From nobody at parabola.nu Sat Oct 1 00:31:39 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Sat, 01 Oct 2016 00:31:39 -0000 Subject: [Dev] Orphan Libre package [linux-libre-grsec] marked out-of-date Message-ID: <20161001003139.1051.55295@parabola.nu> jc_gargma at iserlohn-fortress.net wants to notify you that the following packages may be out-of-date: * linux-libre-grsec 1:4.7.4_gnu.r201609152234-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-grsec/ * linux-libre-grsec 1:4.7.5_gnu.r201609261522-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec/ * linux-libre-grsec 1:4.7.5_gnu.r201609261522-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec/ * linux-libre-grsec-docs 1:4.7.4_gnu.r201609152234-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-grsec-docs/ * linux-libre-grsec-docs 1:4.7.5_gnu.r201609261522-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec-docs/ * linux-libre-grsec-docs 1:4.7.5_gnu.r201609261522-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec-docs/ * linux-libre-grsec-headers 1:4.7.4_gnu.r201609152234-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-grsec-headers/ * linux-libre-grsec-headers 1:4.7.5_gnu.r201609261522-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec-headers/ * linux-libre-grsec-headers 1:4.7.5_gnu.r201609261522-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec-headers/ The user provided the following additional text: Grsecurity has released a patch for 4.7.6 From lukeshu at sbcglobal.net Sat Oct 1 22:15:39 2016 From: lukeshu at sbcglobal.net (Luke Shumaker) Date: Sat, 01 Oct 2016 18:15:39 -0400 Subject: [Dev] [consensus][due: 2016-10-10] Script to obtain the optimized 'mirrorlist' In-Reply-To: <7c617d67f9f7ba6b51728714461009db@openmailbox.org> References: <7c617d67f9f7ba6b51728714461009db@openmailbox.org> Message-ID: <874m4vk96c.wl-lukeshu@sbcglobal.net> On Fri, 30 Sep 2016 16:01:51 -0400, Alejandro Hern?ndez wrote: > "Parabola.nu" must go to independent end of their performance > because it corresponds to our main server where the bandwidth > we need to raise our packages and develop. It doesn't really use much of our bandwidth anymore. Unless you stick ?noredirect at the end of the URL (which pacman doesn't do), then it redirects you to a mirror for package files. The only thing it serves directly is the .db files (and very new package files that have not yet been mirrored). But I'm game for not shipping a static mirrorlist anymore. Why not do what Arch does? -- Happy hacking, ~ Luke Shumaker From ingegnue at riseup.net Sat Oct 1 23:33:46 2016 From: ingegnue at riseup.net (IngeGNUe) Date: Sat, 1 Oct 2016 19:33:46 -0400 Subject: [Dev] [consensus][due: 2016-10-10] Script to obtain the optimized 'mirrorlist' In-Reply-To: <7c617d67f9f7ba6b51728714461009db@openmailbox.org> References: <7c617d67f9f7ba6b51728714461009db@openmailbox.org> Message-ID: <57483336-b10a-26dc-c981-4cf62a1dcf01@riseup.net> On 09/30/2016 04:01 PM, Alejandro Hern?ndez wrote: > > > > Therefore, it should be created a script that obtains the information > from the web https://www.parabola.nu/mirrorlist/ and then apply the > additional custom criteria for obtaining file 'mirrorlist'. And that > will run periodically (daily?). [SCRIPT TO OBTAIN THE OPTIMIZED > 'MIRRORLIST'] > > Thanks. > > > > > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev > You can do this with the reflector package (script) and even create a bash alias in your .bashrc for quick mirror list updating. For example: alias mirr='sudo reflector --verbose --sort rate --save /etc/pacman.d/mirrorlist' From alejandrohp at openmailbox.org Sat Oct 1 23:55:21 2016 From: alejandrohp at openmailbox.org (=?UTF-8?Q?Alejandro_Hern=C3=A1ndez?=) Date: Sun, 02 Oct 2016 01:55:21 +0200 Subject: [Dev] [consensus][due: 2016-10-10] Script to obtain the optimized 'mirrorlist' In-Reply-To: <874m4vk96c.wl-lukeshu@sbcglobal.net> References: <7c617d67f9f7ba6b51728714461009db@openmailbox.org> <874m4vk96c.wl-lukeshu@sbcglobal.net> Message-ID: <2defdda20bc2c50d5218c95ad0faddf0@openmailbox.org> El 2016-10-02 00:15, Luke Shumaker escribi?: > On Fri, 30 Sep 2016 16:01:51 -0400, > Alejandro Hern?ndez wrote: >> "Parabola.nu" must go to independent end of their performance >> because it corresponds to our main server where the bandwidth >> we need to raise our packages and develop. > > It doesn't really use much of our bandwidth anymore. Unless you stick > ?noredirect at the end of the URL (which pacman doesn't do), then it > redirects you to a mirror for package files. The only thing it serves > directly is the .db files (and very new package files that have not > yet been mirrored). > > But I'm game for not shipping a static mirrorlist anymore. Why not do > what Arch does? Wow! You're right. I've found some arch info: Mirrors: https://wiki.archlinux.org/index.php/Mirrors And 'Reflector' package. Script which can retrieve the latest mirror list from the MirrorStatus web page, filter the most up-to-date mirrors, sort them by speed and overwrite the file /etc/pacman.d/mirrorlist: https://wiki.archlinux.org/index.php/Reflector And I've read that distributions like 'Bridge Linux' (Arch based) incorporates 'reflector' into the update process by default. ? I think that is what Parabola needs. Thanks. From ingegnue at riseup.net Sat Oct 1 23:57:24 2016 From: ingegnue at riseup.net (IngeGNUe) Date: Sat, 1 Oct 2016 19:57:24 -0400 Subject: [Dev] [consensus][due: 2016-10-10] Script to obtain the optimized 'mirrorlist' In-Reply-To: <2defdda20bc2c50d5218c95ad0faddf0@openmailbox.org> References: <7c617d67f9f7ba6b51728714461009db@openmailbox.org> <874m4vk96c.wl-lukeshu@sbcglobal.net> <2defdda20bc2c50d5218c95ad0faddf0@openmailbox.org> Message-ID: On 10/01/2016 07:55 PM, Alejandro Hern?ndez wrote: > El 2016-10-02 00:15, Luke Shumaker escribi?: >> On Fri, 30 Sep 2016 16:01:51 -0400, >> Alejandro Hern?ndez wrote: >>> "Parabola.nu" must go to independent end of their performance >>> because it corresponds to our main server where the bandwidth >>> we need to raise our packages and develop. >> >> It doesn't really use much of our bandwidth anymore. Unless you stick >> ?noredirect at the end of the URL (which pacman doesn't do), then it >> redirects you to a mirror for package files. The only thing it serves >> directly is the .db files (and very new package files that have not >> yet been mirrored). >> >> But I'm game for not shipping a static mirrorlist anymore. Why not do >> what Arch does? > > > Wow! You're right. I've found some arch info: > Mirrors: > https://wiki.archlinux.org/index.php/Mirrors > > And 'Reflector' package. Script which can retrieve the latest mirror > list from the MirrorStatus web page, filter the most up-to-date mirrors, > sort them by speed and overwrite the file /etc/pacman.d/mirrorlist: > https://wiki.archlinux.org/index.php/Reflector > > And I've read that distributions like 'Bridge Linux' (Arch based) > incorporates 'reflector' into the update process by default. ? I think > that is what Parabola needs. > > Thanks. > > > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev As I said, Parabola has it already. pacman -Ss reflector From alejandrohp at openmailbox.org Sun Oct 2 00:10:23 2016 From: alejandrohp at openmailbox.org (=?UTF-8?Q?Alejandro_Hern=C3=A1ndez?=) Date: Sun, 02 Oct 2016 02:10:23 +0200 Subject: [Dev] [consensus][due: 2016-10-10] Script to obtain the optimized 'mirrorlist' In-Reply-To: References: <7c617d67f9f7ba6b51728714461009db@openmailbox.org> <874m4vk96c.wl-lukeshu@sbcglobal.net> <2defdda20bc2c50d5218c95ad0faddf0@openmailbox.org> Message-ID: El 2016-10-02 01:57, IngeGNUe escribi?: > On 10/01/2016 07:55 PM, Alejandro Hern?ndez wrote: >> El 2016-10-02 00:15, Luke Shumaker escribi?: >>> On Fri, 30 Sep 2016 16:01:51 -0400, >>> Alejandro Hern?ndez wrote: >>>> "Parabola.nu" must go to independent end of their performance >>>> because it corresponds to our main server where the bandwidth >>>> we need to raise our packages and develop. >>> >>> It doesn't really use much of our bandwidth anymore. Unless you >>> stick >>> ?noredirect at the end of the URL (which pacman doesn't do), then it >>> redirects you to a mirror for package files. The only thing it >>> serves >>> directly is the .db files (and very new package files that have not >>> yet been mirrored). >>> >>> But I'm game for not shipping a static mirrorlist anymore. Why not >>> do >>> what Arch does? >> >> >> Wow! You're right. I've found some arch info: >> Mirrors: >> https://wiki.archlinux.org/index.php/Mirrors >> >> And 'Reflector' package. Script which can retrieve the latest mirror >> list from the MirrorStatus web page, filter the most up-to-date >> mirrors, >> sort them by speed and overwrite the file /etc/pacman.d/mirrorlist: >> https://wiki.archlinux.org/index.php/Reflector >> >> And I've read that distributions like 'Bridge Linux' (Arch based) >> incorporates 'reflector' into the update process by default. ? I think >> that is what Parabola needs. >> >> Thanks. >> >> >> >> _______________________________________________ >> Dev mailing list >> Dev at lists.parabola.nu >> https://lists.parabola.nu/mailman/listinfo/dev > > As I said, Parabola has it already. pacman -Ss reflector > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev I do not mean that the user who use reflector. But it to be Parabola OS internally that uses 'reflector' each time it is needed to use the mirrorlist file. ? From emulatorman at riseup.net Sun Oct 2 12:11:51 2016 From: emulatorman at riseup.net (=?UTF-8?Q?Andr=c3=a9_Silva?