packages icon indicating copy to clipboard operation
packages copied to clipboard
verified publisher icon getsolus

Packages with insecure `http` or dead link as homepage

Open malfisya opened this issue 1 year ago • 12 comments

There are packages in our repository that is not using https in homepage and source keys. We need to fix it.

You can also check the list of packages with http homepage yourself using rg:

# Go to your local clone of packages repository
rg --files-with-matches "homepage\s*:\s*http:" -g '*package.yml'

Guidance on fixing

  • Refer to our help site if you are new to packaging and need to set up your system: https://help.getsol.us/docs/packaging/prepare-for-packaging
  • homepage goes after source, see https://help.getsol.us/docs/packaging/package.yml. Some existing package.yml will have homepage in other places; don't worry about that
  • If the homepage uses http replace it with https, make sure the https homepage works
  • If an appropriate website exists for the package then that may be used
  • If the package does not have the appropriate website, it should be replaced with the upstream git repository link.
    • Example: the homepage for four-in-a-row should be moved to https://gitlab.gnome.org/GNOME/four-in-a-row from https://wiki.gnome.org/Apps/Four-in-a-row as no other website exists.
  • BONUS POINT Make sure that the source key is not http
  • After you have replaced the homepage, rebuild the package. This checks that the homepage was added correctly.
  • One Pull Request for each package
  • If you would like to fix many packages you can pick a letter and fix packages starting with that letter

List

  • 192 packages
  • https://gist.github.com/malfisya/ffec312263d1dca259af75ac36a874ef

malfisya avatar Apr 26 '25 03:04 malfisya

Three packages will be missed by the provided ripgrep command.

packages/c/comar/package.yml packages/c/ctags/package.yml packages/l/libdaemon/package.yml

This will catch them:

rg --files-with-matches "homepage\s*:\s*http:" -g '*package.yml'

HarveyDevel avatar May 01 '25 05:05 HarveyDevel

Three packages will be missed by the provided ripgrep command.

packages/c/comar/package.yml packages/c/ctags/package.yml packages/l/libdaemon/package.yml

This will catch them:

rg --files-with-matches "homepage\s*:\s*http:" -g '*package.yml'

I wonder if ripgrep should be added to the "Installing development tools" page?

Chris

chrisdebian avatar Oct 16 '25 17:10 chrisdebian

I wonder if ripgrep should be added to the "Installing development tools" page?

I don't think so. ripgrep is not necessarily needed for the packaging process. It is a good tool to know and learn. All the packages mentioned in the page are strictly related to the tooling (eopkg, solbuild , ypkg and various scripts) that we have.

malfisya avatar Oct 18 '25 11:10 malfisya

Ok, I guess people reading this thread, in the future, will just have to Google 'rg' and install it, like I did.

Chris

chrisdebian avatar Oct 18 '25 12:10 chrisdebian

Just in case we can get any quick wins, I exported the list of packages that needed fixing, extracted the email addresses of the maintainers, removed any duplicates, and dropped them a quick (Bcc) email. @nelsontkq , just wondering if the dotnet-cli package is one of yours, as it may be missing maintainer information, according to the information from Repology:

Image

Thanks,

Chris.

chrisdebian avatar Oct 18 '25 18:10 chrisdebian

That was an intermediary package used when I split the package to latest and lts versions. Here's a PR to deprecate it

nelsontkq avatar Oct 18 '25 21:10 nelsontkq

The dead link detection that Repology performs doesn't seem very reliable. After @chrisdebian emailed me I went and checked for issues with protonmail-bridge, which I maintain. Repology lists the URL https://proton.me/mail/bridge as dead for 51 days which it is not.

I got curious and checked the first errors it lists in alphabetic order.

  • acccheck (reported dead, working perfectly)
  • anthy (reported as dead, actually dead)
  • blender (reported dead, working perfectly)
  • brother-dcp1510 (reported dead, working perfectly)
  • brscan4 (same URL as brother-dcp1510, same report)
  • busybox (reported dead, working perfectly)
  • calf (certificate error correctly reported)

5 out of 7 are incorrectly reported as dead.

FriesischScott avatar Oct 23 '25 18:10 FriesischScott

I am dropping Repology data as the basis of this issue. The issues flagged by Repology contains many false positives and sometimes outright wrong. We will focus on what is visible on our repo (via ripgrep).

malfisya avatar Nov 01 '25 11:11 malfisya

Didn't realize it is already under 100 packages 🎉

malfisya avatar Nov 15 '25 15:11 malfisya

Last mile tracker

Packages that are in a, b, d, l, n, ~~m~~, ~~p~~, py, q, r, s, t, u, ~~v~~, w, and y are still available.

  • @androidnisse tagged Py for themselves
  • @Jaredy899 tagged P for themselves

malfisya avatar Nov 15 '25 15:11 malfisya

Don't know if it is tracked or not but the current homepage for the below packages do not have a certificate.

  • seccure
  • shntool
  • socat

androidnisse avatar Nov 15 '25 19:11 androidnisse

python-pycurl has a broken certificate. This is reported as an issue on their github page.

androidnisse avatar Nov 16 '25 11:11 androidnisse