Permission request to redistribute FAH in Arch Linux

Posted: Thu Mar 19, 2020 9:54 pm
by alucryd
Hi guys,

I would like to request permission to redistribute your Linux binaries (from the Debian package) as a native Arch Linux package in our official repositories to make the client accessible to a broader audience in these trying times. Such permission was granted to Gentoo about 8 years ago (the forum won't let me link the post, apologies), I hope we can come to a similar agreement. You may already know that the Arch Linux team (45032) is very active, and I believe this would make it grow even more.

Our security team would also like to contact you about the use of rpath. Is there someone we can reach about this via email?

Thank you very much in advance.

Re: Permission request to redistribute FAH in Arch Linux

Posted: Thu Mar 19, 2020 10:17 pm
by Asgaroth
I think it is already in AUR here

Re: Permission request to redistribute FAH in Arch Linux

Posted: Thu Mar 19, 2020 10:20 pm
by alucryd
There are several packages in AUR indeed, but the AUR is for user packages, not official ones, hence doesn't have the same exposure. Note that these AUR packages are not binary redistributions of FAH binaries, merely scripts that do the heavy lifting of downloading and installing the official FAH Debian package on Arch Linux.

Re: Permission request to redistribute FAH in Arch Linux

Posted: Fri Mar 27, 2020 5:59 pm
by alucryd
Since this isn't getting much attention, could someone point me to an email address I could write to about this matter?

Re: Permission request to redistribute FAH in Arch Linux

Posted: Fri Mar 27, 2020 6:42 pm
by rafwiewiora
Hey! Seen it now, I'm going to raise it on the F@h call in 20 minutes.

Re: Permission request to redistribute FAH in Arch Linux

Posted: Tue Mar 31, 2020 7:59 am
by alucryd
Great, thank you! Looking forward to hearing from you.

Re: Permission request to redistribute FAH in Arch Linux

Posted: Wed Apr 15, 2020 10:46 am
by alucryd
@rafwiewiora Do you have any news regarding this?

Re: Permission request to redistribute FAH in Arch Linux

Posted: Sun Jul 05, 2020 4:17 am
by bruce
alucryd wrote: Note that these AUR packages are not binary redistributions of FAH binaries, merely scripts that do the heavy lifting of downloading and installing the official FAH Debian package on Arch Linux.
A script that installs from the official source satisfies the licensing requirement. A redistribution from another source potentially introduces new sources of malware that would need to be certified. Why do you believe it is important to redistribute binaries from a new server?

I'll PM you an email if you still need to talk to somebody official about it.

Re: Permission request to redistribute FAH in Arch Linux

Posted: Sun Jul 05, 2020 5:43 am
by JohnChodera
Goodness, I hadn't realized we didn't already attach an explicit license granting permission to distribute broadly. We'll get this fixed ASAP.

Thanks for bringing this to our attention!

~ John Chodera // MSKCC

Re: Permission request to redistribute FAH in Arch Linux

Posted: Sun Jul 05, 2020 9:14 pm
by JohnChodera
Still working on this---thanks for your patience!

~ John Chodera // MSKCC

Re: Permission request to redistribute FAH in Arch Linux

Posted: Sun Jul 05, 2020 10:26 pm
by foldy
If distribution of FAH from mirror servers gets enabled then FAH server also needs to provide binary checksums sha256/sha1/md5 to verify file integrity from mirror servers.

Re: Permission request to redistribute FAH in Arch Linux

Posted: Mon Jul 06, 2020 12:23 am
by bikeaddict
foldy wrote: If distribution of FAH from mirror servers gets enabled then FAH server also needs to provide binary checksums sha256/sha1/md5 to verify file integrity from mirror servers.
They should provide PGP signatures of the binaries like the Linux kernel or PGP signatures of the checksum files like Firefox. Anyone could post fake checksum files of modified binaries. Signatures can be verified with GPG after importing their key from a keyserver.

https://www.kernel.org/signature.html
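
The difference between a bare checksum file and a signed one, as an added example that is not part of the original thread and is not FAH or Arch Linux code. The file names (`SHA256SUMS`, `SHA256SUMS.asc`, `client.bin`), the publisher key and the function names are constructed for illustration, and the keyring is assumed to hold only a publisher key whose fingerprint was confirmed out of band.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). File names, the key and the sample
# binary are constructed. Run the demo by passing "demo" as the first argument.

# verify_release DIR FILE -> 0 ok, 1 checksum list not authentic, 2 hash mismatch.
# Assumes the GnuPG keyring holds only the publisher's key, whose fingerprint
# was confirmed out of band; gpg accepts a signature from any key it holds.
verify_release() (
  cd "$1" || exit 1
  # Authenticate the checksum list first: an unsigned list proves nothing.
  gpg --batch --quiet --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null || exit 1
  # Only now is the listed hash worth comparing against the download.
  awk -v f="$2" '$2 == f' SHA256SUMS | sha256sum -c --status || exit 2
)

# Publisher side (constructed): make a key, a binary, its hash, and sign the list.
make_signed_release() (
  : "${GNUPGHOME:?point GNUPGHOME at a throwaway directory}"
  cd "$1" || exit 1
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Constructed Publisher <pub@example.invalid>' \
      ed25519 sign never 2>/dev/null || exit 1
  printf 'official client build\n' > client.bin
  sha256sum client.bin > SHA256SUMS
  gpg --batch --yes --quiet --armor --detach-sign \
      --output SHA256SUMS.asc SHA256SUMS 2>/dev/null
)

# Mirror side (constructed): swap the binary and regenerate the checksum list,
# which needs no secret. The old signature no longer matches the new list.
tamper_mirror() (
  cd "$1" || exit 1
  printf 'modified client build\n' > client.bin
  sha256sum client.bin > SHA256SUMS
)

if [ "${1:-}" = demo ]; then
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; dir=$(mktemp -d)
  make_signed_release "$dir"
  verify_release "$dir" client.bin; echo "as published:            $?"
  tamper_mirror "$dir"
  (cd "$dir" && sha256sum -c --status SHA256SUMS); echo "checksum only, tampered: $?"
  verify_release "$dir" client.bin; echo "signed list, tampered:   $?"
fi
```

The checksum-only check still passes on the tampered mirror because the checksum list was regenerated along with the binary; only the signature over the list ties it back to the publisher.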

Re: Permission request to redistribute FAH in Arch Linux

Posted: Mon Jul 06, 2020 12:49 pm
by HaloJones
I don't really see what problem this solves. The binaries are easily available from the official provider and are small. Why do they need to be included in an OS download?

Re: Permission request to redistribute FAH in Arch Linux

Posted: Mon Jul 06, 2020 6:33 pm
by bruce
They most definitely should NOT be included in an OS download. In the past, unofficial versions have been used to borg clients with a pre-configured version sending credits to a pre-defined team or a pre-defined individual. We don't need folks trying to steal credits that belong elsewhere.

Having mirror servers might solve a congestion problem at the official site if we had one, but I've never seen a report of anybody having trouble getting the official copies from the official site.