=) Date: Sun, 2 Oct 2016 09:11:51 -0300 Subject: [Dev] [consensus][due: 2016-10-10] Script to obtain the optimized 'mirrorlist' In-Reply-To: <2defdda20bc2c50d5218c95ad0faddf0@openmailbox.org> References: <7c617d67f9f7ba6b51728714461009db@openmailbox.org> <874m4vk96c.wl-lukeshu@sbcglobal.net> <2defdda20bc2c50d5218c95ad0faddf0@openmailbox.org> Message-ID: <57e0133e-5590-3686-0556-3cb7d62f83e3@riseup.net> On 10/01/2016 08:55 PM, Alejandro Hern?ndez wrote: > Wow! You're right. I've found some arch info: > Mirrors: > https://wiki.archlinux.org/index.php/Mirrors > > And 'Reflector' package. Script which can retrieve the latest mirror > list from the MirrorStatus web page, filter the most up-to-date mirrors, > sort them by speed and overwrite the file /etc/pacman.d/mirrorlist: > https://wiki.archlinux.org/index.php/Reflector > > And I've read that distributions like 'Bridge Linux' (Arch based) > incorporates 'reflector' into the update process by default. ? I think > that is what Parabola needs. It could be solved adding reflector to base group [0][1] What do you think guys? [0]:https://wiki.archlinux.org/index.php/Makepkg#Usage [1]:https://wiki.archlinux.org/index.php/Frequently_asked_questions#When_will_the_new_release_be_made_available.3F -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From nobody at parabola.nu Mon Oct 3 11:39:17 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Mon, 03 Oct 2016 11:39:17 -0000 Subject: [Dev] Orphan Libre package [handbrake] marked out-of-date Message-ID: <20161003113917.1051.47997@parabola.nu> alessi at robertalessi.net wants to notify you that the following packages may be out-of-date: * handbrake 0.10.5-2.parabola2 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/handbrake/ * handbrake 0.10.5-2.parabola2 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/handbrake/ * handbrake 0.10.5-2.parabola2 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/handbrake/ * handbrake-cli 0.10.5-2.parabola2 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/handbrake-cli/ * handbrake-cli 0.10.5-2.parabola2 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/handbrake-cli/ * handbrake-cli 0.10.5-2.parabola2 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/handbrake-cli/ The user provided the following additional text: Handbrake needs to be recompiled with the latest libx265. Many thanks to the maintainers! -- Robert From fauno at endefensadelsl.org Mon Oct 3 20:32:11 2016 From: fauno at endefensadelsl.org (fauno) Date: Mon, 03 Oct 2016 17:32:11 -0300 Subject: [Dev] [due 2016-10-10]; donations thank you list Message-ID: <87fuodtbqs.fsf@endefensadelsl.org> hi! since we started receiving donations, we're maintaining a thank you list[0] where we put people's names and donations. donors have the option to be listed as anonymous too. so far tct has been sending me new donations and then i go and update the wiki page. this has been been working more or less ok but lately i don't even have the time to keep up with the wiki page so new donations are delayed. sometimes we receive funny donations, such as 1EUR donations, where most of the donations goes to cover Paypal expenses. Today we had such a case that smelled fishy (publicity), so we were talking about this: * Just put the person's name on the thank you list instead of a mention per donation * Keep accounting separately, on an adequate file (a gnu cash file attached to the wiki for transparency). * Set a minimum donation for appearing on the thank you list (perhaps 10 USD or equivalent? just to fend off publicity) What do you think? [0]: https://wiki.parabola.nu/Donations#Thanks.21 -- :> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 584 bytes Desc: not available URL: From g4jc at openmailbox.org Mon Oct 3 23:30:44 2016 From: g4jc at openmailbox.org (Luke) Date: Mon, 3 Oct 2016 19:30:44 -0400 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo Message-ID: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> Hello, As many of you know there were various hardening patches to IceWeasel and IceDove recently. These patches were done by myself and gleaned from other reliable sources such as TBB and PrivacyTools.io[1], as well as consulting the Mozilla wiki. Unfortunately, it has caused breakage on some websites[2][3] and degraded user experience. This is to be expected, as the web becomes less privacy-friendly, and more centralized/data-centric. A quick run down of notable patches[4]: 1) Disable Telemetry for good (it was previously storing all the telemetry data and probing your OS ever 2 minutes or so, including open tabs and websites for 'analytical purposes') 2) Disable Balrog/AUS5, Mozilla's new non-transparent remote update mechanism that fingerprints the user. 3) Disable Facial Recognition, Speech Recognition, and Virtual Reality API. 4) Disable various data leaks and remote updates, attempt to completely stop Google from being queried and downloading their "safe-browsing" list for every page you visit. 5) Stop IP leaks caused by WebRTC, WebSockets, and Captive Portal Detection. 6) Disable DOM Storage due to many privacy concerns and it being off in all modern versions of TBB. 7) Disable weak hash and broken SSL implementation which do not prevent eaves droppers from reading the page. _- So this puts the nonprism projects at a crossroads. Do we want to favour accessibility and "features" over "privacy"?_ From my personal opinion, nonprism should provide security and privacy by default. Users can choose to opt-out of nonprism if they wish. This is easily done by A) not using nonprism, or B) using about:config and/or user.js to override the settings. Meanwhile, some users have questioned why nonprism is not on by default[5], and I think this is a valid point from a security standpoint. Users may be using Parabola under the impression they are experiencing the safest possible defaults, and this is currently not the case. 1. https://www.privacytools.io/#about_config 2. https://labs.parabola.nu/issues/1113 3. https://labs.parabola.nu/issues/1114 4. https://git.parabola.nu/abslibre.git/tree/nonprism/iceweasel/vendor.js / https://git.parabola.nu/abslibre.git/plain/nonprism-testing/iceweasel/vendor.js 5. https://labs.parabola.nu/issues/1093#note-3 Now that everyone is aware of the issues, please discuss. I do not feel [nonprism] should become "privacy-lite" and libre become "no protection at all". Luke -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From g4jc at openmailbox.org Tue Oct 4 00:25:35 2016 From: g4jc at openmailbox.org (Luke) Date: Mon, 3 Oct 2016 20:25:35 -0400 Subject: [Dev] [consensus due 10-24-16] Features vs. Privacy in nonprism repo In-Reply-To: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> References: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> Message-ID: <607acd38-8fe8-13bc-3133-2c0cdcd5a0e5@openmailbox.org> > Hello, > As many of you know there were various hardening patches to IceWeasel > and IceDove recently. These patches were done by myself and gleaned > from other reliable sources such as TBB and PrivacyTools.io[1], as > well as consulting the Mozilla wiki. > > Unfortunately, it has caused breakage on some websites[2][3] and > degraded user experience. This is to be expected, as the web becomes > less privacy-friendly, and more centralized/data-centric. > > A quick run down of notable patches[4]: > > 1) Disable Telemetry for good (it was previously storing all the > telemetry data and probing your OS ever 2 minutes or so, including > open tabs and websites for 'analytical purposes') > > 2) Disable Balrog/AUS5, Mozilla's new non-transparent remote update > mechanism that fingerprints the user. > > 3) Disable Facial Recognition, Speech Recognition, and Virtual Reality > API. > > 4) Disable various data leaks and remote updates, attempt to > completely stop Google from being queried and downloading their > "safe-browsing" list for every page you visit. > > 5) Stop IP leaks caused by WebRTC, WebSockets, and Captive Portal > Detection. > > 6) Disable DOM Storage due to many privacy concerns and it being off > in all modern versions of TBB. > > 7) Disable weak hash and broken SSL implementation which do not > prevent eaves droppers from reading the page. > > > _- So this puts the nonprism projects at a crossroads. Do we want to > favour accessibility and "features" over "privacy"?_ > > From my personal opinion, nonprism should provide security and privacy > by default. Users can choose to opt-out of nonprism if they wish. This > is easily done by A) not using nonprism, or B) using about:config > and/or user.js to override the settings. > > Meanwhile, some users have questioned why nonprism is not on by > default[5], and I think this is a valid point from a security > standpoint. Users may be using Parabola under the impression they are > experiencing the safest possible defaults, and this is currently not > the case. > > 1. https://www.privacytools.io/#about_config > > 2. https://labs.parabola.nu/issues/1113 > > 3. https://labs.parabola.nu/issues/1114 > > 4. > https://git.parabola.nu/abslibre.git/tree/nonprism/iceweasel/vendor.js > / > https://git.parabola.nu/abslibre.git/plain/nonprism-testing/iceweasel/vendor.js > > 5. https://labs.parabola.nu/issues/1093#note-3 > > > Now that everyone is aware of the issues, please discuss. I do not > feel [nonprism] should become "privacy-lite" and libre become "no > protection at all". > > > Luke > > > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev I have helped Emulatorman add a post-install notice to nonprism packages to notify users of hardening and a link to this thread. Also I forgot to mention a consensus cut off date. Please reach consensus by October 24th 2016. Luke -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From isacdaavid at isacdaavid.info Tue Oct 4 04:48:32 2016 From: isacdaavid at isacdaavid.info (Isaac David) Date: Mon, 03 Oct 2016 23:48:32 -0500 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo In-Reply-To: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> References: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> Message-ID: <1475556512.1218.0@plebeian.isacdaavid.info> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Le lun. 3 oct. 2016 ? 