Debian package #241
Comments
|
Nice, built-in bootstrapping supported since 0.3.5, so you don't need separate bittorrent tracker.
example: https://github.com/HelloZeroNet/ZeroNet/blob/master/src/Config.py#L34 (the #... thing is only needed for ssl cert pinning to avoid mitm, you can skip that part) |
|
Oh that's interesting. I'll do more testing and see if I can eliminate the separate tracker. Also note that there is a hack which prevents the system from hanging indefinitely when on a mesh. https://raw.githubusercontent.com/bashrc/zeronet-debian/master/start-zeronet-mesh Ideally this might be a command option. |
|
Adjusted this to use the built-in bootstrapping. |
|
Could you post a Debian RFP please? Try to get this into official Debian repositories? |
|
Ok |
Any updates? |
|
As with previous attempts to get packages into debian, I post an RFP and then no replies. If anyone reading this is a debian developer and can help then let me know. |
|
RFP is request for packaging aka feature request. Gets a lot less There is a good chance, that Debian team PkgPrivacyMaintainers would be https://wiki.debian.org/Teams/PkgPrivacyMaintainers?action=show&redirect=Teams%2FAnonymityTools Please consider signing up to and contacting them on the https://lists.alioth.debian.org/mailman/listinfo/pkg-privacy-maintainers |
|
Ok I'll try that. |
|
Any updates ? |
|
@bashrc ? |
|
No updates. As mentioned, I've tried a few times to get various things into Debian but had no success. |
|
Debian RFP posted here: |
|
We at Whonix (anonymous operating system) (a derivative of Debian) like ZeroNet. If it was installable from packages.debian.org, we would very likely install it by default in the next release. Thank you for working on ZeroNet! |
|
DD here. Building an official Debian package is not going to be easy due to the many dependencies in src/lib that need to be unvendorized (hopefully not all of them) and packaged independently where needed. A good introduction for upstream developers to make distro-friendly applications: https://wiki.debian.org/UpstreamGuide See also #382 Edit: also, there are relevant comments about ZeroNet security in the following thread: https://news.ycombinator.com/item?id=14041077 |
|
I doubt debian will accept packages that are hacking source code. It's really bad practices and should be avoid IMO. |
|
@HelloZeroNet Please, add some labels, it's important issue. |
|
Zeronets Python3 version is again very very hard to package for Debian as a lot of python3 modules it depends on are not in Debian (Testing/Sid) or disappeared from Debian due to security concerns or simply because they were deprecated. Would be nice if this could be taken care of somehow by maybe choosen modules that aren't deprecated. edit: In details I meant mostly pyelliptic. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882561 |
|
I also not happy about pyelliptic dependency, but unfortunately I have not found any other package that support ECIES encryption using OpenSSL. (required by CryptMessage plugin) |
|
I heard of other security concerns especially around having to run javascript in the browser e.g. #962 |
minified javascript is always looked at great suspicion in Debian and IMO, rightly so as any malicious could be transported in a compressed format. There is also this https://www.gnu.org/philosophy/javascript-trap.html That being said, there is lot of javascript tools which are being built in Debian but only if things are done in the right way. The social contract and Guidelines are great starting points https://www.debian.org/social_contract#guidelines as well as https://mentors.debian.net/intro-maintainers to get hooked into the whole thing. |
|
The problem is not about minification. ZeroNet is encouraging users to load contents and run untrusted js from anonymous sources without any vetting or whitelisting. Contrasted to the traditional web or Tor it is much easier for an attacker to inject malicious code without being detected. |
That is also the problem, but then AFAIK this is how things are in regular browsers as well. I don't know of any steps taken by mainstream browsers not to run untrusted js unless you are aware of the issues. |
|
I'm totally understand and accept if it does not get accepted to the repository, but ZeroNet does not runs any untrusted js code on the computer. If they have problem with that concept, then they should remove the Firefox package. As for the minified javascript: What would be the correct way to do it? Include it jquery in non-minified form is fine? |
I've made a Debian package, available at https://github.com/bashrc/zeronet-debian
It's intended for Debian 8+, since it uses systemd. If anyone wants to test it that would be nice.
The text was updated successfully, but these errors were encountered: