[aur-requests] [PRQ#12066] Deletion Request for popcorntime

Jean Lucas jean at 4ray.co
Sat Jul 21 20:46:34 UTC 2018


Agreed on suspicious claims. However, both sides point the finger at 
each other, so I read the code.

During build, gulp downloads a custom version of NW.js from 
get.popcorntime.sh[1]. I have verified that various binaries in the 
upstream and downstream NW.js packages vary in size. I haven't found a 
statement by a Popcorn Time organization member saying that they use the 
Butter Project's NW.js build script[2], only that a custom version is 
used[3]. One might suppose that PT's NW.js is built from BP's script, 
but I have not been able to confirm this via checksums, seeing as BP's 
CI site[4] is down[5], and NW.js is a very heavy build. Until the CI 
site comes back online and we are able to confirm checksum matches, the 
get.popcorntime.sh NW.js package should be considered dangerous. A 
negative clamscan alone should not be deemed proof that the various 
binaries are not malicious.

As for forks/alternatives, it's worth noting that Popcorn Time built with 
upstream NW.js[6] succeeds and runs, although the internal media player 
will not be able to playback a lot of media due to lack of codecs, so 
you'd have to use an external media player in many cases. In lieu of the 
inconvenience, this seems to be the safest option for now.

[1]: 
https://github.com/popcorn-official/popcorn-desktop/blob/development/gulpfile.js#L128

[2]: https://github.com/butterproject/nwjs-build

[3]: 
https://github.com/popcorn-official/popcorn-desktop/issues/624#issuecomment-334867531

[4]: 
https://github.com/butterproject/butter-desktop/issues/647#issuecomment-303867333

[5]: http://builds.butterproject.org/nw/

[6]: 
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=popcorntime-git#n32


On 07/21/2018 09:53 AM, Giovanni Santini (ItachiSan) wrote:
> I would like to point out the following facts:
> The package I do provide is built from source, based on the code hosted here: https://github.com/popcorn-official/popcorn-desktop
> You can report found spyware there (can you prove to me that there is any? A clamscan?)
> On my side, I do have no malware:
> $ clamscan /mnt/build/archlinux/chroots/bauerbill/popcorntime/popcorntime-0.3.10-8-x86_64.pkg.tar.xz
> /mnt/build/archlinux/chroots/bauerbill/popcorntime/popcorntime-0.3.10-7-x86_64.pkg.tar.xz: OK
> I could approve on redistributed binary builds, but this is not the case, as users build their package themselves.
>
> The sources you provide are by far more suspicious, as the website you point to redirects to a Git repository which has a non-existent homepage.
>
> The claims provided in the link are quite general; there is no actual proof and the link provided by the 'spyware team', which is:
> https://blog.popcorntime.sh/popcorn-time-safety-and-ransomware/
> provides by far better description and information.
> To finish up, deleting the package is something I wouldn't like to do; I would be glad to switch to another fork, if you can provide me a good one.
>
> Giovanni Santini
> Computer scientist and geek
> giovannisantini93 at yahoo.it
> https://giovannisantini.tk
>
> On Jul 17 2018, at 8:18 am, notify at aur.archlinux.org wrote:
>> flacks [1] filed a deletion request for popcorntime [2]:
>> Package reportedly distributes viruses/spyware https://www.popcorn-time.is/official-statement.html
>>
>> [1] https://aur.archlinux.org/account/flacks/
>> [2] https://aur.archlinux.org/pkgbase/popcorntime/
>>
>
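The message above makes a supply-chain point that is easy to lose in the back-and-forth: a clean clamscan says nothing about whether a build-time binary download (the custom NW.js fetched by gulp) matches a known reference build, and that question is settled by comparing the archives member by member. The following script is an added example for this thread, not code from the Popcorn Time or Butter projects. It compares two tar.gz archives and reports members whose size or SHA-256 differ, members missing from the candidate, and members added to it. The two archives, their member names and their contents are constructed in memory so the script runs offline; in practice you would pass the upstream NW.js tarball and the downstream one.

```python
"""
Added example (not from the mailing-list thread): compare two NW.js-style
.tar.gz archives member by member, reporting size and SHA-256 differences.
Both archives below are constructed in memory; member names are invented.
"""
import hashlib
import io
import tarfile


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def archive_digests(archive_bytes: bytes) -> dict:
    """Map each regular-file member of a .tar.gz to (size, sha256)."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # skip directories, symlinks and the like
            data = tar.extractfile(member).read()
            result[member.name] = (member.size, sha256_bytes(data))
    return result


def compare_archives(reference: bytes, candidate: bytes) -> dict:
    """Return members that changed, went missing, or were added in the candidate."""
    ref = archive_digests(reference)
    cand = archive_digests(candidate)
    report = {"changed": [], "missing": [], "added": []}
    for name, (size, digest) in ref.items():
        if name not in cand:
            report["missing"].append(name)
        elif cand[name] != (size, digest):
            report["changed"].append(name)
    for name in cand:
        if name not in ref:
            report["added"].append(name)
    return report


def build_archive(files: dict) -> bytes:
    """Build an in-memory .tar.gz from {name: bytes}; used only for constructed test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample archives standing in for an upstream NW.js tarball and a
# downstream rebuild. Names and contents are invented for the example.
UPSTREAM = build_archive({
    "nwjs/nw": b"\x7fELF" + b"\x00" * 64,
    "nwjs/lib/libffmpeg.so": b"\x7fELF" + b"\x01" * 128,
    "nwjs/locales/en-US.pak": b"pak-data",
})
DOWNSTREAM = build_archive({
    "nwjs/nw": b"\x7fELF" + b"\x00" * 64,
    "nwjs/lib/libffmpeg.so": b"\x7fELF" + b"\x02" * 160,  # differs in size and hash
    "nwjs/locales/en-US.pak": b"pak-data",
    "nwjs/lib/extra.so": b"\x7fELF" + b"\x03" * 32,      # not present in the reference
})


def example_report() -> dict:
    """Diff the constructed downstream archive against the constructed upstream one."""
    return compare_archives(UPSTREAM, DOWNSTREAM)


if __name__ == "__main__":
    for kind, names in example_report().items():
        for name in names:
            print(f"{kind}: {name}")
```

A size difference alone (what the message reports observing) is enough to say two builds are not identical, but a hash comparison also catches same-size substitutions; neither tells you why the members differ, which is why the message treats the package as unverified rather than as proven malicious until a reproducible reference build is available.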

