Housekeeping #3160
oprphaned blacklisted packages in the repos
0%
Description
electron11, electron12, electron13, electron14, electron15, and dependents thereof including react-native-debugger, cozy-desktop, and bitwarden are somehow in the repos despite also being on the blacklist.
The same goes for emby-theater although it is not on the blacklist and has no explicit dependency on electron.
element-web is not on the blacklist but does have explicit dependence on electron.
History
Updated by bill-auger over 2 years ago
i confirm that those packages are in the repos - im not sure how that happened - but FWIW, pacman refuses to install those packages, as expected
$ sudo pacman -S electron15 [sudo] password for bill: resolving dependencies... looking for conflicting packages... :: electron15 and your-freedom are in conflict. Remove your-freedom? [y/N] y error: failed to prepare transaction (could not satisfy dependencies) :: removing your-freedom breaks dependency 'your-freedom' required by base $ sudo pacman -S electron15 [sudo] password for bill: resolving dependencies... looking for conflicting packages... :: electron15 and your-freedom are in conflict. Remove your-freedom? [y/N] n error: unresolvable package conflicts detected error: failed to prepare transaction (conflicting dependencies) :: electron15 and your-freedom are in conflict
it may be a good idea to have the repo-linter check for those routinely
Updated by gap over 2 years ago
Will emby-theater install?
It isn't on the blacklist and has no explicit dependency listed for Electron, so it won't conflict with your-freedom.
Updated by gap over 2 years ago
I just checked to see if this is limited to electron, and it turns out that another blacklisted package, discord-canary, is present in the repos.
Are the repos out of sync with the blacklist, or did the program which purges the blacklisted packages fail, perhaps?
I'm not familiar with the server-side machinery which maintains the repos, although I'd love to learn.
Updated by bill-auger over 2 years ago
FWIW elemental-web deserve special note - its specific purpose is to not depend on electron; but to allow the user to run it in each's preferred web browser - it is exemplary of libre-minded web-development
it looks that several others have slipped-in or been orphaned over the years - the linter could report something like so:
$ blacklist_file=/usr/share/doc/your-freedom/blacklist.txt $ pkgs=( $(cut -f 1 -d ':' $blacklist_file | grep -v '#') ) $ for pkg in ${pkgs[*]} > do pacman -Ss ^"${pkg}"$ | grep -vE ^' |libre|nonsystemd' && echo "$pkg" >> logfile > done .... $ wc -l logfile 19 logfile
Updated by bill-auger over 2 years ago
- Priority changed from bug to freedom issue
- Status changed from unconfirmed to open
- Subject changed from Many electron packages are somehow in the repos to oprphaned blacklisted packages in the repos
- Tracker changed from Freedom Issue to Housekeeping
setting to 'housekeeping' - i doubt that parabola's pacman would install any of these
Updated by bill-auger over 2 years ago
- Assignee set to bill-auger
- Status changed from open to in progress
some of those were false-positives - it happened because the SSL cert expired for git.parabola.nu, causing the repo importer's blacklist filter to fallback on its previous cached version; so newly blacklisted packages (since ~december) were not filtered
ive resolved this ticket and wrote a script to detect future freezes, if needed for the repo-linter - those packages should delete themselves within a few hours
Updated by gap over 2 years ago
As far as element-web goes, at least it doesn't depend on electron and is ethical in that it's free software and a step towards decentralised and private messaging, but as a technical opinion, JS is a terrible language, and relying on a web browser for secure messaging is a beyond terrible idea.
Thank you for blacklisting emby-theater and fixing this issue essentially overnight. :)
Please may I be pointed towards the server-side infrastructure repo?
I see the blacklist and abslibre repos, but I can't find the repo-linter you're referring to.
I'd like to learn how it works and help build/maintain packages once I've learnt enough.
Updated by bill-auger over 2 years ago
the blacklist is not in abslibre - it has its own repo
https://git.parabola.nu/blacklist.git/
thre repo-linter code is also a git repo git.parabola.nu
https://git.parabola.nu/~oaken-source/parabola-repolint.git/
there is probably very little to be learned about packaging, by
reading the repo=linter - the parabola and arch wikis are far
better resources for learning arch packaging