On Tue, Sep 05, 2017 at 05:33:09PM +0200, Levente Polyak wrote:
> > During last year's Chaos Communication Congress I got in touch with anthraxx and shibumi. They introduced me to their security meetup along with jelle and rgacogne. This ended up with me assisting the reviewing of security advisories, and I have now been added as a CVE reporter to the team.
> I can confirm that this happened, and we are happy to have you around for security stuff.

Thank you for everything!

> Now, I'm going to take a look at your AUR... Let the hunt begin *giggle*

D:
> archur-git:
> - VCS package missing provides/conflicts

Fixed!
> bmusb:
> - would be more error prone and convenient to keep pkgver in sync when using a pkgver() function for pinned commits and f.e. do: git describe --always | sed 's/^v//;s/-/./g'
> - url variable points to a 403 page

Fixed apart from the pkgver(). Not sure about the intention of keeping the pkgver in sync with the commit hash.
> buildah-git:
> - VCS package missing provides/conflicts
> - license can be changed to 'Apache' as that is already in common licences and points to version 2.0
> - clone URL could use TLS via git+https

Fixed!
> cryptomator:
> - cryptomator.sh should use quotes for $PATH as it may contain spaces

Fixed!
> cubemap:
> - VCS package missing provides/conflicts
> - source name must contain something unique for the current tarball, like the commit hash, otherwise it collides with an existing download of a previous version and just fails on checksum matching
> - fails to build: configure: error: Package requirements (libsystemd) were not met, seems to require it

It's not a VCS package, so I'm a little unsure what you mean with that. The rest was fixed with eschwartz's comments; I just forgot to push.
> dep-git:
> - VCS package missing provides/conflicts
> - clone URL could use TLS via git+https
> - use quotes for $PATH and $GOPATH as they could contain spaces

Fixed!
> dmenu-extended:
> - VCS package not named dmenu-extended-git, either rename or use a pinned commit (you promised that a year ago in the comments *giggle* :P :D )
> - python packages should have a build function as it's building binary artifacts via setup.py, and a named function is needed in the future to make py packages reproducible

Fixed! A deletion request has been sent for the old package.
> jottalib:
> - uses the static string v0.5.1.tar.gz in the source that can be replaced by $pkgver
> - not an 'any' arch as it builds binary artifacts
> - seems to contain a lot of test cases run by travis, maybe try to include them

Fixed. The test cases will have to wait a little as they refer to "python" instead of "python2", along with being hard forked quite recently.
> molecule:
> - URL pin-points to 2.0.0.rc12 (which isn't even used anymore)
> - would be more error prone and convenient to keep pkgver in sync when using a pkgver() function for pinned commits and f.e. do: git describe --always | sed 's/^v//;s/-/./g'
> - test cases could be run via tox
> - could build docs like txt and man via sphinx in the doc folder
> - outdated for 20 hours, 2.0.4 release *giggle*

Fixed, apart from the pkgver, and this library needs itself installed to generate docs. Need to figure out how this is done.
> nageru:
> - 1.6.2 has been released

The upstream dev forgot to update the archive on the page. Bugged him and got it fixed.
> protege-distribution:
> - try to build from source rather than redistribute precompiled binary blobs

Fixed!
> nodejs-how2:
> - could possibly be pulled via TLS https because why not :P
> - npm install package should forcefully fixup $pkgdir/usr files/dirs as it's a non-deterministic race condition bug that upstream still fails to find and fix. It can lead to the node_modules dir being world writable, and it contains code, f.e. line 26:
>   https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packa...

All fixed!
> nerd-fonts-git:
> - VCS package missing provides/conflicts

Fixed!
> python-anyconfig:
> - uses setuptools entrypoint functionality and therefore must hard depend on python{,2}-setuptools instead of just makedepends
> - you could distribute the LICENSE.MIT file as MIT is not a commonly included license
> - you could run tests via tox

Fixed!
> python-gilt:
> - package_python2-gilt() must depend on python2 instead of python and python2-giturlparse instead of python-giturlparse
> - test cases could be run via tox, therefore all py2+3 dependencies should be added to checkdepends and tox be invoked
> - could build docs like txt and man via sphinx in the doc folder

Fixed. The documentation requires gilt installed to be generated, so I'm unsure how that should be done. I have to look closer at this.
> python-marshmallow:
> - test cases could be run via tox, therefore all py2+3 dependencies should be added to checkdepends and tox be invoked
> - could build docs like txt and man via sphinx in the doc folder
> - you could distribute the LICENSE.MIT file as MIT is not a common
> - 2.13.6 has been released

sphinx requires a library called "sphinx_issues" for generating the docs. Noted the package on my todo list. The rest has been fixed.
> python-vagrant:
> - test cases could be run
> - you could distribute the LICENSE.MIT file as MIT is not a common

The testing is sorta peculiar as it requires vagrant and virtualbox(!) to run. I haven't gotten the cases to run after installing them, so I have to work a bit more on this.
> python-testinfra:
> - test cases could be run via pytest and included in checkdepends
> - PBR_VERSION will fail if run with noextract as prepare() is skipped

Fixed the PBR_VERSION issue. But the test cases require docker to run, so I have to spend some more time to see if it's worth adding the tests to this package.
> python2-humanize:
> - python packages should have a build function as it's building binary artifacts via setup.py, and a named function is needed in the future to make py packages reproducible
> - it depends on python while this is a python2 package
> - test cases and docs can be used if the github sources are fetched instead

Fixed!
> python-rofi:
> - should use a source prefixed with $pkgname and $pkgver to have a unique file per version and package, as it may conflict with a global source dest setup

Fixed!
> python-pychromecast:
> - pkgdesc says "Library for Python 2 and 3 to..." how about including python2 via a split package then? :P
> - python packages should have a build function as it's building binary artifacts via setup.py, and a named function is needed in the future to make py packages reproducible
> - maybe include the examples directory in the docs?

Fixed!
> xoutputd-git:
> - VCS package missing provides/conflicts
> - install mode 655 on the bin file, is that on purpose or is 755 expected?
> - makedepends on git missing
> - you could distribute the LICENSE file as MIT is not a common

Fixed!
> tmux-resurrect:
> - must depend on tmux and bash

Fixed!
> texcount:
> - no need to unzip it yourself, it works pretty well without prepare and via bsdtar

Fixed!

Thanks again anthraxx and eschwartz for the comprehensive reviews!

--
Morten Linderud
PGP: 9C02FF419FECBE16