18:30, Luke a ?crit : > - So this puts the nonprism projects at a crossroads. Do we want to favour accessibility and "features" over "privacy"? > > From my personal opinion, nonprism should provide security and privacy by default. Users can choose to opt-out of nonprism if they wish. This is easily done by A) not using nonprism, or B) using about:config and/or user.js to override the settings. > Meanwhile, some users have questioned why nonprism is not on by default[5], and I think this is a valid point from a security standpoint. Users may be using Parabola under the impression they are experiencing the safest possible defaults, and this is currently not the case. [...] > Now that everyone is aware of the issues, please discuss. I do not feel [nonprism] should become "privacy-lite" and libre become "no protection at all". > > Luke Agreed. I'm for having those `nonprism` packages respect the spirit of the repo they belong to, even if that means breaking websites that could undermine user privacy. That's exactly what using `nonprism` entails. The moment you start making concessions the moment better informed users of `nonprism` will complain that hardening isn't nearly as good as it could be. Maybe this is a failure of communication from our part, but I can't think of a simpler and more instructive solution than that post-install notice. Users won't even need to know in advance what they are doing as they activate the repo --- and I say it with some regret ---. I'm also for keeping default Parabola as Arch-like an experience as permitted by the social contract. Translation: I'd rather keep `nonprism` opt-in. - -- Isaac David GPG: 38D33EF29A7691134357648733466E12EC7BA943 Tox: 0C730E0156E96E6193A1445D413557FF5F277BA969A4EA20AC9352889D3B390E77651E816F0C -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJX8zPzAAoJEDNGbhLse6lDvI4P/1m+ZZDoDsTzcGlaYmdwot5t xkXTdNFZqPpxc58+aXqfeJfr3W3n9gI+6Ot+43GPCDE1nmtLxLZEOGkPX6FSKm9M 344ljEMaodEJ4f83UwlEayVNjHjNsGP3EeoeH6plg4F98wnNcNkp43AwoVtM4FUD zqEQa4rPP6bNoPxqnpBJWPtZj5to1lcSvHlK7jQpSPGM7P5Lf59nWlua+HDMXX4Z ChmTofGk4d0lpjCoIpijuY+Ro8bI/9J+ZEQbNvGbgC6wleUlkk7FKCxIs2OqipMj tD8D7QQEWdGh3rtnJwXxb7RHGMxpBLeRJeOGM6T4DgfzDV8wMLVPotFPINQPFDnX jCE5MkvmT3NYCEkHcBelLillu2LmVzT+eL9ae7cnI2VRt576pq9HNz2J8p5uiWbJ 9MKsq8eYrZYiOJ4dcDn0wEYRx9E9pGYhfLKMkr7RrGuuN8hwSyrwBVLLSh4KxBf/ WHN9viToINx2QBkCMJExA+nm8+ZrfNgogMLF1bUuJ2lrSrjCXbD4gC0TJkru0BFB Bj4iCJcO+mnA33fJqCK2gzmPmNpU6qNHb+1sUaNdowUb8FJaAqbPARWcHHQZ3pVN guEGAGUhbCO7gUSlv3KJcpQ0ZWvM5wCRRXh5GGMz+TvVE2eg84/KIKVBcy/hEVGF YLpprMzGDdEmjCKm4j37 =XBno -----END PGP SIGNATURE----- -------------- next part -------------- An HTML attachment was scrubbed... URL: From fauno at endefensadelsl.org Tue Oct 4 03:06:49 2016 From: fauno at endefensadelsl.org (fauno) Date: Tue, 04 Oct 2016 00:06:49 -0300 Subject: [Dev] Parabola OpenRC In-Reply-To: <453e4504-ecbd-7e81-4859-f19f5e3ca7a2@openmailbox.org> References: <453e4504-ecbd-7e81-4859-f19f5e3ca7a2@openmailbox.org> Message-ID: <87d1jgu81i.fsf@endefensadelsl.org> Megver83 writes: > Last time I did a proposal was when I recommended the creation of a forum > https://lists.parabola.nu/pipermail/assist/2016-September/000732.html > some people answered, most of them liked the idea, but I got no answer > from the website developers or the people in charge of that. Maybe last > time my proposal was no very well elaborated, but that?s not a reason to > leave me and anyone without answer. I didn?t like that, but I that > doesn?t repeat. > > Thanks in advance. Feel free to opine about this proposal! hey! have you been around the irc channel? i believe there's people working on openrc packages for quite some time... can't think of a name right now, but just join #parabola @ freenode and ask around :) -- P) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 584 bytes Desc: not available URL: From hahj87 at gmail.com Tue Oct 4 16:36:39 2016 From: hahj87 at gmail.com (Joshua Haase) Date: Tue, 04 Oct 2016 11:36:39 -0500 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo In-Reply-To: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> References: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> Message-ID: <87mvik9ilk.fsf@riseup.net> Luke writes: > _- So this puts the nonprism projects at a crossroads. Do we want to > favour accessibility and "features" over "privacy"?_ I think non-prism should be expected to favour privacy and break sites where needed. > From my personal opinion, nonprism should provide security and privacy > by default. Users can choose to opt-out of nonprism if they wish. This > is easily done by A) not using nonprism, or B) using about:config and/or > user.js to override the settings. I'd rather have nonprism as opt-in. When using Parabola GNU/Linux-libre you customize your system and it's trivial to change your packages from [libre] to [nonprism]. From mariqueerta at bastardi.net Tue Oct 4 16:54:40 2016 From: mariqueerta at bastardi.net (manu) Date: Tue, 4 Oct 2016 18:54:40 +0200 Subject: [Dev] Parabola OpenRC In-Reply-To: <87d1jgu81i.fsf@endefensadelsl.org> References: <453e4504-ecbd-7e81-4859-f19f5e3ca7a2@openmailbox.org> <87d1jgu81i.fsf@endefensadelsl.org> Message-ID: <0b24430c-bb27-995c-ac13-61d627b3196f@bastardi.net> I agree with this. I'd like to make a clean install of Parabola with OpenRC. I thought it sometime. On 04/10/16 05:06, fauno wrote: > Megver83 writes: >> Last time I did a proposal was when I recommended the creation of a forum >> https://lists.parabola.nu/pipermail/assist/2016-September/000732.html >> some people answered, most of them liked the idea, but I got no answer >> from the website developers or the people in charge of that. Maybe last >> time my proposal was no very well elaborated, but that?s not a reason to >> leave me and anyone without answer. I didn?t like that, but I that >> doesn?t repeat. >> >> Thanks in advance. Feel free to opine about this proposal! > > hey! have you been around the irc channel? i believe there's people > working on openrc packages for quite some time... can't think of a name > right now, but just join #parabola @ freenode and ask around :) > > > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From alejandrohp at openmailbox.org Tue Oct 4 18:39:02 2016 From: alejandrohp at openmailbox.org (=?UTF-8?Q?Alejandro_Hern=C3=A1ndez?=) Date: Tue, 04 Oct 2016 20:39:02 +0200 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo In-Reply-To: <87mvik9ilk.fsf@riseup.net> References: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> <87mvik9ilk.fsf@riseup.net> Message-ID: <1b2e440954bfc0fab6a7fe491e12ef27@openmailbox.org> El 2016-10-04 18:36, Joshua Haase escribi?: > Luke writes: > >> _- So this puts the nonprism projects at a crossroads. Do we want to >> favour accessibility and "features" over "privacy"?_ > > I think non-prism should be expected to favour privacy and break sites > where needed. > >> From my personal opinion, nonprism should provide security and privacy >> by default. Users can choose to opt-out of nonprism if they wish. This >> is easily done by A) not using nonprism, or B) using about:config >> and/or >> user.js to override the settings. > > I'd rather have nonprism as opt-in. > > When using Parabola GNU/Linux-libre you customize your system and it's > trivial to change your packages from [libre] to [nonprism]. > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev [PCR repo] I don't understand why libre-software packages, apparently respectful with user rights and stable are not available for all users. ? That's why I think 'PCR' repository should be activated by default. And if they are unstable packages, they should go into another repo like 'pcr-testing'. [nonprism repo] Libre Software is not only about a license, but about respect for user rights. That's why we use it and we've all previously decided that rights are before than features. We want to take advantage of such features (like ubication) but not at cost of giving this info to others who use it against users. Nonprism packages replace other packages in the same way that libre packages do. So I think 'nonprism' repo should also be activated by default. Thanks, From alejandrohp at openmailbox.org Tue Oct 4 19:31:37 2016 From: alejandrohp at openmailbox.org (=?UTF-8?Q?Alejandro_Hern=C3=A1ndez?=) Date: Tue, 04 Oct 2016 21:31:37 +0200 Subject: [Dev] [consensus][due: 2016-10-20] Quarentena for unsecured unmaintained packages Message-ID: <122c00f73c59ce068b8273569f67fba8@openmailbox.org> Hi, I was using 'Icecat' during 4 months. I wrote an email to the developer and I was answered that icecat is not maintained nowadays and it has multiple vulnerabilities. But 'icecat' is available for users into 'libre repo'. Is there a way to put into quarentena non secure or not maintained packages? Not maintained package, with security problems could be into another "(quarentena) repo". Or whatever, but not be (temporarily) available by default for users. ? Thanks, From alejandrohp at openmailbox.org Tue Oct 4 19:39:45 2016 From: alejandrohp at openmailbox.org (=?UTF-8?Q?Alejandro_Hern=C3=A1ndez?=) Date: Tue, 04 Oct 2016 21:39:45 +0200 Subject: [Dev] Parabola OpenRC In-Reply-To: <0b24430c-bb27-995c-ac13-61d627b3196f@bastardi.net> References: <453e4504-ecbd-7e81-4859-f19f5e3ca7a2@openmailbox.org> <87d1jgu81i.fsf@endefensadelsl.org> <0b24430c-bb27-995c-ac13-61d627b3196f@bastardi.net> Message-ID: El 2016-10-04 18:54, manu escribi?: > I agree with this. I'd like to make a clean install of Parabola with > OpenRC. I thought it sometime. > > > On 04/10/16 05:06, fauno wrote: >> Megver83 writes: >>> Last time I did a proposal was when I recommended the creation of a >>> forum >>> https://lists.parabola.nu/pipermail/assist/2016-September/000732.html >>> some people answered, most of them liked the idea, but I got no >>> answer >>> from the website developers or the people in charge of that. Maybe >>> last >>> time my proposal was no very well elaborated, but that?s not a reason >>> to >>> leave me and anyone without answer. I didn?t like that, but I that >>> doesn?t repeat. >>> >>> Thanks in advance. Feel free to opine about this proposal! >> >> hey! have you been around the irc channel? i believe there's people >> working on openrc packages for quite some time... can't think of a >> name >> right now, but just join #parabola @ freenode and ask around :) >> >> >> >> _______________________________________________ >> Dev mailing list >> Dev at lists.parabola.nu >> https://lists.parabola.nu/mailman/listinfo/dev >> > > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev Sorry for not responding. I do not have formed an opinion about systemd vs. OpenRC. From hahj87 at gmail.com Tue Oct 4 19:58:38 2016 From: hahj87 at gmail.com (Joshua Haase) Date: Tue, 04 Oct 2016 14:58:38 -0500 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo In-Reply-To: <1b2e440954bfc0fab6a7fe491e12ef27@openmailbox.org> References: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> <87mvik9ilk.fsf@riseup.net> <1b2e440954bfc0fab6a7fe491e12ef27@openmailbox.org> Message-ID: <87h98rantd.fsf@riseup.net> Alejandro Hern?ndez writes: > [PCR repo] > > I don't understand why libre-software packages, apparently respectful > with user rights and stable are not available for all users. ? That's > why I think 'PCR' repository should be activated by default. And if they > are unstable packages, they should go into another repo like > 'pcr-testing'. +1 > [nonprism repo] > > Libre Software is not only about a license, but about respect for user > rights. That's why we use it and we've all previously decided that > rights are before than features. We want to take advantage of such > features (like ubication) but not at cost of giving this info to others > who use it against users. > > Nonprism packages replace other packages in the same way that libre > packages do. So I think 'nonprism' repo should also be activated by > default. If there is a way to use nonprism by default and install the other version if needed, i'd vote for it to be activated by default. But this repo active by default and stopping you to use the other version is too invasive. From fauno at endefensadelsl.org