CHUM considered harmful

Yeah, with nonames posting their own phone-bricking scripts to Chum, it should be considered harmful by default. So far I assumed it is mostly upstream official packages getting an SFOS repackaging that Jolla couldn't be bothered to package themselves, but alas, anyone, it seems, can just point to their own GitHub and get it in Chum. So be aware, as there is no way to blacklist such happy authors: you either get the whole of Chum or nothing. Hopefully there is a solution to still get official packages without opening yourself to such an injection, but I'm not sure how it would work. In 12 years we had exactly one such repo/package in OpenRepos, 11 years ago; now Chum is another angle of attack, it seems, so beware and have a recent backup.

3 Likes

Any references to problematic content?

1 Like

Would avoid the latest adblock solutions (but with Chum the next better-adblock-2 can just put the problematic one in Requires and we're back to square one).

This is being a tad alarmist. You are free to install or not install whatever packages you like from Chum, just as with OpenRepos, or any FTP site you find. With Chum packages we guarantee the source is available, that it has been built with the latest SDK correct for your system, and that it is using an open source license. There are no other guarantees.

24 Likes

Maybe, but with 0 QA between testing and non-testing, maybe Chum should expose the 'maintainer' field like extras-devel did. Seeing a reputable name is behind packaging something should help alleviate some worries, and at least it seemed to work fine for Maemo. Currently some packages have the upstream developer name, some have sailfishos-chum and some have nothing; kind of a mess.


Chum doesn’t allow anonymous maintainers, so the data should be there?

Don't also forget that you have the choice between testing packages or not!

1 Like

That doesn't really help, as there is no QA between testing and non-testing. Maybe a third level of 'tested' should be added, with some way for trusted community members to vote if they use a given package and found no issues with it. That would require some extra development and infrastructure, though; exposing the maintainer account name should be pretty free in comparison.

2 Likes

I'm afraid this post accidentally also exposes a thing the Chum guys never wanted/planned (CHUM considered harmful - #6 by mips_tux):

you have the choice between testing packages or not !

There is no difference between testing and not, so the wording actually causes people to consider non-testing Chum as somehow trustworthy/tested, while all you get is 'it builds'. No Chum guy is testing them, but the populace gets a false feeling of security by not ticking that button.
Edit: trust is hard won and easily lost, with anon contributors now pushing experimental (or chatgpted) systemd services that they can't be arsed to test... We need chum-prod now more than ever, as the two steps below will be a mess. If the Chum guys consider Chum a random FTP/warez server where anything goes, then fine, but the title seems adequate then.

The testing repo is intended for package owners to ensure their packages build, before they are submitted to the chum admins to be promoted to the main repository.

If you do not wish to use chum, then do not use it, and stick with the Jolla store which has the resources to do QA on submissions.

4 Likes

Oh, the community that uses it has no resources to click a button 'this package works for me', suuure. But if this is Chum's official stance then it is harmful and should be treated as extras-devel.

Sure, if you want to consider it harmful, then go ahead. I, on the other hand, consider Chum quite trustworthy, and there has never been any mal-intent from any packager. Chum is -just- an OBS repository; there is no server backend with an API that would provide the facility you are talking about. If a GitHub URL is provided with a package, then a star count will be visible, but this is entirely optional.

3 Likes

You dismiss any proposals to make it actually trustworthy. How hard would it be to expose the maintainer's account name? 99.9% of them are trustworthy, so a new noname would be a red flag. How about adding some community voting on the packages to promote? Promoting from testing to chum:proper is currently just a formality with no checks; adding another level with votes from the community would be worthwhile, and should also be pretty easy to implement. Instead: we are just a random FTP/warez site, don't use.
Ok, I won't, but don't be surprised when people don't want to use your site if you can happily host RPMs functionally not much different from malware (bbbut they meant well).

Adding the maintainer name to the list view is probably pretty easy; please submit a feature request at GitHub.

The rest of the voting-style system just isn't possible with how Chum works. If you wish to build a server-side application to do this, and submit a PR to add it into Chum, then that would be a great addition. Thanks.

9 Likes

Thank you; the dismissive approach when Chum was hosting bricking packages was really not productive.
Edit: and I'm sure the community is full of productive and intelligent people that can come up with solutions to "community OBS is hosting malware and that's all you get, just read all the source code you download". Freaking extras-devel/testing/normal extras managed to fix that.

Actually it's even funnier: Chum staff will promote your package if it builds, and if it doesn't build... how would they even try to promote it? The technical check "your package builds" is already failing in :testing... Yeah, the testing<->nontesting split is imaginary, unless they can promote a non-building package, but what??? Are people going to download sources? The whole testing/nontesting split is theatre.
Edit2: yeah, the staff check is non-existent; chum:testing is functionally the same as chum. Wonder if @rainemak or @vige could chime in, if using forum accounts, and maybe their level could somehow be used for chum:prod promotions. Using randos from the street won't really work; tying 'tested' upvotes to forum accounts would make sense? But is it legal...

Hi, “chum guy” here.

I can't speak for all the contributors to Chum, but I can assure you things are tested before submitting, at least by me.
I test drive my own creations for a time, in some (well, at least one) cases literally years before publishing.

And I believe I can speak for other contributors and say you are out of place insulting all of us in this way.

Mistakes happen, though, and while sometimes very annoying things can happen, like in this case a non-booting system, these things are very rare and you are blowing things way out of proportion.

9 Likes

I am not insulting anyone; I kept this thread free from pointing fingers at any one package or maintainer. I am asking you guys to speak up on how you see this thing going forward. It is your reputation that is going down the drain when you accept chatgpt nonames into Chum and people are angry when they download a bricking package.
Edit: and if Chum hosting functional malware is not the right time to ask those questions, then it never will be, and the thread theme remains: it should be considered harmful. Again, someone refusing to address the situation and claiming downloading bricking software is fine, ok, but then it's fine for me to claim it's harmful.

What are you referring to with 'chatgpt nonames'... I thought the original issue was something to do with an adblocker?

1 Like

The guy was just throwing systemd configs that seemed to be from chatgpt at the wall. I have no proof it was a chatgpt developer (but the hallucinations would suggest that; does Chum have AI detection? Pointless anyway).

The real underlying issue is the fact that systemd on Sailfish OS can trivially (1) be configured such that the device won't boot, because systemd goes into its "rescue"/single-user mode without the chance of any input or output happening.

This is something that would merit tackling, not only for the two known cases of adblock packages triggering it but also e.g. in the 'half-updated-system' case.

(1) EDIT: and not only trivially but inadvertently. It's really hard to know which specific combination of unit dependencies can lead to that, even for experts in both systemd and Sailfish OS.

EDIT2: Plus, a focus in this area will probably improve things like the issues with non-working touch screens on boot, and delays or hangs after encryption unlock (seen since the release of the X10).
But it's complex; as we see, not even Jolla themselves can get it sorted sometimes.

3 Likes
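Following on from the boot-failure point in the post above, here is an added example that is neither the thread's nor Chum's own tooling: a small POSIX shell helper that scans a package's systemd unit file for the directives most worth reviewing before a third-party unit is enabled on a Sailfish OS device. The directive list and the sample unit are my assumptions for illustration, not a complete catalogue of boot-breaking combinations and not any real package's unit.

```shell
#!/bin/sh
# Added example, not from the thread or from Chum. Pre-install review helper:
# flags unit-file directives that escalate a failure into rescue/emergency
# mode, let a unit reboot the system, or tie it into early boot. The list is
# an assumption (a heuristic), not a proof that a unit will or won't boot.

# scan_unit FILE: print one finding per line; return 1 if anything was found
scan_unit() {
    unit="$1"
    found=0
    while IFS= read -r line; do
        case "$line" in
            OnFailure=*rescue.target*|OnFailure=*emergency.target*)
                echo "$unit: $line (failure is escalated into single-user mode)"; found=1 ;;
            FailureAction=*|SuccessAction=*)
                echo "$unit: $line (unit may reboot or power off the system)"; found=1 ;;
            DefaultDependencies=no)
                echo "$unit: $line (opts out of the implicit boot ordering)"; found=1 ;;
            Before=*sysinit.target*|WantedBy=*sysinit.target*|RequiredBy=*sysinit.target*)
                echo "$unit: $line (hooks into early boot, before basic.target)"; found=1 ;;
            RequiredBy=*)
                echo "$unit: $line (target gets Requires= on this unit; if it fails, so does the target)"; found=1 ;;
        esac
    done < "$unit"
    return $found
}

# count_findings FILE: number of findings, for scripting and tests
count_findings() {
    scan_unit "$1" | wc -l | tr -d ' '
}
# Constructed sample unit, loosely modelled on a hosts-file updater that an
# adblock package might ship; it is not any real package's unit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Unit]
Description=Constructed adblock hosts updater (sample for the scanner)
DefaultDependencies=no
Before=sysinit.target
OnFailure=rescue.target

[Service]
Type=oneshot
ExecStart=/usr/bin/true

[Install]
RequiredBy=sysinit.target
EOF
scan_unit "$sample" || echo "$(count_findings "$sample") finding(s): review before enabling"
rm -f "$sample"
```

Point it at the units an RPM ships (for example the `.service` paths listed by `rpm -qlp package.rpm`) before enabling any of them; a finding is a prompt to read the unit, not a verdict.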