<div>Hi Jean,</div><br>
<div>Thank you for the analysis; it was really detailed and extensive.</div>
<div>The only issue then is the prebuilt <em>nw.js</em> binary provided by the PopcornTime team, as we can't guarantee it is free of malware.</div>
<div>So, as you suggested, I will substitute the binary with the official one (from the <em>nw.js</em> project).</div><br>
<div>I also found this package on the AUR:</div>
<div><a href="https://aur.archlinux.org/packages/nwjs-ffmpeg-codecs-bin/" title="https://aur.archlinux.org/packages/nwjs-ffmpeg-codecs-bin/">https://aur.archlinux.org/packages/nwjs-ffmpeg-codecs-bin/</a></div>
<div>It should provide the necessary library for viewing multiple video formats.</div>
<div>Can it be considered safe (as it is a binary) or should I create a package <em>from scratch</em>?</div><br>
<div>Thanks in advance,</div><br>
<div><strong>Giovanni Santini</strong>, Computer scientist and geek</div>
<div><a href="mailto:giovannisantini93@yahoo.it">giovannisantini93@yahoo.it</a></div>
<div><a href="https://giovannisantini.tk">https://giovannisantini.tk</a></div>
<div><a href="https://twitter.com/santini__gio" title="Twitter">Twitter</a></div>
<div class="gmail_quote_attribution">On Jul 21 2018, at 10:46 pm, Jean Lucas <jean@4ray.co> wrote:</div>
<blockquote><br>
<div>Agreed on suspicious claims. However, both sides point the finger at each other, so I read the code.</div><br>
<div>During build, gulp downloads a custom version of NW.js from get.popcorntime.sh[1]. I have verified that various binaries in the upstream and downstream NW.js packages vary in size. I haven't found a statement by a Popcorn Time organization member saying that they use the Butter Project's NW.js build script[2], only that a custom version is used[3]. One might suppose that PT's NW.js is built from BP's script, but I have not been able to confirm this via checksums, seeing as BP's CI site[4] is down[5], and NW.js is a very heavy build. Until the CI site comes back online and we are able to confirm checksum matches, the get.popcorntime.sh NW.js package should be considered dangerous. A negative clamscan alone should not be deemed proof that the various binaries are not malicious.</div><br>
<div>As for forks/alternatives, it's worth noting that Popcorn Time built with upstream NW.js[6] succeeds and runs, although the internal media player will not be able to play back a lot of media due to lack of codecs, so you'd have to use an external media player in many cases. Despite the inconvenience, this seems to be the safest option for now.</div><br>
<div>[1]: https://github.com/popcorn-official/popcorn-desktop/blob/development/gulpfile.js#L128</div><br>
<div>[2]: https://github.com/butterproject/nwjs-build</div><br>
<div>[3]: https://github.com/popcorn-official/popcorn-desktop/issues/624#issuecomment-334867531</div><br>
<div>[4]: https://github.com/butterproject/butter-desktop/issues/647#issuecomment-303867333</div><br>
<div>[5]: http://builds.butterproject.org/nw/</div><br>
<div>[6]: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=popcorntime-git#n32</div><br><br>
<div>On 07/21/2018 09:53 AM, Giovanni Santini (ItachiSan) wrote:</div>
<blockquote><div>I would like to point out the following facts:</div>
<div>The package I do provide is built from source, based on the code hosted here: https://github.com/popcorn-official/popcorn-desktop</div>
<div>You can report found spyware there (can you prove to me there is any? A clamscan?)</div>
<div>On my side, I have no malware:</div>
<div>$ clamscan /mnt/build/archlinux/chroots/bauerbill/popcorntime/popcorntime-0.3.10-8-x86_64.pkg.tar.xz</div>
<div>/mnt/build/archlinux/chroots/bauerbill/popcorntime/popcorntime-0.3.10-7-x86_64.pkg.tar.xz: OK</div>
<div>I could approve of that for redistributed binary builds, but this is not the case, as users build the package themselves.</div><br>
<div>The sources you provide are by far more suspicious, as the website you point to redirects to a Git repository whose homepage is a non-existent one.</div><br>
<div>The claims provided in the link are quite general; there is no actual proof, and the link provided by the 'spyware team', which is:</div>
<div>https://blog.popcorntime.sh/popcorn-time-safety-and-ransomware/</div>
<div>provides a far better description and information.</div>
<div>To finish up, deleting the package is something I wouldn't like to do; I would be glad to switch to another fork, if you can provide me a good one.</div><br>
<div>Giovanni Santini, Computer scientist and geek</div>
<div>giovannisantini93@yahoo.it</div>
<div>https://giovannisantini.tk</div><br>
<div>On Jul 17 2018, at 8:18 am, notify@aur.archlinux.org wrote:</div>
<blockquote><div>flacks [1] filed a deletion request for popcorntime [2]:</div>
<div>Package reportedly distributes viruses/spyware https://www.popcorn-time.is/official-statement.html</div><br>
<div>[1] https://aur.archlinux.org/account/flacks/</div>
<div>[2] https://aur.archlinux.org/pkgbase/popcorntime/</div></blockquote></blockquote></div></blockquote>
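Jean's check above (comparing the get.popcorntime.sh NW.js build against the upstream one by file size, and ideally by checksum) can be automated. The following is an added example and is not code from this thread, from the AUR package, or from either project: it hashes every regular file in two extracted release directories and reports files that are modified, missing or extra, keyed by relative path. The directory names and the sample file contents in `make_demo_trees` are constructed for the demonstration so the script runs offline; on a real system you would point `compare_trees` at the extracted official nw.js release and the extracted vendor build.

```shell
#!/bin/sh
# Added example: compare a vendor-supplied NW.js tree against the official one.
# Assumes both archives have already been extracted into two directories.

# SHA-256 of one file; falls back to shasum where sha256sum is absent (e.g. macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Emit "sha256<TAB>size<TAB>path" for every regular file under a tree, sorted by path.
tree_manifest() {
  ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s\t%s\t%s\n' "$(hash_file "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done )
}

# Report files in the candidate tree ($2) that differ from the reference tree ($1).
# Prints one line per MODIFIED / MISSING / EXTRA file; returns 1 if any were found.
compare_trees() {
  ref_manifest=$(mktemp) && cand_manifest=$(mktemp) || return 2
  tree_manifest "$1" > "$ref_manifest"
  tree_manifest "$2" > "$cand_manifest"
  awk -F'\t' '
    FILENAME == ARGV[1] { refhash[$3] = $1; refsize[$3] = $2; next }
    {
      if (!($3 in refhash)) {
        print "EXTRA " $3 " (not in reference build)"; bad++
      } else {
        if (refhash[$3] != $1) {
          print "MODIFIED " $3 " (size " refsize[$3] " -> " $2 ")"; bad++
        }
        delete refhash[$3]
      }
    }
    END {
      for (p in refhash) { print "MISSING " p " (in reference build only)"; bad++ }
      exit (bad > 0)
    }
  ' "$ref_manifest" "$cand_manifest"
  rc=$?
  rm -f "$ref_manifest" "$cand_manifest"
  return $rc
}

# Constructed sample trees (not real NW.js files) so the script runs offline:
# the "vendor" tree has a rebuilt nw binary, one added library and one dropped library.
make_demo_trees() {
  root=$(mktemp -d) || return 2
  mkdir -p "$root/official/lib" "$root/vendor/lib"
  printf 'nw v0.31 official\n'     > "$root/official/nw"
  printf 'libffmpeg official\n'    > "$root/official/lib/libffmpeg.so"
  printf 'libnode official\n'      > "$root/official/lib/libnode.so"
  printf 'nw v0.31 custom build\n' > "$root/vendor/nw"
  printf 'libffmpeg official\n'    > "$root/vendor/lib/libffmpeg.so"
  printf 'extra payload\n'         > "$root/vendor/lib/libextra.so"
  printf '%s\n' "$root"
}

# Usage: ./compare_nwjs.sh <official-tree> <vendor-tree>, or --demo for the sample data.
if [ "${1:-}" = "--demo" ]; then
  demo=$(make_demo_trees)
  compare_trees "$demo/official" "$demo/vendor"
  echo "exit status: $?"
elif [ $# -eq 2 ]; then
  compare_trees "$1" "$2"
fi
```

A non-empty report only says the two builds differ, which is expected for a build that PT describes as custom; its value is that it narrows the review to the files that actually changed instead of the whole tree. Matching hashes across the board are the positive evidence the thread is waiting on, and they are stronger than a clean clamscan, which only shows that no file matches a known signature.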