Tue Oct 4 20:34:23 2016 From: fauno at endefensadelsl.org (fauno) Date: Tue, 04 Oct 2016 17:34:23 -0300 Subject: [Dev] [consensus][due: 2016-10-20] Quarentena for unsecured unmaintained packages In-Reply-To: <122c00f73c59ce068b8273569f67fba8@openmailbox.org> References: <122c00f73c59ce068b8273569f67fba8@openmailbox.org> Message-ID: <87ponfsvjk.fsf@endefensadelsl.org> maybe you can device a shell script that informs when a package hasn't been updated for some time? it would be a matter of parsing pacman -Si output (or the database directly) Alejandro Hern?ndez writes: > Hi, > > I was using 'Icecat' during 4 months. I wrote an email to the developer > and I was answered that icecat is not maintained nowadays and it has > multiple vulnerabilities. But 'icecat' is available for users into > 'libre repo'. > > Is there a way to put into quarentena non secure or not maintained > packages? > Not maintained package, with security problems could be into another > "(quarentena) repo". Or whatever, but not be (temporarily) available by > default for users. > > ? > > Thanks, > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev -- :> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 584 bytes Desc: not available URL: From fauno at endefensadelsl.org Tue Oct 4 21:02:04 2016 From: fauno at endefensadelsl.org (fauno) Date: Tue, 04 Oct 2016 18:02:04 -0300 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo In-Reply-To: <87h98rantd.fsf@riseup.net> References: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> <87mvik9ilk.fsf@riseup.net> <1b2e440954bfc0fab6a7fe491e12ef27@openmailbox.org> <87h98rantd.fsf@riseup.net> Message-ID: <87bmyzsu9f.fsf@endefensadelsl.org> Joshua Haase writes: >> Nonprism packages replace other packages in the same way that libre >> packages do. So I think 'nonprism' repo should also be activated by >> default. > > If there is a way to use nonprism by default and install the other > version if needed, i'd vote for it to be activated by default. > > But this repo active by default and stopping you to use the other > version is too invasive. IMO privacy related changes to packages that don't break things should be applied to any package, so +1 to backport them to [libre] and [pcr]! (for instance, many arch packages contain o=rX permissions for files where they aren't needed... wasn't there an arch-security comitee?) -- :> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 584 bytes Desc: not available URL: From megver83 at openmailbox.org Tue Oct 4 21:02:47 2016 From: megver83 at openmailbox.org (Megver83) Date: Tue, 4 Oct 2016 18:02:47 -0300 Subject: [Dev] Adding Tor Browser to Nonprism repository Message-ID: <47d868ea-c90d-17b6-7dd1-d7a68452add2@openmailbox.org> Hi Parabola developers. I was thinking that it would be a good idea to add Tor browser into the Official repos. I know that nonprism is for replacing packages without services under global data surveillance programs, so maybe it could be added to PCR. It would be a good idea, the packages are in the AUR (you can search tor-browser-yourlanguage) but you can build them from source https://dist.torproject.org/torbrowser/ From alejandrohp at openmailbox.org Tue Oct 4 22:31:22 2016 From: alejandrohp at openmailbox.org (=?UTF-8?Q?Alejandro_Hern=C3=A1ndez?=) Date: Wed, 05 Oct 2016 00:31:22 +0200 Subject: [Dev] [consensus][due: 2016-10-20] Quarentena for unsecured unmaintained packages In-Reply-To: <87ponfsvjk.fsf@endefensadelsl.org> References: <122c00f73c59ce068b8273569f67fba8@openmailbox.org> <87ponfsvjk.fsf@endefensadelsl.org> Message-ID: <53315cf7825bcfe72b3ee11bda13ee55@openmailbox.org> El 2016-10-04 22:34, fauno escribi?: > maybe you can device a shell script that informs when a package hasn't > been updated for some time? it would be a matter of parsing pacman -Si > output (or the database directly) > > Alejandro Hern?ndez writes: > >> Hi, >> >> I was using 'Icecat' during 4 months. I wrote an email to the >> developer >> and I was answered that icecat is not maintained nowadays and it has >> multiple vulnerabilities. But 'icecat' is available for users into >> 'libre repo'. >> >> Is there a way to put into quarentena non secure or not maintained >> packages? >> Not maintained package, with security problems could be into another >> "(quarentena) repo". Or whatever, but not be (temporarily) available >> by >> default for users. >> >> ? >> >> Thanks, >> _______________________________________________ >> Dev mailing list >> Dev at lists.parabola.nu >> https://lists.parabola.nu/mailman/listinfo/dev 'pacman -Si' informs about the compilation date by Parabola team. Maybe with an external script... But I'm talking about what to do with detected unsecured (long time) unmaintained packages. I mean packages without updates with security vulnerabilities known. (Like nowadays 'icecat') From GNUtoo at no-log.org Wed Oct 5 13:09:00 2016 From: GNUtoo at no-log.org (Denis 'GNUtoo' Carikli) Date: Wed, 5 Oct 2016 15:09:00 +0200 Subject: [Dev] Adding Tor Browser to Nonprism repository In-Reply-To: <47d868ea-c90d-17b6-7dd1-d7a68452add2@openmailbox.org> References: <47d868ea-c90d-17b6-7dd1-d7a68452add2@openmailbox.org> Message-ID: <20161005150900.6b45ff33.GNUtoo@no-log.org> On Tue, 4 Oct 2016 18:02:47 -0300 Megver83 wrote: > Hi Parabola developers. I was thinking that it would be a good idea to > add Tor browser into the Official repos. I know that nonprism is for > replacing packages without services under global data surveillance > programs, so maybe it could be added to PCR. Wow, very nice. There is a bugreport to add tor-browser to parabola, maybe you could point to such infos there too. Denis. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From emulatorman at riseup.net Fri Oct 7 13:16:41 2016 From: emulatorman at riseup.net (=?UTF-8?Q?Andr=c3=a9_Silva?=) Date: Fri, 7 Oct 2016 10:16:41 -0300 Subject: [Dev] [consensus][due: 2016-10-20] Quarentena for unsecured unmaintained packages In-Reply-To: <53315cf7825bcfe72b3ee11bda13ee55@openmailbox.org> References: <122c00f73c59ce068b8273569f67fba8@openmailbox.org> <87ponfsvjk.fsf@endefensadelsl.org> <53315cf7825bcfe72b3ee11bda13ee55@openmailbox.org> Message-ID: <109d6204-e9f8-e7b0-4f8b-aff53099d882@riseup.net> On 10/04/2016 07:31 PM, Alejandro Hern?ndez wrote: > But I'm talking about what to do with detected unsecured (long time) > unmaintained packages. I mean packages without updates with security > vulnerabilities known. (Like nowadays 'icecat') We could move icecat to [libre-testing] until new version will be released, what do you think guys? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From emulatorman at riseup.net Fri Oct 7 13:21:55 2016 From: emulatorman at riseup.net (=?UTF-8?Q?Andr=c3=a9_Silva?=) Date: Fri, 7 Oct 2016 10:21:55 -0300 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo In-Reply-To: <87h98rantd.fsf@riseup.net> References: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> <87mvik9ilk.fsf@riseup.net> <1b2e440954bfc0fab6a7fe491e12ef27@openmailbox.org> <87h98rantd.fsf@riseup.net> Message-ID: On 10/04/2016 04:58 PM, Joshua Haase wrote: > Alejandro Hern?ndez writes: >> [PCR repo] >> >> I don't understand why libre-software packages, apparently respectful >> with user rights and stable are not available for all users. ? That's >> why I think 'PCR' repository should be activated by default. And if they >> are unstable packages, they should go into another repo like >> 'pcr-testing'. > > +1 +1 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From emulatorman at riseup.net Fri Oct 7 14:20:34 2016 From: emulatorman at riseup.net (=?UTF-8?Q?Andr=c3=a9_Silva?=) Date: Fri, 7 Oct 2016 11:20:34 -0300 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo In-Reply-To: <87bmyzsu9f.fsf@endefensadelsl.org> References: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> <87mvik9ilk.fsf@riseup.net> <1b2e440954bfc0fab6a7fe491e12ef27@openmailbox.org> <87h98rantd.fsf@riseup.net> <87bmyzsu9f.fsf@endefensadelsl.org> Message-ID: On 10/04/2016 06:02 PM, fauno wrote: > IMO privacy related changes to packages that don't break things should > be applied to any package, so +1 to backport them to [libre] and [pcr]! In my opinion, [nonprism] should be optional since it was created to remove a lot of services that uses global data surveillance programs like PRISM [0], XKeyscore [1] and Tempora [2] (eg. Facebook, Twitter, etc) from our apps (eg. nonprism version of pidgin only works with XMPP and IRC). I suppose there are users would use those services from our apps since it is not a GNU FSDG mandatory requirement to remove them. Otherwise, iceweasel/icedove nonprism packages have various patches to increase not just privacy, but yes security too (eg: iceweasel allows whitelisting/blacklisting domains for purposes of cookies, popups, and addon notifiers. With those hardening/security features, iceweasel nonprism version loads, these lists revert to default settings, causing all user-made changes to be lost [3] and a lot of websites doesn't works [4]) Since it are hardening/security features like Grsecurity for our Linux-libre kernels, i propose: a) Backport **only** privacy features from iceweasel/icedove nonprism version created from those patches to libre ones to increase privacy but without break things or services. b) Use those hardening/security patches from iceweasel/icedove nonprism version and push them to new packages called iceweasel-hardening and icedove-hardening in [libre] as optional way for all users similar than our kernels (eg. linux-libre and linux-libre-grsec) c) Remove nonprism iceweasel/icedove packages in [nonprism] because we will have iceweasel-hardening and icedove-hardening and otherwise it will solve this consensus :P [0]:https://en.wikipedia.org/wiki/PRISM_(surveillance_program) [1]:https://en.wikipedia.org/wiki/XKeyscore [2]:https://en.wikipedia.org/wiki/Tempora [3]:https://labs.parabola.nu/issues/1113 [4]:https://labs.parabola.nu/issues/1114 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From xihh at riseup.net Fri Oct 7 14:54:34 2016 From: xihh at riseup.net (Joshua Haase) Date: Fri, 07 Oct 2016 09:54:34 -0500 Subject: [Dev] [consensus][due: 2016-10-20] Quarentena for unsecured unmaintained packages In-Reply-To: <109d6204-e9f8-e7b0-4f8b-aff53099d882@riseup.net> References: <122c00f73c59ce068b8273569f67fba8@openmailbox.org> <87ponfsvjk.fsf@endefensadelsl.org> <53315cf7825bcfe72b3ee11bda13ee55@openmailbox.org> <109d6204-e9f8-e7b0-4f8b-aff53099d882@riseup.net> Message-ID: <87y420us45.fsf@riseup.net> Andr? Silva writes: > [ Unknown signature status ] > On 10/04/2016 07:31 PM, Alejandro Hern?ndez wrote: >> But I'm talking