HelloZeroNet / ZeroNet

ZeroNet - Decentralized websites using Bitcoin crypto and BitTorrent network
https://zeronet.io

Debian package #241

Open ghost opened 8 years ago

ghost commented 8 years ago

I've made a Debian package, available at https://github.com/bashrc/zeronet-debian

It's intended for Debian 8+, since it uses systemd. If anyone wants to test it that would be nice.

HelloZeroNet commented 8 years ago

Nice, built-in bootstrapping has been supported since 0.3.5, so you don't need a separate BitTorrent tracker.

example: https://github.com/HelloZeroNet/ZeroNet/blob/master/src/Config.py#L34 (the #... thing is only needed for ssl cert pinning to avoid mitm, you can skip that part)

ghost commented 8 years ago

Oh that's interesting. I'll do more testing and see if I can eliminate the separate tracker.

Also note that there is a hack which prevents the system from hanging indefinitely when on a mesh.

https://raw.githubusercontent.com/bashrc/zeronet-debian/master/start-zeronet-mesh

Ideally this might be a command option.

ghost commented 8 years ago

Adjusted this to use the built-in bootstrapping.

adrelanos commented 8 years ago

Could you post a Debian RFP please? Try to get this into official Debian repositories?

ghost commented 8 years ago

Ok

adrelanos commented 8 years ago

> @adrelanos
>
> Could you post a Debian RFP please? Try to get this into official Debian repositories?
>
> @bashrc
>
> Ok

Any updates?

ghost commented 8 years ago

As with previous attempts to get packages into Debian, I post an RFP and then get no replies. If anyone reading this is a Debian developer and can help then let me know.

adrelanos commented 8 years ago

RFP is request for packaging aka feature request. Gets a lot less attention. If you are willing to contribute it, the RFP can be turned into an ITP, which is intent to package, then chances are a lot better.

There is a good chance that the Debian team PkgPrivacyMaintainers would be interested and supportive.

https://wiki.debian.org/Teams/PkgPrivacyMaintainers?action=show&redirect=Teams%2FAnonymityTools

Please consider signing up to and contacting them on the pkg-privacy-maintainers mailing list

https://lists.alioth.debian.org/mailman/listinfo/pkg-privacy-maintainers

ghost commented 8 years ago

Ok I'll try that.

shirishag75 commented 8 years ago

Any updates?

adrelanos commented 7 years ago

@bashrc ?

ghost commented 7 years ago

No updates. As mentioned, I've tried a few times to get various things into Debian but had no success.

adrelanos commented 7 years ago

Debian RFP posted here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850474

adrelanos commented 7 years ago

We at Whonix (anonymous operating system) (a derivative of Debian) like ZeroNet. If it was installable from packages.debian.org, we would very likely install it by default in the next release.

Thank you for working on ZeroNet!

FedericoCeratto commented 7 years ago

DD here. Building an official Debian package is not going to be easy due to the many dependencies in src/lib that need to be unvendorized (hopefully not all of them) and packaged independently where needed.

A good introduction for upstream developers to make distro-friendly applications: https://wiki.debian.org/UpstreamGuide

See also #382

Edit: also, there are relevant comments about ZeroNet security in the following thread: https://news.ycombinator.com/item?id=14041077

ghost commented 7 years ago

I doubt Debian will accept packages that are hacking source code. It's really bad practice and should be avoided IMO.

sergei-bondarenko commented 7 years ago

@HelloZeroNet Please add some labels, it's an important issue.

anoadragon453 commented 6 years ago

Just a heads up that the Debian package code is mirrored here and here

satoshisfriendz commented 6 years ago

> Just a heads up that the Debian package code is mirrored here and here

Good idea!

llelectronics commented 5 years ago

ZeroNet's Python 3 version is again very, very hard to package for Debian, as a lot of the Python 3 modules it depends on are not in Debian (Testing/Sid) or disappeared from Debian due to security concerns or simply because they were deprecated. It would be nice if this could be taken care of somehow, maybe by choosing modules that aren't deprecated.

Edit: In detail, I meant mostly pyelliptic. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882561 Other issues, because they are not packaged, are: merkletools, pyelliptic, geventwebsocket, bencode, coincurve

HelloZeroNet commented 5 years ago

I'm also not happy about the pyelliptic dependency, but unfortunately I have not found any other package that supports ECIES encryption using OpenSSL (required by the CryptMessage plugin).

FedericoCeratto commented 5 years ago

I heard of other security concerns, especially around having to run JavaScript in the browser, e.g. #962. I doubt ZeroNet will be accepted in Debian.

shirishag75 commented 5 years ago

> I heard of other security concerns, especially around having to run JavaScript in the browser, e.g. #962. I doubt ZeroNet will be accepted in Debian.

Minified JavaScript is always looked at with great suspicion in Debian and, IMO, rightly so, as anything malicious could be transported in a compressed format. There is also this: https://www.gnu.org/philosophy/javascript-trap.html

That being said, there are a lot of JavaScript tools which are being built in Debian, but only if things are done in the right way. The social contract and Guidelines are great starting points https://www.debian.org/social_contract#guidelines as well as https://mentors.debian.net/intro-maintainers to get hooked into the whole thing.

FedericoCeratto commented 5 years ago

The problem is not about minification. ZeroNet is encouraging users to load contents and run untrusted js from anonymous sources without any vetting or whitelisting. Contrasted to the traditional web or Tor it is much easier for an attacker to inject malicious code without being detected.

shirishag75 commented 5 years ago

> The problem is not about minification. ZeroNet is encouraging users to load contents and run untrusted js from anonymous sources without any vetting or whitelisting. Contrasted to the traditional web or Tor it is much easier for an attacker to inject malicious code without being detected.

That is also the problem, but then AFAIK this is how things are in regular browsers as well. I don't know of any steps taken by mainstream browsers not to run untrusted js unless you are aware of the issues.

HelloZeroNet commented 5 years ago

I totally understand and accept if it does not get accepted to the repository, but ZeroNet does not run any untrusted js code on the computer. If they have a problem with that concept, then they should remove the Firefox package.

As for the minified JavaScript: What would be the correct way to do it? Is including jQuery in non-minified form fine?