helixarch / debtap

A script for converting .deb packages into Arch Linux packages, focused on accuracy
GNU General Public License v2.0
1.35k stars, 78 forks

malware? #45

Closed m-c-g closed 4 years ago

m-c-g commented 4 years ago

Why is cryptoseed getting installed as a dependency when packages such as Thorium reader, vivaldi, and slimjet are installed via debtap?

helixarch commented 4 years ago

Cryptoseed is one of the packages included in the official repositories of Manjaro; it is not part of the Arch repositories. It is claimed to be safe by the Manjaro developers. It is detected as a dependency by the algorithms of debtap, but you can easily remove it by editing .PKGINFO during conversion. I have no intention to distribute malware, if you really think it is such. Even better, don't use debtap for packages that can be found in AUR. Thank you.

m-c-g commented 4 years ago

Thorium reader is not available in AUR. I've compiled it on MacOS, but didn't have all the tools installed on Manjaro. The other packages are ones that I've seen mentioned in Manjaro forums that exhibit the same behavior with debtap. I know that Vivaldi is in the repositories as I have it installed. I emailed the developers of Thorium to let them know what I was seeing and how I made the connection to debtap from the forums.

I'm guessing that somehow the package got pulled in as a dependency of one of thorium's dependencies. I don't know enough about it to blame the repository, debtap, or both.

The Manjaro versions of these deb packages: libgtk-3-0, libnotify4, libnss3, libxss1, libxtst6, xdg-utils, libatspi2.0-0, libuuid1, libappindicator3-1, libsecret-1-0 shouldn't depend on a crypt wallet password generator (or whatever it is). (Those are the dependencies for EDRLab.ThoriumReader_1.1.2-alpha.1.2162_amd64.deb)

Perhaps, at least, documenting that this kind of thing might occur and how to work around it would be a good idea. Thank you for your efforts and apologies if I came off sounding like I was accusing you of anything. I thought you might have been hacked somehow.
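One way to apply the workaround helixarch describes, reviewing the `depend =` entries debtap wrote into .PKGINFO against the names you expect from the .deb's Depends field before installing anything, as an added example that is not part of debtap or of this thread. The sample .PKGINFO, the package names and the Debian-to-Arch name mapping in EXPECTED are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample .PKGINFO in the format debtap writes into the converted
# package; on a real package read it with:  bsdtar -xOf pkg.pkg.tar.zst .PKGINFO
PKGINFO='pkgname = thorium-reader
pkgver = 1.1.2-1
pkgdesc = constructed sample
depend = gtk3
depend = libnotify
depend = nss>=3.0
depend = cryptoseed
depend = xdg-utils'

# Arch names the reviewer expects, mapped by hand from the .deb Depends field
# (dpkg-deb -f pkg.deb Depends). The mapping below is an assumption for this sample.
EXPECTED='gtk3 libnotify nss libxss libxtst xdg-utils at-spi2-core libsecret'

# List every "depend = " entry of a .PKGINFO, one per line, version constraints stripped.
pkginfo_depends() {
  printf '%s\n' "$1" | sed -n 's/^depend = //p' | sed 's/[<>=].*$//'
}

# Print the .PKGINFO dependencies that are not in the expected list ($2, space separated).
unexpected_depends() {
  pkginfo_depends "$1" | while IFS= read -r dep; do
    found=0
    for want in $2; do
      [ "$dep" = "$want" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
      printf '%s\n' "$dep"
    fi
  done
}

# Return 1 when anything unexpected is present, so the check can gate an install.
check_pkginfo() {
  extra=$(unexpected_depends "$1" "$2")
  if [ -n "$extra" ]; then
    printf 'unexpected dependencies in .PKGINFO, edit before installing:\n%s\n' "$extra" >&2
    return 1
  fi
  return 0
}

if check_pkginfo "$PKGINFO" "$EXPECTED"; then
  echo "dependency list matches expectations"
else
  echo "review .PKGINFO before running pacman -U"
fi
```

Running the check on the sample reports `cryptoseed` as the only entry not derived from the .deb's dependencies.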