about what to do with detected unsecured (long time) >> unmaintained packages. I mean packages without updates with security >> vulnerabilities known. (Like nowadays 'icecat') > > We could move icecat to [libre-testing] until new version will be > released, what do you think guys? Agreed. From fauno at endefensadelsl.org Fri Oct 7 16:25:40 2016 From: fauno at endefensadelsl.org (fauno) Date: Fri, 07 Oct 2016 13:25:40 -0300 Subject: [Dev] [consensus][due: 2016-10-20] Quarentena for unsecured unmaintained packages In-Reply-To: <87y420us45.fsf@riseup.net> References: <122c00f73c59ce068b8273569f67fba8@openmailbox.org> <87ponfsvjk.fsf@endefensadelsl.org> <53315cf7825bcfe72b3ee11bda13ee55@openmailbox.org> <109d6204-e9f8-e7b0-4f8b-aff53099d882@riseup.net> <87y420us45.fsf@riseup.net> Message-ID: <87a8egp1mj.fsf@endefensadelsl.org> Joshua Haase writes: > Andr? Silva writes: > >> [ Unknown signature status ] >> On 10/04/2016 07:31 PM, Alejandro Hern?ndez wrote: >>> But I'm talking about what to do with detected unsecured (long time) >>> unmaintained packages. I mean packages without updates with security >>> vulnerabilities known. (Like nowadays 'icecat') >> >> We could move icecat to [libre-testing] until new version will be >> released, what do you think guys? > > Agreed. testing is for new, possible unstable packages, not for old and unmaintained. i'd remove them or move them to [unmaintained]. there's lots of unmaintained packages on [pcr] too... -- :D -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 584 bytes Desc: not available URL: From emulatorman at riseup.net Fri Oct 7 16:54:41 2016 From: emulatorman at riseup.net (=?UTF-8?Q?Andr=c3=a9_Silva?=) Date: Fri, 7 Oct 2016 13:54:41 -0300 Subject: [Dev] [consensus][due: 2016-10-20] Quarentena for unsecured unmaintained packages In-Reply-To: <87a8egp1mj.fsf@endefensadelsl.org> References: <122c00f73c59ce068b8273569f67fba8@openmailbox.org> <87ponfsvjk.fsf@endefensadelsl.org> <53315cf7825bcfe72b3ee11bda13ee55@openmailbox.org> <109d6204-e9f8-e7b0-4f8b-aff53099d882@riseup.net> <87y420us45.fsf@riseup.net> <87a8egp1mj.fsf@endefensadelsl.org> Message-ID: <37c71c9f-1cf6-a091-0cec-3bc96882c7cd@riseup.net> > Joshua Haase writes: > >> Andr? Silva writes: > testing is for new, possible unstable packages, not for old and > unmaintained. > > i'd remove them or move them to [unmaintained]. there's lots of > unmaintained packages on [pcr] too... +1 it's a better idea... Otherwise, if [pcr] will be enabled by default, then i suggest we should back some packages from [libre] to [pcr] (eg: grub2-theme-gnuaxiom [0]) [0]:https://git.parabola.nu/abslibre.git/commit/?id=5a1bfe6b536052fbc386dcb0f9a8d4cf991ec5e3 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From g4jc at openmailbox.org Fri Oct 7 21:47:56 2016 From: g4jc at openmailbox.org (Luke) Date: Fri, 7 Oct 2016 17:47:56 -0400 Subject: [Dev] [consensus][due: 2016-10-20] Quarentena for unsecured unmaintained packages In-Reply-To: <87a8egp1mj.fsf@endefensadelsl.org> References: <122c00f73c59ce068b8273569f67fba8@openmailbox.org> <87ponfsvjk.fsf@endefensadelsl.org> <53315cf7825bcfe72b3ee11bda13ee55@openmailbox.org> <109d6204-e9f8-e7b0-4f8b-aff53099d882@riseup.net> <87y420us45.fsf@riseup.net> <87a8egp1mj.fsf@endefensadelsl.org> Message-ID: <7486788e-8d9f-b1e4-55d2-fbcf424c32f4@openmailbox.org> > Joshua Haase writes: > >> Andr? Silva writes: >> >>> [ Unknown signature status ] >>> On 10/04/2016 07:31 PM, Alejandro Hern?ndez wrote: >>>> But I'm talking about what to do with detected unsecured (long time) >>>> unmaintained packages. I mean packages without updates with security >>>> vulnerabilities known. (Like nowadays 'icecat') >>> We could move icecat to [libre-testing] until new version will be >>> released, what do you think guys? >> Agreed. > testing is for new, possible unstable packages, not for old and > unmaintained. > > i'd remove them or move them to [unmaintained]. there's lots of > unmaintained packages on [pcr] too... > > > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev I agree that [libre-testing] isn't the place for old/unmaintained packages. If a package has been completely abandoned upstream and a security vulnerability has been found, it should probably just be removed. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From isacdaavid at isacdaavid.info Fri Oct 7 22:29:45 2016 From: isacdaavid at isacdaavid.info (Isaac David) Date: Fri, 07 Oct 2016 17:29:45 -0500 Subject: [Dev] [due 2016-10-10]; donations thank you list In-Reply-To: <87fuodtbqs.fsf@endefensadelsl.org> References: <87fuodtbqs.fsf@endefensadelsl.org> Message-ID: <1475879385.1965.0@plebeian.isacdaavid.info> Le lun. 3 oct. 2016 ? 15:32, fauno a ?crit : > * Just put the person's name on the thank you list instead of a > mention > per donation but it wouldn't really mitigate targeted spam if the cost of creating and disposing names is low, would it? I could use a different name every time. Which of the currently accepted systems allow named donors to do this? (Maybe this is not an issue practically speaking). On the other hand some legit donations are driven by recognition, to be blunt. Collapsing records by donor may have an impact on the motivations of some future donors. One plausible solution is to track a donor's name along his/her total contribution and last time of contrubution. I don't think it would place an extra burden on you since that information is already being managed *per donation*. Donors would still risk having their contributions misattributed to a homonym, though. > * Keep accounting separately, on an adequate file (a gnu cash file > attached to the wiki for transparency). I think separating the "thank you" list from the directions on how to contribute may do some good regardless of medium (distinct wiki pages vs file attachment) and the contents' format (full donations vs grouping by name). However I don't see much of a difference TBH. > * Set a minimum donation for appearing on the thank you list (perhaps > 10 > USD or equivalent? just to fend off publicity) I believe this is a good idea considering the record. With a sample size of 39, the average donation is at ~84 USD as of now (all currencies weighed in). In terms of spreadness, there're only 2 donations below 10 USD or equivalent ---one is close to it, the other is a complete outlier---. Also a generous anon is heavily biasing that average upwards with a 2 BTC contribution, so 84 USD is way too high, but I think we've got a handle to expect future donors not to be alienated by a reasonable minimum quantity. -- Isaac David GPG: 38D33EF29A7691134357648733466E12EC7BA943 Tox: 0C730E0156E96E6193A1445D413557FF5F277BA969A4EA20AC9352889D3B390E77651E816F0C -------------- next part -------------- An HTML attachment was scrubbed... URL: From nobody at parabola.nu Mon Oct 10 09:44:50 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Mon, 10 Oct 2016 09:44:50 -0000 Subject: [Dev] Orphan Libre package [linux-libre] marked out-of-date Message-ID: <20161010094450.1008.38676@parabola.nu> noe.dupraz at openmailbox.org wants to notify you that the following packages may be out-of-date: * linux-libre 4.7.6_gnu-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre/ * linux-libre 4.7.6_gnu-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre/ * linux-libre 4.7.6_gnu-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre/ * linux-libre-docs 4.7.6_gnu-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-docs/ * linux-libre-docs 4.7.6_gnu-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-docs/ * linux-libre-docs 4.7.6_gnu-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-docs/ * linux-libre-headers 4.7.6_gnu-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-headers/ * linux-libre-headers 4.7.6_gnu-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-headers/ * linux-libre-headers 4.7.6_gnu-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-headers/ The user provided the following additional text: 4.8-gnu stable is out From alejandrohp at openmailbox.org Mon Oct 10 13:59:26 2016 From: alejandrohp at openmailbox.org (=?UTF-8?Q?Alejandro_Hern=C3=A1ndez?=) Date: Mon, 10 Oct 2016 15:59:26 +0200 Subject: [Dev] [consensus][due: 2016-10-10] Script to obtain the optimized 'mirrorlist' In-Reply-To: <57e0133e-5590-3686-0556-3cb7d62f83e3@riseup.net> References: <7c617d67f9f7ba6b51728714461009db@openmailbox.org> <874m4vk96c.wl-lukeshu@sbcglobal.net> <2defdda20bc2c50d5218c95ad0faddf0@openmailbox.org> <57e0133e-5590-3686-0556-3cb7d62f83e3@riseup.net> Message-ID: <4ce7f01bb5bd8502a0652db27d833a43@openmailbox.org> El 2016-10-02 14:11, Andr? Silva escribi?: > On 10/01/2016 08:55 PM, Alejandro Hern?ndez wrote: >> Wow! You're right. I've found some arch info: >> Mirrors: >> https://wiki.archlinux.org/index.php/Mirrors >> >> And 'Reflector' package. Script which can retrieve the latest mirror >> list from the MirrorStatus web page, filter the most up-to-date >> mirrors, >> sort them by speed and overwrite the file /etc/pacman.d/mirrorlist: >> https://wiki.archlinux.org/index.php/Reflector >> >> And I've read that distributions like 'Bridge Linux' (Arch based) >> incorporates 'reflector' into the update process by default. ? I think >> that is what Parabola needs. > > It could be solved adding reflector to base group [0][1] > > What do you think guys? > > [0]:https://wiki.archlinux.org/index.php/Makepkg#Usage > [1]:https://wiki.archlinux.org/index.php/Frequently_asked_questions#When_will_the_new_release_be_made_available.3F > > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev Bottom line of the [Dev] [consensus][due: 2016-10-10] Script to obtain the optimized 'mirrorlist': " > And I've read that distributions like 'Bridge Linux' (Arch based) > incorporates 'reflector' into the update process by default. ? I think > that is what Parabola needs. It could be solved adding reflector to base group [0][1] What do you think guys? [0]:https://wiki.archlinux.org/index.php/Makepkg#Usage [1]:https://wiki.archlinux.org/index.php/Frequently_asked_questions#When_will_the_new_release_be_made_available.3F " * subject to change From adfeno at openmailbox.org Mon Oct 10 14:47:25 2016 From: adfeno at openmailbox.org (Adonay Felipe Nogueira) Date: Mon, 10 Oct 2016 11:47:25 -0300 Subject: [Dev] [News] GNU and Bola comic book titled "IoT" is available in British English language! In-Reply-To: References: <766de3c9-9210-852a-ee17-0c6cf2489b3f@riseup.net> <1473531162.13575.36.camel@adfeno-VPCEG17FB> <1473593949.19103.8.camel@adfeno-VPCEG17FB> Message-ID: <1476110845.3336.4.camel@adfeno-VPCEG17FB> Sorry for resurrecting this discussion, but the translation of the