Someone or something could modify the package while it's sitting
>> around waiting to be uploaded on the packager's computer.
>
> If the developer changes file permissions so others can write to their
> files, and has malicious local users or sufficient remotely-exploitable
> vulnerabilities, there are much bigger problems.

+1

>> 2) If librerelease is signing binaries only, what is to prevent someone
>> from taking a random modified binary and pushing it to the main repo
>> with their key?
>
> This can be solved only by not having the developers build and upload
> anything to the repo.

xD

what happened with reproducible builds?

btw i've been signing my commits to abslibre.git, i don't know how this
can be useful to verify that the pkgbuild corresponds to the binary
package.

--
http://vqfe4xmhxzi7w2uv.onion

From g4jc at openmailbox.org Sat Jun 27 16:18:37 2015
From: g4jc at openmailbox.org (Luke)
Date: Sat, 27 Jun 2015 12:18:37 -0400
Subject: [Dev] Bug #567 has significant security impact on binaries
In-Reply-To: <874mltqgfw.fsf@endefensadelsl.org>
References: <558EC4F1.5090404@openmailbox.org> <874mltuoyv.fsf@ecthelion.vpn.mtjm.eu> <874mltqgfw.fsf@endefensadelsl.org>
Message-ID: <558ECCDD.10203@openmailbox.org>

On 06/27/2015 12:11 PM, fauno wrote:
> Michał Masłowski writes:
>
>>> The package will be compiled, and immediately signed with the packager's
>>> key during compile process.
>> This isn't nice for batch builds: user leaves the computer building for
>> hours, then runs librerelease, inputs the GPG passphrase for pinentry,
>> gpg-agent will cache it for a short time.
> right, this was the initial decision for putting signing on
> librerelease. security-wise having to put the signature for
> each batch/unattended build is bothersome but necessary.

If this is actually an issue, it is described in the manpage for gpg-agent.

nano ~/.gnupg/gpg-agent.conf
set default-cache-ttl and max-cache-ttl as needed.

I would suppose a simple bash script could also be made that looks for
the makepkg process. If it still exists, increase time-to-live in
gpg-agent by x-seconds.
This is still better than signing long after the package has been built.

>>> 1) Someone or something could modify the package while it's sitting
>>> around waiting to be uploaded on the packager's computer.
>> If the developer changes file permissions so others can write to their
>> files, and has malicious local users or sufficient remotely-exploitable
>> vulnerabilities, there are much bigger problems.
> +1
>
>>> 2) If librerelease is signing binaries only, what is to prevent someone
>>> from taking a random modified binary and pushing it to the main repo
>>> with their key?
>> This can be solved only by not having the developers build and upload
>> anything to the repo.
> xD
>
> what happened with reproducible builds?
>
>
> btw i've been signing my commits to abslibre.git, i don't know how this
> can be useful to verify that the pkgbuild corresponds to the binary
> package.

Reproducible builds is another great idea, and Debian has been making
good progress with it. Signing commits is also not a bad idea, since at
least we know that you took the time to sign your commits. Meaning no one
should be impersonating fauno or doing MITM against your git push
procedures. :)

From fauno at endefensadelsl.org Sat Jun 27 16:39:58 2015
From: fauno at endefensadelsl.org (fauno)
Date: Sat, 27 Jun 2015 13:39:58 -0300
Subject: [Dev] Bug #567 has significant security impact on binaries
In-Reply-To: <558ECCDD.10203@openmailbox.org>
References: <558EC4F1.5090404@openmailbox.org> <874mltuoyv.fsf@ecthelion.vpn.mtjm.eu> <874mltqgfw.fsf@endefensadelsl.org> <558ECCDD.10203@openmailbox.org>
Message-ID: <871tgxqf4x.fsf@endefensadelsl.org>

Luke writes:

> On 06/27/2015 12:11 PM, fauno wrote:
>> Michał Masłowski writes:
>>
>>>> The package will be compiled, and immediately signed with the packager's
>>>> key during compile process.
>>> This isn't nice for batch builds: user leaves the computer building for
>>> hours, then runs librerelease, inputs the GPG passphrase for pinentry,
>>> gpg-agent will cache it for a short time.
>> right, this was the initial decision for putting signing on
>> librerelease. security-wise having to put the signature for
>> each batch/unattended build is bothersome but necessary.
> If this is actually an issue, it is described in the manpage for gpg-agent.
>
> nano ~/.gnupg/gpg-agent.conf
> set default-cache-ttl and max-cache-ttl as needed.
> I would suppose a simple bash script could also be made that looks for
> the makepkg process. If it still exists, increase time-to-live in
> gpg-agent by x-seconds.
> This is still better than signing long after the package has been built.

i think you need to restart the agent to change the ttl.

what if there's an intermediary signature that only libremakepkg can
issue and then librerelease verifies this and signs with the packager
key?

--
http://vqfe4xmhxzi7w2uv.onion

From g4jc at openmailbox.org Sat Jun 27 19:55:19 2015
From: g4jc at openmailbox.org (Luke)
Date: Sat, 27 Jun 2015 15:55:19 -0400
Subject: [Dev] Bug #567 has significant security impact on binaries
In-Reply-To: <871tgxqf4x.fsf@endefensadelsl.org>
References: <558EC4F1.5090404@openmailbox.org> <874mltuoyv.fsf@ecthelion.vpn.mtjm.eu> <874mltqgfw.fsf@endefensadelsl.org> <558ECCDD.10203@openmailbox.org> <871tgxqf4x.fsf@endefensadelsl.org>
Message-ID: <558EFFA7.7060905@openmailbox.org>

I can confirm that test-fixes mentioned in the bug ticket allow me to
gpg sign inside the chroot, and also run makepkg inside the chroot.
However I am still unable to determine why that fails using
libremakepkg. Has something to do with how it is reading makepkg.conf I
imagine.

On 06/27/2015 12:39 PM, fauno wrote:
> i think you need to restart the agent to change the ttl.
>
> what if there's an intermediary signature that only libremakepkg can
> issue and then librerelease verifies this and signs with the packager
> key?

I like this idea, a lot. However, who would have access to the secret
key? It would need a key to create the intermediary signature which
libremakepkg would be using.
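
An added example, not part of any message in this thread and not libretools code: one way a release step could verify rather than sign, as the thread's summary proposes. It checks each staged package's detached `.sig` with `gpg --verify` and passes the batch only when every package is validly signed by an allow-listed key; the function names, the staging directory layout and the allow-list are assumptions.

```shell
#!/bin/sh
# Added example (not libretools code): a pre-upload gate that verifies each
# package's detached signature instead of creating one at release time.
# Function names, staging layout and the allow-list are assumptions.

# Print the primary-key fingerprint behind a valid detached signature, or
# fail. gpg writes "[GNUPG:] VALIDSIG <fpr> ... <primary-fpr>" to the status
# fd only when the signature matches the file's current contents.
valid_signer() {
    local file="$1" sig="$2" status
    [ -f "$file" ] && [ -f "$sig" ] || return 1
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1; exit }
        END { exit !found }'
}

# Succeed only if PKG carries a valid PKG.sig made by an allowed key.
# Remaining arguments are allowed fingerprints (spaces and case ignored).
check_package() {
    local pkg="$1" fpr allowed
    shift
    fpr=$(valid_signer "$pkg" "$pkg.sig") || {
        echo "REJECT $pkg: missing or invalid signature" >&2
        return 1
    }
    for allowed in "$@"; do
        allowed=$(printf '%s' "$allowed" | tr -d ' ' | tr 'a-f' 'A-F')
        [ "$fpr" = "$allowed" ] && return 0
    done
    echo "REJECT $pkg: signed by unlisted key $fpr" >&2
    return 1
}

# Check every package in a staging directory. Returns 0 only when at least
# one package is present and all of them pass, so the caller uploads the
# whole batch or nothing.
release_gate() {
    local dir="$1" pkg ok=0 bad=0
    shift
    for pkg in "$dir"/*.pkg.tar.*; do
        case "$pkg" in *.sig) continue ;; esac
        [ -f "$pkg" ] || continue
        if check_package "$pkg" "$@"; then ok=$((ok + 1)); else bad=$((bad + 1)); fi
    done
    [ "$ok" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage (placeholder fingerprint):
#   release_gate ./staging "<PACKAGER-FINGERPRINT>" && echo "ok to upload"
```

Because the signature is checked against the file as it exists at upload time, a package altered after it was signed at build time fails the gate.
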

From kzer-za at cryptolab.net Sun Jun 28 22:08:52 2015
From: kzer-za at cryptolab.net (Kuba Kukielka)
Date: Sun, 28 Jun 2015 22:08:52 +0000
Subject: [Dev] Nonfree AUR Packages
Message-ID: <55907074.2050307@cryptolab.net>

Hello!

Using a program named `aurlist`, some sed commands and a php script, I
compiled a list of every single package in AUR 3.

- https://d.maxfile.ro/cknuewoqlk.out

With this, I wrote a php script that downloaded every single PKGBUILD
in the AUR repo. And then used yet another php script to sort them
into folders based off the license tag in the PKGBUILD. I compiled a
list of nonfree packages my script found (there are probably more). My
script is not 100% accurate so I need to go through it manually.

My list is on an etherpad.

- https://pad.riseup.net/p/nonfree_aur

I've not finished it yet so any contribution is welcome.

(Note that this does not include AUR 4)

Here are some status of the current folders.

- free = 48,216 packages
- nonfree = 297 packages
- custom = 5,265 packages
- other = 3,646 packages

From fauno at endefensadelsl.org Sun Jun 28 23:02:53 2015
From: fauno at endefensadelsl.org (fauno)
Date: Sun, 28 Jun 2015 20:02:53 -0300
Subject: [Dev] Nonfree AUR Packages
In-Reply-To: <55907074.2050307@cryptolab.net>
References: <55907074.2050307@cryptolab.net>
Message-ID: <87a8vjphb6.fsf@endefensadelsl.org>

Kuba Kukielka writes:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello!
>
> Using a program named `aurlist`, some sed commands and a php script, I
> compiled a list of every single package in AUR 3.
>
> - - https://d.maxfile.ro/cknuewoqlk.out
>
> With this, I wrote a php script that downloaded every single PKGBUILD
> in the AUR repo. And then used yet another php script to sort them
> into folders based off the license tag in the PKGBUILD. I compiled a
> list of nonfree packages my script found (there are probably more). My
> script is not 100% accurate so I need to go through it manually.
>
> My list is on an etherpad.
>
> - - https://pad.riseup.net/p/nonfree_aur
>
> I've not finished it yet so any contribution is welcome.
>
> (Note that this does not include AUR 4)
>
> Here are some status of the current folders.
>
> - - free = 48,216 packages
> - - nonfree = 297 packages
> - - custom = 5,265 packages
> - - other = 3,646 packages

very cool! but please take into account that because the pkgbuild's
license says it's free, it doesn't necessarily mean the source code is.

i've found several packages where the maintainer just left the default
value, or didn't even check, so i'm guessing many of the 48k free
packages are really mislabeled.

still, great work!

--
.o?)

From kzer-za at cryptolab.net Mon Jun 29 15:42:28 2015
From: kzer-za at cryptolab.net (Kuba Kukielka)
Date: Mon, 29 Jun 2015 15:42:28 +0000
Subject: [Dev] Nonfree AUR Packages
In-Reply-To: <5590FEBB.8000406@cryptolab.net>
References: <5590FEBB.8000406@cryptolab.net>
Message-ID: <55916764.4040007@cryptolab.net>

On 28/06/15 23:02, fauno wrote:
> Kuba Kukielka writes:
>
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>
>> Hello!
>>
>> Using a program named `aurlist`, some sed commands and a php
>> script, I compiled a list of every single package in AUR 3.
>>
>> - - https://d.maxfile.ro/cknuewoqlk.out
>>
>> With this, I wrote a php script that downloaded every single
>> PKGBUILD in the AUR repo. And then used yet another php script
>> to sort them into folders based off the license tag in the
>> PKGBUILD. I compiled a list of nonfree packages my script found
>> (there are probably more). My script is not 100% accurate so I
>> need to go through it manually.
>>
>> My list is on an etherpad.
>>
>> - - https://pad.riseup.net/p/nonfree_aur
>>
>> I've not finished it yet so any contribution is welcome.
>>
>> (Note that this does not include AUR 4)
>>
>> Here are some status of the current folders.
>>
>> - - free = 48,216 packages - - nonfree = 297 packages - - custom
>> = 5,265 packages - - other = 3,646 packages
>
> very cool! but please take into account that because the pkgbuild's
> license says it's free, it doesn't necessarily mean the source
> code is.
>
> i've found several packages where the maintainer just left the
> default value, or didn't even check, so i'm guessing many of the
> 48k free packages are really mislabeled.
>
> still, great work!
>

Thanks!

I'm going to finish checking the list today, it's tedious but it has to
be done.

I know that a lot of the free packages are nonfree but it is really
difficult/time-wasting to go through them all.

The only way I can think of doing this semi-automatically is by making a
script that finds the source, downloads it and then tries to find the
LICENSE/COPYING file. If successful, it will print out the license, the
license would be analysed by me and then the file would get moved to a
free/nonfree folder. If my script did not find a LICENSE, it would move
it into a no_license folder.

I might take a look in the other folder and add some of the less
popular licenses.

I also came across a problem, my script moved the file to nonfree if the
PKGBUILD had "none" in it, meaning no license. This package called
`cava` was labelled "no license" but after looking at the source, it was
the MIT license.

But that's what you have to deal with if you are working with
user-generated content.

From kzer-za at cryptolab.net Mon Jun 29 15:48:52 2015
From: kzer-za at cryptolab.net (Kuba Kukielka)
Date: Mon, 29 Jun 2015 15:48:52 +0000
Subject: [Dev] Nonfree AUR Packages
In-Reply-To: <5590FEBB.8000406@cryptolab.net>
References: <55907074.2050307@cryptolab.net> <87a8vjphb6.fsf@endefensadelsl.org> <5590FEBB.8000406@cryptolab.net>
Message-ID: <559168E4.1050409@cryptolab.net>

On 29/06/15 08:15, Kuba Kukielka wrote:
>
>
> On 28/06/15 23:02, fauno wrote:
>> Kuba Kukielka writes:
>
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>>
>>> Hello!
>>>
>>> Using a program named `aurlist`, some sed commands and a php
>>> script, I compiled a list of every single package in AUR 3.
>>>
>>> - - https://d.maxfile.ro/cknuewoqlk.out
>>>
>>> With this, I wrote a php script that downloaded every single
>>> PKGBUILD in the AUR repo. And then used yet another php script
>>> to sort them into folders based off the license tag in the
>>> PKGBUILD. I compiled a list of nonfree packages my script found
>>> (there are probably more). My script is not 100% accurate so I
>>> need to go through it manually.
>>>
>>> My list is on an etherpad.
>>>
>>> - - https://pad.riseup.net/p/nonfree_aur
>>>
>>> I've not finished it yet so any contribution is welcome.
>>>
>>> (Note that this does not include AUR 4)
>>>
>>> Here are some status of the current folders.
>>>
>>> - - free = 48,216 packages - - nonfree = 297 packages - -
>>> custom = 5,265 packages - - other = 3,646 packages
>
>> very cool! but please take into account that because the
>> pkgbuild's license says it's free, it doesn't necessarily mean
>> the source code is.
>
>> i've found several packages where the maintainer just left the
>> default value, or didn't even check, so i'm guessing many of the
>> 48k free packages are really mislabeled.
>
>> still, great work!
>
>
> Thanks!
>
> I'm going to finish checking the list today, it's tedious but it
> has to be done.
>
> I know that a lot of the free packages are nonfree but it is
> really difficult/time-wasting to go through them all.
>
> The only way I can think of doing this semi-automatically is by
> making a script that finds the source, downloads it and then tries
> to find the LICENSE/COPYING file. If successful, it will print out
> the license, the license would be analysed by me and then the file
> would get moved to a free/nonfree folder. If my script did not find
> a LICENSE, it would move it into a no_license folder.
>
> I might take a look in the other folder and add some of the
> less popular licenses.
>
> I also came across a problem, my script moved the file to nonfree
> if the PKGBUILD had "none" in it, meaning no license. This package
> called `cava` was labelled "no license" but after looking at the
> source, it was the MIT license.
>
> But that's what you have to deal with if you are working with
> user-generated content.
>

I finished looking over the list, may someone look over my pad and add
the packages with the plus (+) next to them to the blacklist please?

- https://pad.riseup.net/p/nonfree_aur

I would also like someone to look over the packages with a (?) or (-) to
see if they are free or not.

I might also consider doing AUR 4 too.

From icarious at hacari.org Tue Jun 30 23:06:02 2015
From: icarious at hacari.org (Icarious)
Date: Wed, 1 Jul 2015 04:36:02 +0530
Subject: [Dev] Main live Installation media 2015.07.01 (i686 and x86_64) Released
Message-ID: <20150701043602.0047e18e6fb1286aeaedb3b1@hacari.org>

parabola-2015.07.01-dual.iso released.

The checksum file will be signed from now on. Once you've downloaded an
image, you can check:
a) that its checksum matches what is expected from the checksum file; and
b) that the checksum file has not been tampered with.

--
Icarious
GPG Public Key : 0x4428BA28AA2ACCD2
GPG Fingerprint : 6C37 E88E DD0B F042 7A15 676E 4428 BA28 AA2A CCD2
www.gnuos.in