NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

official zeronet is abandoned, please patch or replace with active forks #173276

Closed caryoscelus closed 2 years ago

caryoscelus commented 2 years ago

even though Nix contains the latest official release of ZeroNet , official version is no longer updated and is becoming harder and harder to use (the most important thing – tor onion-v3 compatibility – can be solved with a patch) . however , we have a couple of more or less active forks (i'm the lead developer/maintainer of https://github.com/zeronet-conservancy/zeronet-conservancy) . i'm not sure what is the process of deprecating and replacing packages with forks , but since none of the forks can be considered official i feel like the best option is to make a package under new name and mark zeronet package as deprecated (suggesting updating to alternative)

Checklist
Project name

nix search name: zeronet
current version: 0.7.1
desired version: zeronet-conservancy and/or zeronetx

Notify maintainers

maintainers: @fgaz

Note for maintainers

Please tag this issue in your PR.

PS: i'm not yet Nix user (even though very excited by the distro and planning to switch on my next machine ^_^) , which is why i'm only submitting an issue rather than a PR myself

fgaz commented 2 years ago

Hi, thanks for reaching out!

We should definitely mark zeronet as deprecated sooner or later... a project like that needs security updates.

I see a couple of other forks (and even a rust reimplementation!) but yours does look like the most active. One of the forks is even named like one of your suggestions, zeronetx, and it'd be best to avoid confusion. Maybe you could collaborate with @canewsin and/or @geekless so that there's more consensus on a successor?

cc @Madouura, what do you think?

Madouura commented 2 years ago

I'm not entirely sure, but I'm leaning towards keeping the zeronet package as-is, but throwing a warning somewhere and a suggestion to use something like zeronet-conservancy. How does marking as deprecated work in nixpkgs?

caryoscelus commented 2 years ago

> Maybe you could collaborate with @canewsin and/or @geekless so that there's more consensus on a successor?

i've been trying to contact @geekless since i've learned about the two forks situation , but to no avail . while they haven't disappeared off the online as completely as @shortcutme , they don't answer any inquirers in regards to zeronet or anything else . if i manage to contact them i'd be glad to discuss the future of 0net and/or consolidate efforts . the idea of integrating changes @geekless made is on the table though , but it'll require quite a lot of auditing (the branch is called massive-rework ^_^)

as for @canewsin , i consider their approach to fork harmful to community (i don't want to sound like i'm keen for drama , but the reason i've made my fork in the first place is that i think impersonating official zeronet (that was made on the network , wikipedia and zeronetx project page which copied original official site without changing the name or mentioning that it's a fork – it took like a month to convince to add distinguishing branding) is very bad , regardless of whether intentions or the code itself is malicious or not) , and our conversations didn't bring much fruitfulness so unless there's someone to mediate i don't think there's much hope for consensus

> One of the forks is even named like one of your suggestions, zeronetx

yeah , i was referring specifically to that fork ;)

vcunat commented 2 years ago

If it has security issues, I'd suggest `meta.knownVulnerabilities = [ "some explanation" ];` (or CVE numbers if they exist)
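
What the `meta.knownVulnerabilities` suggestion above does for users, as an added example that is not code from nixpkgs, from #173900 or from anyone in this thread. The derivation is a constructed stand-in that only borrows the name and version quoted in the issue, the advisory string is a placeholder, and `<nixpkgs>` is assumed to resolve through `NIX_PATH`.

```nix
# example.nix (constructed illustration)
let
  # Build the same stand-in package under a given nixpkgs config.
  standIn = config:
    let
      pkgs = import <nixpkgs> { inherit config; };
    in
    pkgs.stdenv.mkDerivation {
      pname = "zeronet";
      version = "0.7.1";

      # No source: the stand-in just creates an empty output.
      dontUnpack = true;
      installPhase = "mkdir -p $out";

      meta = {
        description = "Stand-in for an unmaintained package";
        # Any non-empty list marks the package insecure. The strings are
        # shown to the user in the refusal message, so they should say
        # what is wrong and what to use instead.
        knownVulnerabilities = [
          "PLACEHOLDER: upstream is abandoned; switch to a maintained fork"
        ];
      };
    };
in
{
  # Default policy: `nix-build example.nix -A strict` is refused at
  # evaluation time with an "insecure package" error listing the strings.
  strict = standIn { };

  # Per-package opt-in, matched on "<pname>-<version>". This is the
  # narrow escape hatch; it does not allow other insecure packages.
  optIn = standIn {
    permittedInsecurePackages = [ "zeronet-0.7.1" ];
  };
}
```

Because the opt-in is keyed on name and version, a later version bump of a flagged package requires users to acknowledge the risk again.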

fgaz commented 2 years ago

The zeronet package is indeed vulnerable. I did some research about the fork and I'm in favor of pushing users towards zeronet-conservancy.

I opened #173900 to address this.