article is ready, and is attached in this email. Respectfully, Adonay. -- # pt-BR: Brasileiro | en: Brazilian * pt-BR: Palestra sobre liberdade de software (movimento filos?fico pol?tico-social, n?o tecnol?gico). * en: Gives talks about software freedom (philosophical, political and social movement, not technological). * pt-BR: Volunt?rio avaliador de liberdade de software (para software pagos ou gratuitos). * en: Volunteer evaluator of software freedom (for paid software, or gratis software). * pt-BR: Presta suporte e consultoria b?sicos sobre software livre. * en: Gives basic support and consulting about free/libre software. ## pt-BR: Sobre mim e contato | en: About me and contact -------------- next part -------------- A non-text attachment was scrubbed... Name: Review - What is Internet of Things.odt Type: application/vnd.oasis.opendocument.text Size: 82061 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 213 bytes Desc: This is a digitally signed message part URL: From lovell.joshyyy at gmail.com Mon Oct 10 22:50:23 2016 From: lovell.joshyyy at gmail.com (Josh Branning) Date: Mon, 10 Oct 2016 23:50:23 +0100 Subject: [Dev] [News] GNU and Bola comic book titled "IoT" is available in British English language! In-Reply-To: <1476110845.3336.4.camel@adfeno-VPCEG17FB> References: <766de3c9-9210-852a-ee17-0c6cf2489b3f@riseup.net> <1473531162.13575.36.camel@adfeno-VPCEG17FB> <1473593949.19103.8.camel@adfeno-VPCEG17FB> <1476110845.3336.4.camel@adfeno-VPCEG17FB> Message-ID: <57FC1B2F.7020808@gmail.com> On 10/10/16 15:47, Adonay Felipe Nogueira wrote: > Sorry for resurrecting this discussion, but the translation of the > article is ready, and is attached in this email. > > > Respectfully, Adonay. > > > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev > Thanks for sharing. From nobody at parabola.nu Tue Oct 11 01:12:34 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Tue, 11 Oct 2016 01:12:34 -0000 Subject: [Dev] Orphan Libre package [linux-libre-grsec] marked out-of-date Message-ID: <20161011011234.1008.63304@parabola.nu> jc_gargma at iserlohn-fortress.net wants to notify you that the following packages may be out-of-date: * linux-libre-grsec 1:4.7.6_gnu.r201609301918-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-grsec/ * linux-libre-grsec 1:4.7.6_gnu.r201609301918-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec/ * linux-libre-grsec 1:4.7.6_gnu.r201609301918-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec/ * linux-libre-grsec-docs 1:4.7.6_gnu.r201609301918-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-grsec-docs/ * linux-libre-grsec-docs 1:4.7.6_gnu.r201609301918-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec-docs/ * linux-libre-grsec-docs 1:4.7.6_gnu.r201609301918-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec-docs/ * linux-libre-grsec-headers 1:4.7.6_gnu.r201609301918-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-grsec-headers/ * linux-libre-grsec-headers 1:4.7.6_gnu.r201609301918-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec-headers/ * linux-libre-grsec-headers 1:4.7.6_gnu.r201609301918-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec-headers/ The user provided the following additional text: Grsecurity has released a patch for 4.7.7 From nobody at parabola.nu Tue Oct 11 06:27:23 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Tue, 11 Oct 2016 06:27:23 -0000 Subject: [Dev] Orphan Libre package [epiphany] marked out-of-date Message-ID: <20161011062723.1007.89699@parabola.nu> jm.100best at hotmail.com wants to notify you that the following packages may be out-of-date: * epiphany 3.20.3-2.parabola1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/epiphany/ * epiphany 3.20.3-2.parabola1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/epiphany/ * epiphany 3.20.3-2.parabola1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/epiphany/ The user provided the following additional text: GNOME 3.22.0 is out. From adfeno at openmailbox.org Tue Oct 11 12:14:29 2016 From: adfeno at openmailbox.org (Adonay Felipe Nogueira) Date: Tue, 11 Oct 2016 09:14:29 -0300 Subject: [Dev] [News] GNU and Bola comic book titled "IoT" is available in British English language! In-Reply-To: <57FC1B2F.7020808@gmail.com> References: <766de3c9-9210-852a-ee17-0c6cf2489b3f@riseup.net> <1473531162.13575.36.camel@adfeno-VPCEG17FB> <1473593949.19103.8.camel@adfeno-VPCEG17FB> <1476110845.3336.4.camel@adfeno-VPCEG17FB> <57FC1B2F.7020808@gmail.com> Message-ID: <1476188069.3508.0.camel@adfeno-VPCEG17FB> You're welcome! :) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 213 bytes Desc: This is a digitally signed message part URL: From fauno at endefensadelsl.org Thu Oct 13 01:06:21 2016 From: fauno at endefensadelsl.org (fauno) Date: Wed, 12 Oct 2016 22:06:21 -0300 Subject: [Dev] Fwd: ghostscript vulnerabilities Message-ID: <87wphdhxbm.fsf@endefensadelsl.org> fyi -- http://utopia.partidopirata.com.ar/ -------------------- Start of forwarded message -------------------- From: ludo at gnu.org (Ludovic Court?s) To: bug-ghostscript at gnu.org, didier at famille-link.fr Subject: Re: ghostscript vulnerabilities Date: Wed, 12 Oct 2016 23:13:54 +0200 Cc: guix-devel at gnu.org, Alex Vong Hello Didier and all, We are wondering about the applicability to GNU?Ghostscript of the recent vulnerabilities discovered in AGPL?Ghostscript: Alex Vong skribis: > Salvatore Bonaccorso writes: > >> ------------------------------------------------------------------------- >> Debian Security Advisory DSA-3691-1 security at debian.org >> https://www.debian.org/security/ Salvatore Bonaccorso >> October 12, 2016 https://www.debian.org/security/faq >> ------------------------------------------------------------------------- >> >> Package : ghostscript >> CVE ID : CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 >> CVE-2016-7979 CVE-2016-8602 >> Debian Bug : 839118 839260 839841 839845 839846 840451 >> >> Several vulnerabilities were discovered in Ghostscript, the GPL >> PostScript/PDF interpreter, which may lead to the execution of arbitrary >> code or information disclosure if a specially crafted Postscript file is >> processed. [...] > I've checked just now. GNU Ghostscript is also affected at least by > CVE-2016-8602. Looking at the patch in this bug report[0] and the > source[1], one can see that the vulnerable lines are present in GNU > Ghostscript. What should we do now? > > [0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840451 > [1]: http://git.savannah.gnu.org/cgit/ghostscript.git/tree/psi/zht2.c WDYT? Perhaps a new release incorporating the fixes is in order? Thanks, Ludo?. -------------------- End of forwarded message -------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 584 bytes Desc: not available URL: From g4jc at openmailbox.org Fri Oct 14 03:30:15 2016 From: g4jc at openmailbox.org (Luke) Date: Thu, 13 Oct 2016 23:30:15 -0400 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo In-Reply-To: References: <72939cbf-da6f-dca5-74b3-e78ccb8bfd3c@openmailbox.org> <87mvik9ilk.fsf@riseup.net> <1b2e440954bfc0fab6a7fe491e12ef27@openmailbox.org> <87h98rantd.fsf@riseup.net> <87bmyzsu9f.fsf@endefensadelsl.org> Message-ID: <6f1548cc-b2d2-c852-32eb-867c23b867d6@openmailbox.org> On 10/07/2016 10:20 AM, Andr? Silva wrote: > On 10/04/2016 06:02 PM, fauno wrote: >> IMO privacy related changes to packages that don't break things should >> be applied to any package, so +1 to backport them to [libre] and [pcr]! > In my opinion, [nonprism] should be optional since it was created to > remove a lot of services that uses global data surveillance programs > like PRISM [0], XKeyscore [1] and Tempora [2] (eg. Facebook, Twitter, > etc) from our apps (eg. nonprism version of pidgin only works with XMPP > and IRC). I suppose there are users would use those services from our > apps since it is not a GNU FSDG mandatory requirement to remove them. > > Otherwise, iceweasel/icedove nonprism packages have various patches to > increase not just privacy, but yes security too (eg: iceweasel allows > whitelisting/blacklisting domains for purposes of cookies, popups, and > addon notifiers. With those hardening/security features, iceweasel > nonprism version loads, these lists revert to default settings, causing > all user-made changes to be lost [3] and a lot of websites doesn't works > [4]) > > Since it are hardening/security features like Grsecurity for our > Linux-libre kernels, i propose: > > a) Backport **only** privacy features from iceweasel/icedove nonprism > version created from those patches to libre ones to increase privacy but > without break things or services. > > b) Use those hardening/security patches from iceweasel/icedove nonprism > version and push them to new packages called iceweasel-hardening and > icedove-hardening in [libre] as optional way for all users similar than > our kernels (eg. linux-libre and linux-libre-grsec) > > c) Remove nonprism iceweasel/icedove packages in [nonprism] because we > will have iceweasel-hardening and icedove-hardening and otherwise it > will solve this consensus :P > > [0]:https://en.wikipedia.org/wiki/PRISM_(surveillance_program) > [1]:https://en.wikipedia.org/wiki/XKeyscore > [2]:https://en.wikipedia.org/wiki/Tempora > [3]:https://labs.parabola.nu/issues/1113 > [4]:https://labs.parabola.nu/issues/1114 > > > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev I just noticed that by moving the nonprism edition to to testing it causes pacman to update to libre edition. I additionally noticed that p_roxy settings are wiped and setting a proxy does not work with this version_: _icedove 1:45.4.0.deb1-1_ As it is a possible security vulnerability to those using a proxy, users should be advised of this issue... We also still never determined by consensus how to deal with this issue. I think that /your-privacy/ package should encourage users to use icedove-hardened or nonprism editions. Consensus still needed! -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From nobody at parabola.nu Thu Oct 20 08:26:53 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Thu, 20 Oct 2016 08:26:53 -0000 Subject: [Dev] Orphan Libre package [acpi_call] marked out-of-date Message-ID: <20161020082653.1308.54983@parabola.nu> alessi at robertalessi.net wants to notify you that the following packages may be out-of-date: * acpi_call 1.1.0-49.parabola1.basekernel4.7 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/acpi_call/ * acpi_call 1.1.0-49.parabola1.basekernel4.7 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/acpi_call/ * acpi_call 1.1.0-49.parabola1.basekernel4.7 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/acpi_call/ The user provided the following additional text: Hi, The rule 'linux-libre<4.8 (virtual)' prevents linux-libre from being upgraded to 4.8.x. Thanks, -- Robert From nobody at parabola.nu Thu Oct 20 18:43:37 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Thu, 20 Oct 2016 18:43:37 -0000 Subject: [Dev] Orphan Libre package [linux-libre-grsec] marked out-of-date Message-ID: <20161020184337.1307.14367@parabola.nu> jc_gargma at iserlohn-fortress.net wants to notify you that the following packages may be out-of-date: * linux-libre-grsec 1:4.7.8_gnu.r201610161720-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec/ * linux-libre-grsec 1:4.7.8_gnu.r201610161720-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec/ * linux-libre-grsec-docs 1:4.7.8_gnu.r201610161720-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec-docs/ * linux-libre-grsec-docs 1:4.7.8_gnu.r201610161720-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec-docs/ * linux-libre-grsec-headers 1:4.7.8_gnu.r201610161720-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec-headers/ * linux-libre-grsec-headers 1:4.7.8_gnu.r201610161720-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec-headers/ The user provided the following additional text: Grsecurity has released a patch for 4.7.9 From nobody at parabola.nu Mon Oct 24 01:50:43 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Mon, 24 Oct 2016 01:50:43 -0000 Subject: [Dev] Orphan Libre package [linux-libre] marked out-of-date Message-ID: <20161024015043.1308.15068@parabola.nu> jm.100best at hotmail.com wants to notify you that the following packages may be out-of-date: * linux-libre 4.8.3_gnu-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre/ * linux-libre 4.8.3_gnu-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre/ * linux-libre 4.8.3_gnu-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre/ * linux-libre-docs 4.8.3_gnu-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-docs/ * linux-libre-docs 4.8.3_gnu-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-docs/ * linux-libre-docs 4.8.3_gnu-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-docs/ * linux-libre-headers 4.8.3_gnu-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-headers/ * linux-libre-headers 4.8.3_gnu-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-headers/ * linux-libre-headers 4.8.3_gnu-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-headers/ The user provided the following additional text: linux-libre 4.8.4 From nobody at parabola.nu Mon Oct 24 21:51:07 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Mon, 24 Oct 2016 21:51:07 -0000 Subject: [Dev] Orphan Libre package [linux-libre-grsec] marked out-of-date Message-ID: <20161024215107.1308.83012@parabola.nu> jc_gargma at iserlohn-fortress.net wants to notify you that the following packages may be out-of-date: * linux-libre-grsec 1:4.7.9_gnu.r201610200819-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec/ * linux-libre-grsec 1:4.7.9_gnu.r201610200819-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec/ * linux-libre-grsec-docs 1:4.7.9_gnu.r201610200819-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec-docs/ * linux-libre-grsec-docs 1:4.7.9_gnu.r201610200819-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec-docs/ * linux-libre-grsec-headers 1:4.7.9_gnu.r201610200819-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec-headers/ * linux-libre-grsec-headers 1:4.7.9_gnu.r201610200819-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec-headers/ The user provided the following additional text: Grsecurity has released a patch for 4.7.10 From nobody at parabola.nu Wed Oct 26 06:28:59 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Wed, 26 Oct 2016 06:28:59 -0000 Subject: [Dev] Orphan Libre package [iceweasel-ublock-origin] marked out-of-date Message-ID: <20161026062859.1308.4194@parabola.nu> jc_gargma at iserlohn-fortress.net wants to notify you that the following packages may be out-of-date: * iceweasel-ublock-origin 1.9.12-1 [libre] (any): https://parabolagnulinux.org/packages/libre/any/iceweasel-ublock-origin/ The user provided the following additional text: uBlock Origin 1.9.16 has been released. From alejandrohp at openmailbox.org Wed Oct 26 19:43:28 2016 From: alejandrohp at openmailbox.org (=?UTF-8?Q?Alejandro_Hern=C3=A1ndez?=) Date: Wed, 26 Oct 2016 21:43:28 +0200 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo Message-ID: I have to say that as an user I had no idea about the existence of a 'nonprism' repo. So I think the repo should be available by default to the users. Just the same way 'pcr' should be. ? 'nonprism' repo is the result of the developers' job and it is a great feature for the defense of the user rights. ? On the other hand, it could be two options to deal with 'nonprism' repo: Actually, the 'nonprism' packages version replace the original. Maybe there, is where I could accept that it were not activated by default to replace them. Perhaps it could happen when the package 'your-privacy' were installed: A way for the user to express that they prefer privacy vs features. ? I prefer to use the 'nonprism' versions, and just in case it would be neccessary, like when using 'no-script' 'iceweasel' deactivate it. So, it could exist a way to open a new window of 'iceweasel' with 'nonprism' features deactivated.? Sorry if I'm out of date. Thanks. From alejandrohp at openmailbox.org Wed Oct 26 20:09:11 2016 From: alejandrohp at openmailbox.org (=?UTF-8?Q?Alejandro_Hern=C3=A1ndez?=) Date: Wed, 26 Oct 2016 22:09:11 +0200 Subject: [Dev] [consensus] Quarentena for unsecured unmaintained packages Message-ID: <64586134381c414a13e4ece04a36c27b@openmailbox.org> Bottom line of the [Dev] [consensus][due: 2016-10-20] Quarentena for unsecured unmaintained packages: - Unsecured unmaintained packages should be removed. ? *subject to changes. From g4jc at openmailbox.org Wed Oct 26 22:35:11 2016 From: g4jc at openmailbox.org (Luke) Date: Wed, 26 Oct 2016 18:35:11 -0400 Subject: [Dev] [consensus] Features vs. Privacy in nonprism repo In-Reply-To: References: Message-ID: On 10/26/2016 03:43 PM, Alejandro Hern?ndez wrote: > I have to say that as an user I had no idea about the existence of a > 'nonprism' repo. So I think the repo should be available by default to > the users. Just the same way 'pcr' should be. ? > > 'nonprism' repo is the result of the developers' job and it is a great > feature for the defense of the user rights. ? > > ... > > Sorry if I'm out of date. > Thanks. > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev Thank you for your comments, you're slightly out of date but just in time for a new consensus. :) I will be making a new letter to the mailing list concerning the depth of nonprism and a meta package suggestion. Luke -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From alejandrohp at openmailbox.org Wed Oct 26 23:15:42 2016 From: alejandrohp at openmailbox.org (=?UTF-8?Q?Alejandro_Hern=C3=A1ndez?=) Date: Thu, 27 Oct 2016 01:15:42 +0200 Subject: [Dev] [consensus] Quarentena for unsecured unmaintained packages In-Reply-To: <64586134381c414a13e4ece04a36c27b@openmailbox.org> References: <64586134381c414a13e4ece04a36c27b@openmailbox.org> Message-ID: El 2016-10-26 22:09, Alejandro Hern?ndez escribi?: > Bottom line of the [Dev] [consensus][due: 2016-10-20] Quarentena for > unsecured unmaintained packages: > > - Unsecured unmaintained packages should be removed. ? > > > *subject to changes. > > > > _______________________________________________ > Dev mailing list > Dev at lists.parabola.nu > https://lists.parabola.nu/mailman/listinfo/dev Oh, I've seen a new repo called 'Unmaintained'. So, - Unsecured unmaintained packages should be moved to 'Unmaintained' repo. ? *subject to changes. From g4jc at openmailbox.org Wed Oct 26 23:22:45 2016 From: g4jc at openmailbox.org (Luke) Date: Wed, 26 Oct 2016 19:22:45 -0400 Subject: [Dev] [consensus due 11-11-16] Defining the nonprism repo Message-ID: <981c94d4-fe6c-85c6-0577-0c3a5307d23c@openmailbox.org> Hello All, Per the last consensus there was the recommendation to keep nonprism "secure", and to split the iceweasel package into two packages to avoid impacting users with less "features".[1] Since your-privacy enforces the iceweasel-nonprism upgrade, many users did not like it. So the package that is built now was renamed to iceweasel-hardened. This causes it to not conflict with iceweasel and hence not bother users any more. Since it is a community package it also ended up in [pcr]. The problem I see with this is, people are using nonprism thinking they are getting the most secure setup - and are not. However, it is still technically in line with the current purpose of nonprism which is "not using insecure/privacy invasive protocols". The nonprism repo's descriptive purpose is not very well defined on our wiki, so there is no statement as to how secure it should be. [2] To fix this issue I propose the following two proposals for consensus, and two questions: 1) Re-define or rename [nonprism] so that it also includes packages for hardened, secure defaults, and less metadata/fingerprinting. 2) Provide a "meta package" that installs your-privacy-*hardened/options* rather than just your-privacy. It can recommend packages, but they will not be mandatory and should not conflict with other software, so that users can comfortably have "iceweasel"(insecure) and "iceweasel-hardened" both voluntarily installed on the same system. 3) Should we just remove iceweasel/icedove-nonprism instead of further complicating things by keeping 3 packages? e.g. icedove/iceweasel (insecure), icedove/iceweasel(nonprism/non-free protocols facebook and crapware removed), and iceweasel/icedove-hardened (which contain actual hardening and some resistance against fingerprinting.) 4) Should iceweasel/icedove-hardened be kept in [pcr] or moved back to [nonprism] when/if nonprism is re-defined to include hardening? Why?: As we now know, PRISM was only a very small portion of global mass surveillance. [3] Even if you are not using privacy invasive protocols/apps, it doesn't really help you at all. Most of the attacks are done from insecure defaults, (such as WebRTC, WebSockets, et. all) and browser fingerprinting.[4] I think it is the expectation of Parabola's privacy repo to provide the most secure/privacy respecting packages, even if that means breaking some features. However, for a reasonable compromise a voluntary meta package seems like the best option. Thanks for your input! Luke 1. https://lists.parabola.nu/pipermail/dev/2016-October/004539.html 2. https://wiki.parabola.nu/Nonprism 3. https://www.privacytools.io/#ukusa 4. https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From emulatorman at riseup.net Thu Oct 27 02:34:46 2016 From: emulatorman at riseup.net (=?UTF-8?Q?Andr=c3=a9_Silva?