Re: [aur-general] acroread package compromised
On 07/09/2018 04:37 PM, Giancarlo Razzolini via aur-general wrote:
> Hi Bennet,
>
> This would be a warning for what exactly? That orphaned packages can
> be adopted by anyone? That we have a big bold disclaimer on the front
> page of the AUR clearly stating that you should use any content at
> your own risk?

No, that people should check what they install.
A script that creates `compromised.txt` in the root and all home folders
looks like a warning to me.

I agree with you and Ben Oliver, people should expect this. I wasn't
saying that I was surprised about it.

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] acroread package compromised
On 07/08/2018 05:00 PM, Eli Schwartz via aur-general wrote:
> Side note on the acroread pastes: https://ptpb.pw/~x was executed by the
> PKGBUILD, which in turn executed https://ptpb.pw/~u. But the thing it
> installed declares an upload() function then tries to execute the
> contents of $uploader to actually upload the data collection.
>
> So it basically wouldn't work as-is anyway.

    for x in /root /home/*; do
        if [[ -w "$x/compromised.txt" ]]; then
            echo "$FULL_LOG" > "$x/compromised.txt"
        fi
    done

Looks to me like this is more of a warning than anything else, no?
Why would he create those files otherwise, given how much attention that
would attract?

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] Moving xss-lock to community
On 01/18/2018 09:37 PM, Alad Wenter via aur-general wrote:
> See the bug report I linked in the first reply.
>
> https://bitbucket.org/raymonad/xss-lock/issues/17/does-not-report-activity-to-systemd-logind

Right, that is actually something else than what I did.
I used `xset s` to trigger on inactivity, and xss-lock correctly locks
the screen when that happens.

So it seems like it can still be used as a replacement for xautolock.

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] Moving xss-lock to community
On 01/18/2018 09:25 PM, Alad Wenter via aur-general wrote:
> On Thu, Jan 18, 2018 at 09:24:04PM +0100, Bennett Piater wrote:
> Except, as noted, that "major feature" doesn't work at all...

Doesn't it? It appeared to work when I tried it, and that was this
morning...

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] Moving xss-lock to community
This doesn't take care of locking on inactivity though, which is the
other major feature of xss-lock.

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] TU application for Eli Schwartz
> Hmm, the meticulous reviewer of TU candidates now applies for TU... I'm
> unsure if this will result in either
>
> * the singularity,
> * an infinite energy source,
>
> or, - shivers down my spine -
>
> * Allan no longer breaking things.
>
> However that may be, you've submitted a model application and I think you'd
> make a great addition to the team.

I expect an infinite recursion of himself reviewing his own PKGBUILDs ;)

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] Could someone please bring back the skypeforlinux-beta-bin package?
> In this situation you should bump the pkgrel and push it. This would
> "create" the package again in the AUR.
>
> We don't actually delete the repositories, they are always there.

Or,

    ssh aur.archlinux.org restore $pkgbase

Even better because you don't need to touch the pkgrel.

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
[aur-general] aursec - blockchain-based verification of AUR packages
Hello,

we are pleased to announce the release of aursec [0], a tool which aims
to improve the security of using the AUR. We are writing it as part of
our Bachelor's thesis.

It provides a secure hash database in a private Ethereum blockchain that
stores hashes for specific package versions. The hash that was submitted
from the most different users becomes the consensus and can be queried
and compared against.
The hash is formed from the PKGBUILD, install files and VCS sources,
thereby adding a layer of verification on top of that provided by the
hashes in the PKGBUILD.

The threat model [1] we defend against is targeted attacks against
specific AUR users, e.g. using a hostile takeover and subsequent
modification of an orphan package, that would be reverted and therefore
likely not noticed. If the target used aursec, he would see that his
package has a different hash from what other users got.

Aursec takes a build folder containing a PKGBUILD and .SRCINFO and does
all the work automatically. It calls makepkg --verifysrc in a firejail
sandbox to download VCS sources and find out the current version.

Example use:

    $ aursec ~/aur/foo
    $ find ~/aur -type d | aursec

We would greatly appreciate feedback on the threat model, solution, and
the usability of the tool itself.

Cheers,
Bennett Piater and Lukas Krismer

[0]: https://aur.archlinux.org/packages/aursec
[1]: https://vps1.piater.name/file-sharing/r/_q35eP3Y89#wqDp8+hB9C22GdKrH4nD/HP1CP3NfKQm0V1YuZih+28=

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
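The comparison described in the announcement above, as an added example that is not aursec's code and not part of the original message: a build folder is hashed, the hash submitted by the most users is taken as the consensus, and a locally modified PKGBUILD shows up as a mismatch. Assumptions: SHA-256 with a name/length framing, one vote per user, a tie counted as no consensus, and the hypothetical names package_hash, consensus and check; VCS sources and the blockchain storage are left out.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

def package_hash(build_dir):
    """Hash PKGBUILD plus *.install files (framing is an assumption, not aursec's)."""
    root = Path(build_dir)
    h = hashlib.sha256()
    for f in [root / "PKGBUILD"] + sorted(root.glob("*.install")):
        data = f.read_bytes()
        # Name and length are hashed too, so content cannot shift between files.
        h.update(f.name.encode() + b"\0" + str(len(data)).encode() + b"\0" + data)
    return h.hexdigest()

def consensus(submissions):
    """(user, hash) pairs -> (hash, votes); None if empty or tied for first place."""
    per_user = dict(submissions)          # one vote per user, last submission wins
    ranked = Counter(per_user.values()).most_common(2)
    if not ranked or (len(ranked) == 2 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0]

def check(build_dir, submissions):
    """Compare the local build folder against what other users submitted."""
    winner = consensus(submissions)
    if winner is None:
        return "no-consensus"
    return "match" if winner[0] == package_hash(build_dir) else "MISMATCH"

# Constructed sample PKGBUILD, not a real AUR package.
CLEAN = 'pkgname=foo\npkgver=1.0\npkgrel=1\npackage() {\n  install -Dm644 foo "$pkgdir/usr/bin/foo"\n}\n'

def demo():
    """Three users saw the clean PKGBUILD; the local copy is then altered."""
    with tempfile.TemporaryDirectory() as d:
        pkgbuild = Path(d, "PKGBUILD")
        pkgbuild.write_text(CLEAN)
        subs = [(u, package_hash(d)) for u in ("alice", "bob", "carol")]
        before = check(d, subs)
        # Constructed stand-in for a change served only to the targeted user.
        pkgbuild.write_text(CLEAN + "# extra line only this user received\n")
        return before, check(d, subs)

if __name__ == "__main__":
    print(demo())
```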
Re: [aur-general] LaTeX compilation error in makepkg
> I believe this is your issue:
> https://github.com/matze/mtheme/issues/217

Thanks a bunch, now I finally understand that weird problem! :)
I hate not understanding something ;)

> For the record, this theme is already included in texlive-latexextra
> present in the repo (but obviously at version 1.1 though), and
> that’s the reason why it was deleted:
> https://lists.archlinux.org/pipermail/aur-requests/2016-October/013975.html
>
> So, I’m gonna have to delete once again, since I think our policy is
> to not invade the AUR with each CTAN package already in TeX Live,
> even if obviously the CTAN version is more recent than the one in TeX
> Live.

I completely missed that, so no worries.
Thanks for your help! :)

> If you want to use your PKGBUILD locally, just add -j1 in the make
> command of the PKGBUILD. ;)
>
> Cheers, Bruno

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] LaTeX compilation error in makepkg
Well yeah, I'm building in a clean chroot using the devtools (mkarchchroot + makechrootpkg)... :/ My PKGBUILD looks almost exactly like what you did, yes. Pasted here: https://vps1.piater.name/commie/#xWcSmoLX I'm frankly stunned... On 02/09/2017 08:29 PM, Vanush "Misha" Paturyan via aur-general wrote: > > > I've tried to build beamer-theme-metropois in a "clean" Docker > container with minimal set of packages, and I cannot reproduce your > error: beamer-theme-metropolis builds and installs perfectly (I > haven't tried using it though). > > As you haven't provided PKGBUILD file I'm only guessing what changes > you have made to it to make it work. Apart from changing "pkgver" and > "sha5sums" variables I also had to modify "depends" array. I'm > attaching the diff below: > > Are you building in a "clean" environment? > > --- > PKGBUILD | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/PKGBUILD b/PKGBUILD > index c693213..099ccfe 100644 > --- a/PKGBUILD > +++ b/PKGBUILD 
> @@ -1,15 +1,15 @@ > # Maintainer: Bennett Piater > pkgname=beamer-theme-metropolis > -pkgver=1.1 > +pkgver=1.2 > pkgrel=1 > pkgdesc="A modern LaTeX Beamer theme" > url="https://github.com/matze/mtheme; > arch=("any") > license=("custom:cc-by-sa-4.0") > -depends=("texlive-core" "texlive-pictures" "otf-fira-fonts") > +depends=("texlive-core" "texlive-pictures" "texlive-latexextra" > "otf-fira-mono" "otf-fira-sans") > source=("https://github.com/matze/mtheme/archive/v${pkgver}.tar.gz;) > install=metropolis-theme.install > -sha512sums=('36eb3778e0acf75539e2d8d930ebc81202a4a6648d485963010459f25424a334c4bdf5d10f9619415908564faa282f726913ba3eba8a498f0ec9e286181540d2') > +sha512sums=('61e921a425f16b3fd12961533a5e2ec790d7d80e06d98a837156693082dd8254dfb9840498ce8e561924fb8c5241e9934e9cb1e7b7f1f8caef3cbd8edfae4af7') > > build() { > # Generate the style files. > -- > 2.11.0 > > > --- > Vanush "Misha" Paturyan > Senior Technical Officer > Room 120 > Computer Science Department > EOLAS Building > Maynooth University > Maynooth > > > > > -- GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808 signature.asc Description: OpenPGP digital signature
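Review bot: the depends line in this hunk swaps "otf-fira-fonts" for "otf-fira-mono" "otf-fira-sans" and adds "texlive-latexextra" with no explanation, since the patch carries no commit message; state why each dependency changed so a later maintainer can tell a deliberate split from a rename. The url= and source= context lines end in `;` where the closing double quote belongs, so confirm the text still applies to the real PKGBUILD, and recompute the new sha512sums value from the v1.2 tarball instead of copying it from the mail.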
Re: [aur-general] LaTeX compilation error in makepkg
On 02/09/2017 05:50 PM, Connor Behan via aur-general wrote:
> The problem is permissions. I think "make" and "makepkg" would only give
> different results if you executed them as different users.

I'm executing them as the same user, though.

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
[aur-general] LaTeX compilation error in makepkg
Hi,

I resurrected beamer-theme-metropolis when aurphan showed me that its
maintainer had orphaned it because I use it quite a lot.

The upstream was recently updated, but I cannot get it to compile from
makepkg -- the latex compiler complains that it cannot write to its log
file. I didn't change the PKGBUILD besides updating the version and
dependencies.

Output: https://vps1.piater.name/commie/#5O9xSO3P

Everything works if I cd into $srcdir/$pkgname-$pkgver and execute make
from the shell.

Does anyone have an idea what the problem might be?

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] Upstream version numbers that break pacman version comparison
> The "8.5.pl3-1" would have been a very standard way of solving this,
> and the suggested more plain "8.5.3-1" is fine as well.

Right, I somehow didn't think of "8.5.pl3-1", that is much better :)
I still don't really like "8.5.3-1" though, it's closer to being
confusingly different from what upstream uses.

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] Upstream version numbers that break pacman version comparison
On 11/22/2016 08:58 AM, brent timothy saner via aur-general wrote:
> what i'd recommend is instead use 8.5 -> 8.5.1 -> 8.5.2
>
> and then have a _pkgver= variable with the actual string, if it's needed
> later in the build. i.e.:

I don't like this because it prevents users from seeing which version
they installed with pacman -Qi. Many will want to be able to look up
their version online, e.g. for changelogs or security advisories.

It's ugly, but I guess bumping epoch is the only solution here.

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] My first PKGBUILD
> I feel renaming files is counter to AL policy of keeping packages as
> close to upstream as possible.
> Also some licenses expressly forbid changing filenames.
> please keep upstream names.
>
> Check other java packages like freecol, they use /usr/share/java/$pkgname .
>
> LW

Thanks a lot, I changed both of that :)

Cordially,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] My first PKGBUILD
On 06/12/2016 02:26 PM, mar...@marcin.co wrote:
> Hi
> I think you should use pkgver in source url.
> Also, why would you copy libs to opt?
> License is usually named just LICENSE
> Is that the third package release? Or first?

Thanks!

I used $pkgver in the source url, renamed upstream's license.txt to
LICENSE, and reset $pkgrel (It was my third local version).

I copy libs to opt because this is a java program that expects its
stuff to be in the same directory. Those libs are not shared anyways,
they are specific to this program. Do you have a better idea? :)

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Re: [aur-general] My first PKGBUILD
> I am now considering maintaining it in the AUR. If someone has time, I
> would like to get some feedback for my PKGBUILD before I publish it.

I guess I should attach it :D

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808

# Maintainer: Bennett Piater
pkgname='battlescribe'
pkgver='1.15.07'
pkgrel=3
pkgdesc="An army list builder for table-top games."
arch=(any)
url="http://battlescribe.net/"
license=('custom')
depends=('java-environment' 'bash')
source=('http://files.battlescribe.net/BattleScribe_1.15.07_Multi.zip'
        "$pkgname.desktop"
        "$pkgname.png"
        'BattleScribe.sh')
md5sums=('1104d01254a217e0472b13fbb7af612f'
         'c971a70893a6960006d290a15a44af48'
         'd0fef06c5b080003f84a0e148fbe9261'
         'c344ad9eddc6d1a13249c4a238826c1d')

package() {
  cd "$srcdir"

  # Copy files to system
  install -D -t "$pkgdir/opt/$pkgname/" *.sh *.jar
  mv lib "$pkgdir/opt/$pkgname/"

  # Copy the licence
  install -Dm644 -t "$pkgdir/usr/share/licenses/battlescribe/" license.txt

  # Copy the desktop file and image
  install -Dm644 -t "$pkgdir/usr/share/applications/" *.desktop
  install -Dm644 "$pkgname.png" "$pkgdir/usr/share/pixmaps/$pkgname.png"
}
[aur-general] My first PKGBUILD
Hi,

I've been using Arch for a while and recently stumbled upon a program
that isn't available in the AUR. I took the opportunity to learn about
creating packages so I could have it managed by pacman.

I am now considering maintaining it in the AUR. If someone has time, I
would like to get some feedback for my PKGBUILD before I publish it.

Cheers,
Bennett

-- 
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808