[tor-talk] Mailpile SMTorP [ref: nexgen P2P email]

Jonathan Wilkes jancsika at yahoo.com
Sun May 24 02:07:18 UTC 2015 

On 05/22/2015 05:52 AM, Ben Tasker wrote:
> What procedure did you use to try and make the package? I'm running
> Mailpile and definitely don't have node set up.
>
> If you're building the dev version, one of it's requirement's is nose so
> perhaps there's a typo kicking about?
>
> On Fri, May 22, 2015 at 12:38 AM, Yuri <yuri at rawbw.com> wrote:
>
>> On 05/21/2015 15:47, Ruben Pollan wrote:
>>
>>> I find really funny when people rant about things without even looking on
>>> what
>>> they are talking about.
>>>
>>> Mailpile does not use node, it's written in python and all the javascript
>>> of it
>>> is for the browser. Up to now mailpile is in a beta status and is too
>>> soon to
>>> value if their distribution methods are trustworthy.
>>>
>> Please don't hurt yourself while falling from your chair laughing, because
>> I tried to make a package and it breaks:
>> --- js ---
>> bower install
>> env: node: No such file or directory
>> *** [js] Error code 127
>>
>> Did you just say *Mailpile does not use node* ?

 From the Mailpile Makefile:
debian-dev:
     sudo apt-get install python-imaging python-lxml python-jinja2 pep8 \
                          ruby-dev yui-compressor python-nose spambayes \
                          phantomjs python-pip python-mock npm
     if [ "$(shell cat /etc/debian_version)" = "jessie/sid"  ]; then\
         sudo apt-get install rubygems-integration;\
     else \
         sudo apt-get install rubygems; \
     fi
     sudo apt-get install python-pgpdump || pip install pgpdump
     sudo pip install 'selenium>=2.40.0'
     which lessc >/dev/null || sudo gem install therubyracer less
     which bower >/dev/null || sudo npm install -g bower
     which uglify >/dev/null || sudo npm install -g uglify
...

I'm not a security specialist, but it looks like if you don't already 
have bower
and uglify installed on your Debian system this will attempt to download
the unsigned packages using npm.

On Jessie:
aptitude search bower
returns nothing.

But
aptitude search uglify
p   node-uglify                     - JavaScript parser, 
mangler/compressor and
v   uglifyjs                        -

On both Jessie and Wheezy, Mailpile's Makefile will pull a node module 
from an
unsigned package manager even though that same package is available from
a Debian mirror (where the packages _are_ signed).

In any case, someone should make the relevant (and trivial) fix to the 
build script.
Plus address any other trivial problems that reveal an alarming lack of 
discipline
for software attempting to juggle both secure and insecure messaging in 
the same UI.

-Jonathan

>>
>>
>> Yuri
>> --
>> tor-talk mailing list - tor-talk at lists.torproject.org
>> To unsubscribe or change other settings go to
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
>
>

More information about the tor-talk mailing list