=) Date: Wed, 26 Oct 2016 23:34:46 -0300 Subject: [Dev] [consensus due 11-11-16] Defining the nonprism repo In-Reply-To: <981c94d4-fe6c-85c6-0577-0c3a5307d23c@openmailbox.org> References: <981c94d4-fe6c-85c6-0577-0c3a5307d23c@openmailbox.org> Message-ID: <8994bce9-3e0e-84cf-7cfa-c8e03eeaab44@riseup.net> On 10/26/2016 08:22 PM, Luke wrote: > Since your-privacy enforces the iceweasel-nonprism upgrade, many users > did not like it. So the package that is built now was renamed to > iceweasel-hardened. This causes it to not conflict with iceweasel and > hence not bother users any more. Since it is a community package it also > ended up in [pcr]. Those packages were renamed under hardening suffix, not hardened one [0][1] > 1) Re-define or rename [nonprism] so that it also includes packages for > hardened, secure defaults, and less metadata/fingerprinting. +1 I think we should re-define it creating a FSDG-liked article inside nonprism wiki [2] following Snowden docs and put those references too. It will gives a better clarification for all users and Nonprism goal. [0]:https://www.parabola.nu/packages/pcr/x86_64/iceweasel-hardening/ [1]:https://www.parabola.nu/packages/pcr/x86_64/icedove-hardening/ [2]:https://wiki.parabola.nu/Nonprism -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From emulatorman at riseup.net Thu Oct 27 03:15:19 2016 From: emulatorman at riseup.net (=?UTF-8?Q?Andr=c3=a9_Silva?=) Date: Thu, 27 Oct 2016 00:15:19 -0300 Subject: [Dev] [consensus due 11-11-16] Defining the nonprism repo In-Reply-To: <8994bce9-3e0e-84cf-7cfa-c8e03eeaab44@riseup.net> References: <981c94d4-fe6c-85c6-0577-0c3a5307d23c@openmailbox.org> <8994bce9-3e0e-84cf-7cfa-c8e03eeaab44@riseup.net> Message-ID: On 10/26/2016 11:34 PM, Andr? Silva wrote: > On 10/26/2016 08:22 PM, Luke wrote: >> 1) Re-define or rename [nonprism] so that it also includes packages for >> hardened, secure defaults, and less metadata/fingerprinting. > > +1 I think we should re-define it creating a FSDG-liked article inside > nonprism wiki [2] following Snowden docs and put those references too. > It will gives a better clarification for all users and Nonprism goal. > > [0]:https://www.parabola.nu/packages/pcr/x86_64/iceweasel-hardening/ > [1]:https://www.parabola.nu/packages/pcr/x86_64/icedove-hardening/ > [2]:https://wiki.parabola.nu/Nonprism In my opinion, it should remove our current **hardening** packages to include all-features-in-one inside all nonprism packages, more KISS for the Parabola packagers :P Otherwise, Nonprism wiki could contain a reference about opt-out of privacy/security surveillance for nonprism users who wish it in a different/specific article with suggestions (eg. override options in about:config using a user.js file) from Parabola wiki. It could be explained in ice{dove,weasel} install files as a notice to looking for those articles. What do you think guys? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From hahj87 at gmail.com Thu Oct 27 22:28:07 2016 From: hahj87 at gmail.com (Joshua Haase) Date: Thu, 27 Oct 2016 17:28:07 -0500 Subject: [Dev] [consensus due 11-11-16] Defining the nonprism repo In-Reply-To: <981c94d4-fe6c-85c6-0577-0c3a5307d23c@openmailbox.org> References: <981c94d4-fe6c-85c6-0577-0c3a5307d23c@openmailbox.org> Message-ID: <878tt9a0lk.fsf@riseup.net> Luke writes: > Hello All, > Per the last consensus there was the recommendation to keep nonprism > "secure", and to split the iceweasel package into two packages to avoid > impacting users with less "features".[1] I would expect [nonprism] would be secure by default, but the repo should be activated as opt-in. > The problem I see with this is, people are using nonprism thinking they > are getting the most secure setup - and are not. However, it is still > technically in line with the current purpose of nonprism which is "not > using insecure/privacy invasive protocols". The nonprism repo's > descriptive purpose is not very well defined on our wiki, so there is no > statement as to how secure it should be. [2] > > To fix this issue I propose the following two proposals for consensus, > and two questions: > > 1) Re-define or rename [nonprism] so that it also includes packages for > hardened, secure defaults, and less metadata/fingerprinting. I agree hardened packages belong here. > 2) Provide a "meta package" that installs > your-privacy-*hardened/options* rather than just your-privacy. It can > recommend packages, but they will not be mandatory and should not > conflict with other software, so that users can comfortably have > "iceweasel"(insecure) and "iceweasel-hardened" both voluntarily > installed on the same system. Can't find any 'your-privacy' package. > 3) Should we just remove iceweasel/icedove-nonprism instead of further > complicating things by keeping 3 packages? > e.g. icedove/iceweasel (insecure), icedove/iceweasel(nonprism/non-free > protocols facebook and crapware removed), and iceweasel/icedove-hardened > (which contain actual hardening and some resistance against fingerprinting.) [libre] iceweasel/icedove (insecure) [nonprism] iceweasel-hardened icedove-hardened Could this be installed side by side? This way users could try running `iceweasel-hardened` and use just `iceweasel` where needed. Or maybe using a `iceweasel` (hardened) and `iceweasel-without-privacy` where needed. A logo and a warning on installation could help make people aware of this options. > 4) Should iceweasel/icedove-hardened be kept in [pcr] or moved back to > [nonprism] when/if nonprism is re-defined to include hardening? I vouch for Yes. > I think it is the expectation of Parabola's privacy repo to provide the > most secure/privacy respecting packages, even if that means breaking > some features. However, for a reasonable compromise a voluntary meta > package seems like the best option. +1 From xihh at riseup.net Thu Oct 27 22:36:08 2016 From: xihh at riseup.net (Joshua Haase) Date: Thu, 27 Oct 2016 17:36:08 -0500 Subject: [Dev] [consensus due 11-11-16] Defining the nonprism repo In-Reply-To: References: <981c94d4-fe6c-85c6-0577-0c3a5307d23c@openmailbox.org> <8994bce9-3e0e-84cf-7cfa-c8e03eeaab44@riseup.net> Message-ID: <87pomll8rr.fsf@riseup.net> Andr? Silva writes: > On 10/26/2016 11:34 PM, Andr? Silva wrote: > In my opinion, it should remove our current **hardening** packages to > include all-features-in-one inside all nonprism packages, more KISS for > the Parabola packagers :P I think this packages which are invasive to users should be opt-in. They should be *visible* nonetheless. Also, I think nonprism should only contain the hardened packages. This would mean less work for parabola packagers and a lesser margin of error for the users. > Otherwise, Nonprism wiki could contain a reference about opt-out of > privacy/security surveillance for nonprism users who wish it in a > different/specific article with suggestions (eg. override options in > about:config using a user.js file) from Parabola wiki. It could be > explained in ice{dove,weasel} install files as a notice to looking for > those articles. What do you think guys? Or we could provide an easy but optional way (with a small added overhead) to temporarily use an insecure way where needed. install files should be a good way to let the users know. From emulatorman at riseup.net Sat Oct 29 15:15:04 2016 From: emulatorman at riseup.net (=?UTF-8?Q?Andr=c3=a9_Silva?=) Date: Sat, 29 Oct 2016 12:15:04 -0300 Subject: [Dev] [consensus] Quarentena for unsecured unmaintained packages In-Reply-To: References: <64586134381c414a13e4ece04a36c27b@openmailbox.org> Message-ID: <517cf173-cb2e-d95f-c8d7-b7525676cda9@riseup.net> On 10/26/2016 08:15 PM, Alejandro Hern?ndez wrote: > El 2016-10-26 22:09, Alejandro Hern?ndez escribi?: >> Bottom line of the [Dev] [consensus][due: 2016-10-20] Quarentena for >> unsecured unmaintained packages: >> >> - Unsecured unmaintained packages should be removed. ? >> >> >> *subject to changes. >> >> >> >> _______________________________________________ >> Dev mailing list >> Dev at lists.parabola.nu >> https://lists.parabola.nu/mailman/listinfo/dev > > Oh, I've seen a new repo called 'Unmaintained'. So, > > - Unsecured unmaintained packages should be moved to 'Unmaintained' repo. ? > > > *subject to changes. IceCat and its dependencies were moved to the unmaintained repo [0][1] since it has been proposed under consensus [2] Otherwise, if you consider there are more packages to be moved to this repo, please give us a list about those unsecured unmaintained packages with references. [0]:https://git.parabola.nu/abslibre.git/commit/?id=e8907fab6658afc6681f1a40e28f058fa87f4575 [1]:https://www.parabola.nu/packages/?sort=-last_update&repo=Unmaintained&q=&maintainer=&flagged= [2]:https://lists.parabola.nu/pipermail/dev/2016-October/004529.html -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From nobody at parabola.nu Sat Oct 29 19:24:08 2016 From: nobody at parabola.nu (Parabola Website Notification) Date: Sat, 29 Oct 2016 19:24:08 -0000 Subject: [Dev] Orphan Libre package [linux-libre-grsec] marked out-of-date Message-ID: <20161029192408.1307.19647@parabola.nu> jc_gargma at iserlohn-fortress.net wants to notify you that the following packages may be out-of-date: * linux-libre-grsec 1:4.7.10_gnu.r201610222037-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-grsec/ * linux-libre-grsec 1:4.7.10_gnu.r201610222037-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec/ * linux-libre-grsec 1:4.7.10_gnu.r201610222037-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec/ * linux-libre-grsec-docs 1:4.7.10_gnu.r201610222037-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-grsec-docs/ * linux-libre-grsec-docs 1:4.7.10_gnu.r201610222037-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec-docs/ * linux-libre-grsec-docs 1:4.7.10_gnu.r201610222037-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec-docs/ * linux-libre-grsec-headers 1:4.7.10_gnu.r201610222037-1 [libre] (armv7h): https://parabolagnulinux.org/packages/libre/armv7h/linux-libre-grsec-headers/ * linux-libre-grsec-headers 1:4.7.10_gnu.r201610222037-1 [libre] (i686): https://parabolagnulinux.org/packages/libre/i686/linux-libre-grsec-headers/ * linux-libre-grsec-headers 1:4.7.10_gnu.r201610222037-1 [libre] (x86_64): https://parabolagnulinux.org/packages/libre/x86_64/linux-libre-grsec-headers/ The user provided the following additional text: Grsecurity has released an updated patch for 4.7.10