[aur-general] Moving arj from [community] to AUR
Hi,

As much as I like arj, and the fond memories of installing games from floppy disks as a kid, the package in its current form has some problems:

https://bugs.archlinux.org/task/44411
https://bugs.archlinux.org/task/44488

As noted by Christian Rebischke and Remi Gacogne in these bug reports, arj has several vulnerability issues and is not likely to be fixed by upstream anytime soon.

Moving to AUR.

---
Best regards,
Alexander F Rødseth / xyproto

On 04/22/2015 03:25 PM, Alexander F Rødseth wrote:
> Hi,
>
> As much as I like arj, and the fond memories of installing games from floppy disks as a kid, the package in its current form has some problems:
>
> https://bugs.archlinux.org/task/44411
> https://bugs.archlinux.org/task/44488
>
> As noted by Christian Rebischke and Remi Gacogne in these bug reports, arj has several vulnerability issues and is not likely to be fixed by upstream anytime soon.
>
> Moving to AUR.

I've picked up arj from the AUR and will clean it up now. This includes adding patches for the mentioned security issues (which are also used by Fedora, Debian and others).

After a short discussion round in the IRC we considered that it may get moved back to community at some point (I would also maintain it then).

The updated AUR package will be pushed in approx. 1-2h, I'm still doing some tests before pushing the new PKGBUILD.

cheers
Levente

I can also add that:

* Few packages have the combination of not building + upstream being dead + having security vulnerabilities + little usage by other packages (only two official packages had arj listed as an optional dependency).
* While the package statistics show a relatively high installation rate, these statistics are old. I don't think packaging arj archives is as relevant today as it was a couple of years ago.
* unarj 2.63a-4 is in [community], so the capability of extracting arj archives is still offered by an official package.
* It's only moved to AUR, not removed forever. Users can still install arj, and the possibility of it being moved back to [community] one day is still present.

When that's said, I believe Levente Polyak will be an excellent package maintainer for the arj package, whether it remains in AUR or is moved back to [community]. It's an open call.

--
Best regards,
Alexander F Rødseth / xyproto

On 04/23/2015 11:17 AM, Alexander F Rødseth wrote:
> I can also add that:
>
> * Few packages have the combination of not building + upstream being dead + having security vulnerabilities + little usage by other packages (only two official packages had arj listed as an optional dependency).
> * While the package statistics show a relatively high installation rate, these statistics are old. I don't think packaging arj archives is as relevant today as it was a couple of years ago.
> * unarj 2.63a-4 is in [community], so the capability of extracting arj archives is still offered by an official package.
> * It's only moved to AUR, not removed forever. Users can still install arj, and the possibility of it being moved back to [community] one day is still present.
>
> When that's said, I believe Levente Polyak will be an excellent package maintainer for the arj package, whether it remains in AUR or is moved back to [community]. It's an open call.
>
> --
> Best regards,
> Alexander F Rødseth / xyproto

Thank you, Alexander, for providing this information to the mailing list so people better understand the reason behind your move.

I already did some work on the AUR package and fixed the building problem (related to old automake) as well as added patches to the mentioned security issues (and verified them with proof-of-concept archives and test-cases).

ARJ users should feel free to try out the new version from AUR.

cheers
Levente

On Thu, 23 Apr 2015 12:03:42 +0200, Levente Polyak wrote:
> ARJ users should feel free to try out the new version from AUR.

It at least builds without issues:

[rocketmouse@archlinux ~]$ grep arj /var/log/pacman.log
[snip]
[2015-04-23 10:46] [ALPM] upgraded arj (3.10.22-8 -> 3.10.22-10)

participants (3)
- Alexander F Rødseth
- Levente Polyak
- Ralf Mardorf