Topic: The community helping the community.
At the https://forums.hyperbola.info/viewtopic … 8101#p8101 topic I was not trying to mix minetest and radare2 from a patching point, but for this first part I saw
minetest: remove package, upstream has no interest to work together for older versions
so minetest developers may not backport security fixes to old releases.
Then about this first part I saw
We do not backport security fixes to old releases.
in the SECURITY.md file.
So I thought for this first part of the topic that the Hyperbola community also looks for packages that get upstream backport patch help.
And if upstream the developers did not have "interest to work together for older versions" for those downstream for backports then it may be removed.
I did see a minetest patch may not have helped as there may have been or still are "several other vulnerabilities" but I was mostly seeing how Hyperbola developers handled an upstream package, like minetest, that did not backport security fixes to old releases, as it looked like radare2 had a similar policy about backports.
https://wiki.hyperbola.info/doku.php?id … philosophy
For the second part of this topic I did not know there was a "CURRENT" thread about radare2 to post at. Nor did I wish to make more work for anyone.
But if anyone on the forum also had more information about radare2 or the CVE things then a community/anyone_on_this_forum could also post a fix, or idea about what to do about radare2 here.
As there may also be many people who use the forum who also could help find or make a solution that could be acceptable to both the Hyperbola's main team as well as others. So everyone may find a solution that works best for them, as well as hopefully others as well. Be it a patch, fork, or removal, or something else.
https://wiki.hyperbola.info/doku.php?id … y_software
I did not yet look that much for a solution as I did not use this program much. I think I only tested this with the graphical radare2 once, and that was some time ago. I think the name was radare2-cutter, though I do not know.
Nor did I know what the community/anyone thought to do in this case. So this topic was made to see what anyone thought was the best policy/thing_to_do.
If there is a better place to post ways_forward/community_policy discussions about packages/policies I could use that.
Maybe the IRC channel could have been better, though a forum post could help in case many people do not login at the same time. As clear communication between all involved in anything can help, though I do not wish to send too much text, as that could fill a "chat log" or forum.
https://wiki.hyperbola.info/doku.php?id … c_channels
Maybe a distributed communication thing could help, though I see
also social implications as no platform has brought people more together
https://forums.hyperbola.info/viewtopic … 8063#p8063
and I may also think that "a specialized forum and smaller communities" could help.
So that is why I thought the forum was a nice place to post it at.
Thank you, throgh, for the information about that there are more minetest problems. Though I mostly was looking about any Hyperbola policy of what to do about updates/upstream problems with any program, as the community may have had/has ideas about how to handle that, to also help out the main developers.
I also do not know much yet about how to fix/fork minetest to remove its vulnerabilities. Or where to find out more information about those vulnerabilities, as those may not yet be listed at https://cve.mitre.org/cgi-bin/cvekey.cg … d=minetest
Or a fix for radare2, but the community may have known and also could help the main developers.
So I can see removing a package with known vulnerabilities can help security. Till the community thinks of a solution that everyone may like.
Also thank you for the information about radare2.
Same for radare2. Closing thread.
This post is partly to say thank you for the information about radare2.
I just reported quickly at the other post to not ignore any issue I may have found, as the community may have found a way forward, even if I did not yet.
The main reason for this post is for the community to post about "community-oriented and -driven software" as well as typing about the best way the community can help/support_each_other make software "from the community for the community" and for the community to type about the best way for the community to communicate with the community.
Maybe a community made program to communicate with the community will be the first thing typed about by the community, to keep communications open.
Though the community can also use the forum.