Indeed, it’s the issue here:
In the meanwhile you can use the worm-git package.
1 Like
Yep that worked just fine. 
1 Like
@codic12
i got 100% success with worm. thanks a lot. still need to put the helpers in place. right now i dont have a way to exit. so got to F2 login and reboot. 
will post the screenshot once i got everything working.
1 Like
You can bind something to pkill worm, which will exit the session.
1 Like
I’ve just started proper work on it, now that v0.1 is released. Thread: Community Edition - worm
btw, @manuel, would it be possible to review the tagged pkgbuild created by moson so that it can be added to repos for community edition? 
1 Like
Tldr
Is there a link to the pkgbuild? Are there any specifics to review?
Could do that probably tomorrow.
https://aur.archlinux.org/packages/worm/ this AUR package. nothing specific, just to make sure it’s safe to include in the repositories so that that can be done.
1 Like
I’m right handed so i like em on the right! Left is just odd! 
1 Like
feeling very sorry to kill a worm. i am vegan here. jk
learning new things from you @codic12
1 Like
Seems the sha sum changed again. 
I’ve pushed 0.1.0-3
@codic12 Better create a new version, (e.g. 0.1.1) after any changes. Otherwise the package will break since the sums won’t match (and I won’t notice). With a new release/tag I get notifications from github and can take action…
3 Likes
PKGBUILD looks OK to me.
The only theoretical doubt is the nim makedepend, it is regadred as High risk for security:
$ arch-audit
nim is affected by multiple issues. High risk!
But I guess I can live with it. 
So, just tell me when this is needed in our repo.
I’ll create a new version next time, but I didn’t upload anything new to v0.1 branch. not sure why this happened
1 Like
Seems to be these two bugs:
In Nim, the uri.parseUri function which may be used to validate URIs accepts null bytes in the input URI. This behavior could be used to bypass URI validation. For example: parseUri(“http://localhost\0hello”).hostname is set to “localhost\0hello”. Additionally, httpclient.getContent accepts null bytes in the input URL and ignores any data after the first null byte. Example: getContent(“http://localhost\0hello”) makes a request to localhost:80. An attacker can use a null bytes to bypass the check and mount a server-side request forgery (SSRF) attack.
A vulnerability in all versions of Nim-lang allows unauthenticated attackers to write files to arbitrary directories via a crafted zip file with dot-slash characters included in the name of the crafted file. (from libzip)
Worm doesn’t use either, so it’s fine 
2 Likes
So is worm now ready to be added to our repo?
1 Like
Is the AUR package ok? I’m getting validation errors, even after refreshing mirrors and lowering the -a value for synchronization age. The SHA sum might not have propagated?
Here’s output from paru:
:: Downloading PKGBUILDs...
PKGBUILDs up to date
nothing new to review
fetching devel info...
==> Making package: worm 0.1.0-2 (Tue 14 Dec 2021 09:52:00 AM PST)
==> Retrieving sources...
-> Found worm-0.1.0.tar.gz
==> Validating source files with sha512sums...
worm-0.1.0.tar.gz ... FAILED
==> ERROR: One or more files did not pass the validity check!
error: failed to download sources for 'worm-0.1.0-2':
error: packages failed to build: worm-0.1.0-2
ah, forgot .SRCINFO…
Try now
1 Like
Ok, that was speedy @moson! And the mirror I hit had the update already. Got worm installed, no validation errors of the package. I’ll check this out later when I have some free time.
Looking forward to future AUR updates. Thank @codic12 everyone!
2 Likes
Because there is no mirror