[aur-requests] [PRQ#12066] Deletion Request for popcorntime

[Giovanni Santini (ItachiSan)]

Hi Jean,

Thank you for the analysis; it was really detailed and extensive.
The only issue then is the prebuild nw.js binary build provided from the PopcornTime team, as we can't guarantee malware absence from it.
So, as you suggested, I will substitute the binary with the official one (from the nw.js project).

I also found on the AUR this package:
https://aur.archlinux.org/packages/nwjs-ffmpeg-codecs-bin/ (https://link.getmailspring.com/link/1532263255.local-8b55aff9-0fcb-v1.3.0-fd741eb7@getmailspring.com/0?redirect=https%3A%2F%2Faur.archlinux.org%2Fpackages%2Fnwjs-ffmpeg-codecs-bin%2F&recipient=YXVyLXJlcXVlc3RzQGFyY2hsaW51eC5vcmc%3D)
It should provide the necessary library for viewing multiple video formats.
Can it be considered safe (as it is as a binary) or should I create a from scratch package?

Thanks in advance,
Giovanni SantiniComputer scientist and geek
giovannisantini93 at yahoo.it (https://link.getmailspring.com/link/1532263255.local-8b55aff9-0fcb-v1.3.0-fd741eb7@getmailspring.com/1?redirect=mailto%3Agiovannisantini93%40yahoo.it&recipient=YXVyLXJlcXVlc3RzQGFyY2hsaW51eC5vcmc%3D)
https://giovannisantini.tk (https://link.getmailspring.com/link/1532263255.local-8b55aff9-0fcb-v1.3.0-fd741eb7@getmailspring.com/2?redirect=%20https%3A%2F%2Fgiovannisantini.tk&recipient=YXVyLXJlcXVlc3RzQGFyY2hsaW51eC5vcmc%3D)

On lug 21 2018, at 10:46 pm, Jean Lucas <jean at 4ray.co> wrote:
>
> Agreed on suspicious claims. However, both sides point the finger at
> each other, so I read the code.
>
> During build, gulp downloads a custom version of NW.js from
> get.popcorntime.sh[1]. I have verified that various binaries in the
> upstream and downstream NW.js packages vary in size. I haven't found a
> statement by a Popcorn Time organization member saying that they use the
> Butter Project's NW.js build script[2], only that a custom version is
> used[3]. One might suppose that PT's NW.js is built from BP's script,
> but I have not been able to confirm this via checksums, seeing as BP's
> CI site[4] is down[5], and NW.js is a very heavy build. Until the CI
> site comes back online and we are able to confirm checksum matches, the
> get.popcorntime.sh NW.js package should be considered dangerous. A
> negative clamscan alone should not be deemed proof that the various
> binaries are not malicious.
>
> As for forks/alternatives, its worth noting that Popcorn Time built with
> upstream NW.js[6] succeeds and runs, although the internal media player
> will not be able to playback a lot of media due to lack of codecs, so
> you'd have to use an external media player in many cases. In lieu of the
> inconvenience, this seems to be the safest option for now.
>
> [1]:
> https://github.com/popcorn-official/popcorn-desktop/blob/development/gulpfile.js#L128
>
> [2]: https://github.com/butterproject/nwjs-build
> [3]:
> https://github.com/popcorn-official/popcorn-desktop/issues/624#issuecomment-334867531
>
> [4]:
> https://github.com/butterproject/butter-desktop/issues/647#issuecomment-303867333
>
> [5]: http://builds.butterproject.org/nw/
> [6]:
> https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=popcorntime-git#n32
>
>
> On 07/21/2018 09:53 AM, Giovanni Santini (ItachiSan) wrote:
> > I would like to point out the following facts:
> > The package I do provide is built from source, based on the code hosted here: https://github.com/popcorn-official/popcorn-desktop (https://link.getmailspring.com/link/1532179678.local-251a76dc-d25e-v1.3.0-fd741eb7@getmailspring.com/0?redirect=https%3A%2F%2Fgithub.com%2Fpopcorn-official%2Fpopcorn-desktop&recipient=amVhbkA0cmF5LmNv)
> > You can report found spyware there (can you prove me is there any? A clamscan?)
> > On my side, I do have no malware:
> > $ clamscan /mnt/build/archlinux/chroots/bauerbill/popcorntime/popcorntime-0.3.10-8-x86_64.pkg.tar.xz
> > /mnt/build/archlinux/chroots/bauerbill/popcorntime/popcorntime-0.3.10-7-x86_64.pkg.tar.xz: OK
> > I could approve on redistributed binary builds, but this is not the case, as users build their package theirselves.
> >
> > The sources you provide are by far more suspicious, as the website you point to redirect to a Git repository which has as homepage an no-existing one.
> > The claims provided in the link are quite general; there is no actual proof and the link provided by the 'spyware team', which is:
> > https://blog.popcorntime.sh/popcorn-time-safety-and-ransomware/ (https://link.getmailspring.com/link/1532179678.local-251a76dc-d25e-v1.3.0-fd741eb7@getmailspring.com/1?redirect=https%3A%2F%2Fblog.popcorntime.sh%2Fpopcorn-time-safety-and-ransomware%2F&recipient=amVhbkA0cmF5LmNv)
> > provides by far better description and information.
> > To finish up, deleting the package is something I wouldn't like to do; I would be glad to switch to another fork, if you can provide me a good one.
> >
> > Giovanni SantiniComputer scientist and geek
> > giovannisantini93 at yahoo.it (https://link.getmailspring.com/link/1532179678.local-251a76dc-d25e-v1.3.0-fd741eb7@getmailspring.com/2?redirect=mailto%3Agiovannisantini93%40yahoo.it&recipient=amVhbkA0cmF5LmNv)
> > https://giovannisantini.tk (https://link.getmailspring.com/link/1532179678.local-251a76dc-d25e-v1.3.0-fd741eb7@getmailspring.com/3?redirect=%20https%3A%2F%2Fgiovannisantini.tk&recipient=amVhbkA0cmF5LmNv)
> >
> > On lug 17 2018, at 8:18 am, notify at aur.archlinux.org wrote:
> > > flacks [1] filed a deletion request for popcorntime [2]:
> > > Package reportedly distributes viruses/spyware https://www.popcorn-
> > > time.is/official-statement.html
> > >
> > > [1] https://aur.archlinux.org/account/flacks/
> > > [2] https://aur.archlinux.org/pkgbase/popcorntime/
> >
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.archlinux.org/pipermail/aur-requests/attachments/20180722/dc7ca8cd/attachment.html>