Agreed on suspicious claims. However, both sides point the finger at each other, so I read the code.

During build, gulp downloads a custom version of NW.js from get.popcorntime.sh[1]. I have verified that various binaries in the upstream and downstream NW.js packages vary in size. I haven't found a statement by a Popcorn Time organization member saying that they use the Butter Project's NW.js build script[2], only that a custom version is used[3]. One might suppose that PT's NW.js is built from BP's script, but I have not been able to confirm this via checksums, seeing as BP's CI site[4] is down[5], and NW.js is a very heavy build.

Until the CI site comes back online and we are able to confirm checksum matches, the get.popcorntime.sh NW.js package should be considered dangerous. A negative clamscan alone should not be deemed proof that the various binaries are not malicious.

As for forks/alternatives, it's worth noting that Popcorn Time built with upstream NW.js[6] succeeds and runs, although the internal media player will not be able to play back a lot of media due to lack of codecs, so you'd have to use an external media player in many cases. In lieu of the inconvenience, this seems to be the safest option for now.

[1]: https://github.com/popcorn-official/popcorn-desktop/blob/development/gulpfil...
[2]: https://github.com/butterproject/nwjs-build
[3]: https://github.com/popcorn-official/popcorn-desktop/issues/624#issuecomment-...
[4]: https://github.com/butterproject/butter-desktop/issues/647#issuecomment-3038...
[5]: http://builds.butterproject.org/nw/
[6]: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=popcorntime-git#n32

On 07/21/2018 09:53 AM, Giovanni Santini (ItachiSan) wrote:
I would like to point out the following facts:

The package I do provide is built from source, based on the code hosted here: https://github.com/popcorn-official/popcorn-desktop

You can report found spyware there (can you prove to me there is any? A clamscan?). On my side, I do have no malware:

$ clamscan /mnt/build/archlinux/chroots/bauerbill/popcorntime/popcorntime-0.3.10-8-x86_64.pkg.tar.xz
/mnt/build/archlinux/chroots/bauerbill/popcorntime/popcorntime-0.3.10-7-x86_64.pkg.tar.xz: OK

I could approve on redistributed binary builds, but this is not the case, as users build their package themselves.
The sources you provide are by far more suspicious, as the website you point to redirects to a Git repository which has as homepage a non-existing one.
The claims provided in the link are quite general; there is no actual proof, and the link provided by the 'spyware team', which is https://blog.popcorntime.sh/popcorn-time-safety-and-ransomware/, provides a far better description and information.

To finish up, deleting the package is something I wouldn't like to do; I would be glad to switch to another fork, if you can provide me a good one.
Giovanni Santini
Computer scientist and geek
giovannisantini93@yahoo.it
https://giovannisantini.tk
On Jul 17 2018, at 8:18 am, notify@aur.archlinux.org wrote:

flacks [1] filed a deletion request for popcorntime [2]:

Package reportedly distributes viruses/spyware
https://www.popcorn-time.is/official-statement.html

[1] https://aur.archlinux.org/account/flacks/
[2] https://aur.archlinux.org/pkgbase/popcorntime/
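The check the top reply is asking for, comparing a downloaded NW.js package against a trusted build file by file on size and SHA-256 rather than relying on a clean clamscan, as an added example that is not code from the thread or from either project; the two directory trees and file names are constructed in demo():

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: Path) -> dict:
    """Map each regular file under root to (size, sha256), keyed by POSIX relative path."""
    return {p.relative_to(root).as_posix(): (p.stat().st_size, sha256_of(p))
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare_trees(reference: Path, candidate: Path) -> dict:
    """Classify every path in either tree; a size match alone is never taken as proof."""
    ref, cand = manifest(reference), manifest(candidate)
    report = {"missing": [], "extra": [], "size_differs": [], "content_differs": []}
    for rel in sorted(set(ref) | set(cand)):
        if rel not in cand:
            report["missing"].append(rel)
        elif rel not in ref:
            report["extra"].append(rel)
        elif ref[rel][0] != cand[rel][0]:
            report["size_differs"].append(rel)
        elif ref[rel][1] != cand[rel][1]:
            report["content_differs"].append(rel)  # same size, different bytes
    return report

def demo() -> dict:
    """Constructed sample trees standing in for an upstream and a downstream NW.js package."""
    tmp = Path(tempfile.mkdtemp())
    ref, cand = tmp / "upstream", tmp / "downstream"
    for name, data in {"nw": b"A" * 64, "lib/libnode.so": b"B" * 32, "locales/en.pak": b"C" * 8}.items():
        for base in (ref, cand):
            (base / name).parent.mkdir(parents=True, exist_ok=True)
            (base / name).write_bytes(data)
    (cand / "nw").write_bytes(b"A" * 63 + b"Z")          # same size, altered content (constructed)
    (cand / "lib/libnode.so").write_bytes(b"B" * 40)     # size change, like the binaries in the thread
    (cand / "lib/libffmpeg.so").write_bytes(b"D" * 16)   # file present only in the custom build
    return compare_trees(ref, cand)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Pointing reference and candidate at two extracted NW.js tarballs gives the per-file answer the thread could not get while the CI site was down; any entry under content_differs is exactly what a size comparison misses.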