[aur-requests] [PRQ#12066] Deletion Request for popcorntime

Jean Lucas jean at 4ray.co
Sat Jul 21 20:46:34 UTC 2018

Agreed on suspicious claims. However, both sides point the finger at 
each other, so I read the code.

During build, gulp downloads a custom version of NW.js from 
get.popcorntime.sh[1]. I have verified that various binaries in the 
upstream and downstream NW.js packages vary in size. I haven't found a 
statement by a Popcorn Time organization member saying that they use the 
Butter Project's NW.js build script[2], only that a custom version is 
used[3]. One might suppose that PT's NW.js is built from BP's script, 
but I have not been able to confirm this via checksums, seeing as BP's 
CI site[4] is down[5], and NW.js is a very heavy build. Until the CI 
site comes back online and we are able to confirm checksum matches, the 
get.popcorntime.sh NW.js package should be considered dangerous. A 
negative clamscan alone should not be deemed proof that the various 
binaries are not malicious.

As for forks/alternatives, its worth noting that Popcorn Time built with 
upstream NW.js[6] succeeds and runs, although the internal media player 
will not be able to playback a lot of media due to lack of codecs, so 
you'd have to use an external media player in many cases. In lieu of the 
inconvenience, this seems to be the safest option for now.


[2]: https://github.com/butterproject/nwjs-build



[5]: http://builds.butterproject.org/nw/


On 07/21/2018 09:53 AM, Giovanni Santini (ItachiSan) wrote:
> I would like to point out the following facts:
> The package I do provide is built from source, based on the code hosted here: https://github.com/popcorn-official/popcorn-desktop (https://link.getmailspring.com/link/1532179678.local-251a76dc-d25e-v1.3.0-fd741eb7@getmailspring.com/0?redirect=https%3A%2F%2Fgithub.com%2Fpopcorn-official%2Fpopcorn-desktop&recipient=amVhbkA0cmF5LmNv)
> You can report found spyware there (can you prove me is there any? A clamscan?)
> On my side, I do have no malware:
> $ clamscan /mnt/build/archlinux/chroots/bauerbill/popcorntime/popcorntime-0.3.10-8-x86_64.pkg.tar.xz
> /mnt/build/archlinux/chroots/bauerbill/popcorntime/popcorntime-0.3.10-7-x86_64.pkg.tar.xz: OK
> I could approve on redistributed binary builds, but this is not the case, as users build their package theirselves.
> The sources you provide are by far more suspicious, as the website you point to redirect to a Git repository which has as homepage an no-existing one.
> The claims provided in the link are quite general; there is no actual proof and the link provided by the 'spyware team', which is:
> https://blog.popcorntime.sh/popcorn-time-safety-and-ransomware/ (https://link.getmailspring.com/link/1532179678.local-251a76dc-d25e-v1.3.0-fd741eb7@getmailspring.com/1?redirect=https%3A%2F%2Fblog.popcorntime.sh%2Fpopcorn-time-safety-and-ransomware%2F&recipient=amVhbkA0cmF5LmNv)
> provides by far better description and information.
> To finish up, deleting the package is something I wouldn't like to do; I would be glad to switch to another fork, if you can provide me a good one.
> Giovanni SantiniComputer scientist and geek
> giovannisantini93 at yahoo.it (https://link.getmailspring.com/link/1532179678.local-251a76dc-d25e-v1.3.0-fd741eb7@getmailspring.com/2?redirect=mailto%3Agiovannisantini93%40yahoo.it&recipient=amVhbkA0cmF5LmNv)
> https://giovannisantini.tk (https://link.getmailspring.com/link/1532179678.local-251a76dc-d25e-v1.3.0-fd741eb7@getmailspring.com/3?redirect=%20https%3A%2F%2Fgiovannisantini.tk&recipient=amVhbkA0cmF5LmNv)
> On lug 17 2018, at 8:18 am, notify at aur.archlinux.org wrote:
>> flacks [1] filed a deletion request for popcorntime [2]:
>> Package reportedly distributes viruses/spyware https://www.popcorn-
>> time.is/official-statement.html
>> [1] https://aur.archlinux.org/account/flacks/
>> [2] https://aur.archlinux.org/pkgbase/popcorntime/

More information about the aur-requests mailing list