Debian package #241

Open
ghost opened this issue Jan 18, 2016 · 26 comments

@ghost ghost commented Jan 18, 2016

I've made a Debian package, available at https://github.com/bashrc/zeronet-debian

It's intended for Debian 8+, since it uses systemd. If anyone wants to test it that would be nice.

Owner

@HelloZeroNet HelloZeroNet commented Jan 18, 2016

Nice, built-in bootstrapping has been supported since 0.3.5, so you don't need a separate BitTorrent tracker.

  • Rename plugins/disabled-Bootstrapper to plugins/Bootstrapper
  • Add zero://bootstrapperhost:15441 to trackers list

example: https://github.com/HelloZeroNet/ZeroNet/blob/master/src/Config.py#L34 (the #... thing is only needed for ssl cert pinning to avoid mitm, you can skip that part)

Author

@ghost ghost commented Jan 18, 2016

Oh that's interesting. I'll do more testing and see if I can eliminate the separate tracker.

Also note that there is a hack which prevents the system from hanging indefinitely when on a mesh.

https://raw.githubusercontent.com/bashrc/zeronet-debian/master/start-zeronet-mesh

Ideally this might be a command option.

Author

@ghost ghost commented Jan 25, 2016

Adjusted this to use the built-in bootstrapping.

Contributor

@adrelanos adrelanos commented Feb 20, 2016

Could you post a Debian RFP please? Try to get this into official Debian repositories?

Author

@ghost ghost commented Feb 21, 2016

Ok

Contributor

@adrelanos adrelanos commented Jun 15, 2016

> @adrelanos
>
> Could you post a Debian RFP please? Try to get this into official Debian repositories?
>
> @bashrc
>
> Ok

Any updates?

Author

@ghost ghost commented Jun 15, 2016

As with previous attempts to get packages into Debian, I post an RFP and then get no replies. If anyone reading this is a Debian developer and can help, then let me know.

Contributor

@adrelanos adrelanos commented Jun 15, 2016

RFP is request for packaging aka feature request. Gets a lot less attention. If you are willing to contribute it, the RFP can be turned into an ITP, which is intent to package, then chances are a lot better.

There is a good chance that Debian team PkgPrivacyMaintainers would be interested and supportive.

https://wiki.debian.org/Teams/PkgPrivacyMaintainers?action=show&redirect=Teams%2FAnonymityTools

Please consider signing up to and contacting them on the pkg-privacy-maintainers mailing list

https://lists.alioth.debian.org/mailman/listinfo/pkg-privacy-maintainers

Author

@ghost ghost commented Jun 15, 2016

Ok I'll try that.


@shirishag75 shirishag75 commented Aug 23, 2016

Any updates?

Contributor

@adrelanos adrelanos commented Jan 5, 2017

Author

@ghost ghost commented Jan 5, 2017

No updates. As mentioned, I've tried a few times to get various things into Debian but had no success.

Contributor

@adrelanos adrelanos commented Jan 6, 2017

Contributor

@adrelanos adrelanos commented Jan 24, 2017

We at Whonix (anonymous operating system) (a derivative of Debian) like ZeroNet. If it was installable from packages.debian.org, we would very likely install it by default in the next release.

Thank you for working on ZeroNet!


@FedericoCeratto FedericoCeratto commented Jan 24, 2017

DD here. Building an official Debian package is not going to be easy due to the many dependencies in src/lib that need to be unvendorized (hopefully not all of them) and packaged independently where needed.

A good introduction for upstream developers to make distro-friendly applications: https://wiki.debian.org/UpstreamGuide

See also #382

Edit: also, there are relevant comments about ZeroNet security in the following thread: https://news.ycombinator.com/item?id=14041077

Author

@ghost ghost commented Apr 1, 2017

I doubt Debian will accept packages that are hacking source code. It's really bad practice and should be avoided IMO.

Contributor

@sergei-bondarenko sergei-bondarenko commented Aug 15, 2017

@HelloZeroNet Please add some labels, it's an important issue.

Contributor

@anoadragon453 anoadragon453 commented Sep 9, 2018

Just a heads up that the debian package code is mirrored here and here


@satoshisfriendz satoshisfriendz commented Sep 12, 2018

> Just a heads up that the debian package code is mirrored here and here

Good idea!


@llelectronics llelectronics commented Mar 19, 2019

ZeroNet's Python 3 version is again very, very hard to package for Debian, as a lot of the Python 3 modules it depends on are not in Debian (Testing/Sid) or disappeared from Debian due to security concerns or simply because they were deprecated. It would be nice if this could be taken care of somehow, maybe by choosing modules that aren't deprecated.

Edit: In detail, I meant mostly pyelliptic. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882561

Other issues because not packaged are:

  • merkletools
  • pyelliptic
  • geventwebsocket
  • bencode
  • coincurve

Owner

@HelloZeroNet HelloZeroNet commented Mar 19, 2019

I'm also not happy about the pyelliptic dependency, but unfortunately I have not found any other package that supports ECIES encryption using OpenSSL (required by the CryptMessage plugin).


@FedericoCeratto FedericoCeratto commented Mar 19, 2019

I heard of other security concerns especially around having to run javascript in the browser e.g. #962
I doubt ZeroNet will be accepted in Debian.


@shirishag75 shirishag75 commented Mar 19, 2019

> I heard of other security concerns especially around having to run javascript in the browser e.g. #962
> I doubt ZeroNet will be accepted in Debian.

Minified JavaScript is always looked at with great suspicion in Debian and, IMO, rightly so, as anything malicious could be transported in a compressed format. There is also this: https://www.gnu.org/philosophy/javascript-trap.html

That being said, there are a lot of JavaScript tools which are being built in Debian, but only if things are done in the right way. The social contract and Guidelines are great starting points https://www.debian.org/social_contract#guidelines as well as https://mentors.debian.net/intro-maintainers to get hooked into the whole thing.


@FedericoCeratto FedericoCeratto commented Mar 19, 2019

The problem is not about minification. ZeroNet is encouraging users to load contents and run untrusted js from anonymous sources without any vetting or whitelisting. Contrasted to the traditional web or Tor it is much easier for an attacker to inject malicious code without being detected.


@shirishag75 shirishag75 commented Mar 19, 2019

> The problem is not about minification. ZeroNet is encouraging users to load contents and run untrusted js from anonymous sources without any vetting or whitelisting. Contrasted to the traditional web or Tor it is much easier for an attacker to inject malicious code without being detected.

That is also the problem, but then AFAIK this is how things are in regular browsers as well. I don't know of any steps taken by mainstream browsers not to run untrusted js unless you are aware of the issues.

Owner

@HelloZeroNet HelloZeroNet commented Mar 19, 2019

I totally understand and accept if it does not get accepted to the repository, but ZeroNet does not run any untrusted js code on the computer. If they have a problem with that concept, then they should remove the Firefox package.

As for the minified JavaScript: what would be the correct way to do it? Is including jQuery in non-minified form fine?
