alpinelinux / aports-turbo Goto Github PK

The search is case-sensitive, it would be more intuitive if the search would be case-insensitive.
As package names are always lower-case there should not be any problems.

It is possible that two maintainers might have the same name if it is a common one. So we should use email addresses instead.

Flagging stable packages makes no sense as we never upgrade versions in stable except for bugs and security issues. We should instead change the flag button to a report button and redirect to bugs.alpinelinux.org.

In the flagged section when there are limited results the tooltip applied to the message icon will be hidden behind the parent div which has overflow-x:auto set. We need overflow-x to make the table kind of usable on smaller screens.
One solution would be to make the parent div min-height set to 100% to allow the tooltip to use the extra space below the table, but this does not work.
A solution without the use of JavaScript would be preferred.

As apk-tools will probably never have this feature, maybe it would be a nice addition to add them to its own table in our db.

Hey,
it would be very awesome if you could add an OpenSearch description file. That way the user cann add the package search to the browser and simply use the browser to search dircetly thru the package database.

I addded you an untested version of the correct xml and header tag.

<link rel="search" type="application/opensearchdescription+xml" href="opensearch.xml" title="Alpine Linux Package Database"/>

<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://mozilla.org/2006/browser/search">
    <ShortName>Alpine Linux Package Database</ShortName>
    <Description>Search for Alpine Linux packages (apk)</Description>
    <Tags>linux alpine packages apk</Tags>
    <Contact>[email protected]</Contact>
    <Url type="text/html" method="GET" template="https://pkgs.alpinelinux.org/packages">
    <Param name="name" value="{searchTerms}"/>
    <Param name="repo" value="all"/>
    <Param name="arch" value="x86_64"/>
    <Param name="maintainer" value="all"/>
    </Url>
    <LongName>Alpine: Search packages</LongName>
    <Image height="16" width="16" type="image/png">https://alpinelinux.org/favicon.ico</Image>
    <InputEncoding>UTF-8</InputEncoding>
</OpenSearchDescription>

Thanks and greetings
Leo

They are hidden even when I want to select the text from the message popup itself.

(Tested in Chrome 49 on Windows 7 x64)

This should make it easier to find contents when a package exists in multiple repositories.

It would be nice to have autolinking URLs in message popups, so we could simply click such link. Bells and whistles kind of thing, I guess, but would be useful for people browsing /flagged that are not maintainers (as maintainers get messages in their mailboxes).

Remember to use rel="nofollow" in a tag if ever implementing that.

the contents and packages related templates are primarily using the triple braced interpolation which does no html escaping, when typically they should be using the double braced interpolation that atuomatically performs escaping.

quotes and html characters in values from form inputs or package metadata can wreck the output. An example of this already exists without any maliscious input, the maintainer select options has a piece templated out like:

<option  value="Steffen Lange">Steffen Lange</option>
<option  value="Stuart Cardall">Stuart Cardall</option>
<option selected value="Stuart Cardall <[email protected]> Cameron Banta">Stuart Cardall <developer...</option>
<option  value="Sören Tempel">Sören Tempel</option>
<option  value="Ted Trask">Ted Trask</option>

notice that the < and > characters aren't being transformed into > and < where appropriate - a quote would not either, as seen if we put a value with a quote in the packages form (here I've inserted the alpine logo into the middle of the page by crafting the query):

https://pkgs.alpinelinux.org/packages?name=%22%3E%3Cimg+src%3D%22https%3A%2F%2Fpkgs.alpinelinux.org%2Fassets%2Falpinelinux-logo.svg%22%3E&repo=all&arch=x86_64&maintainer=all

luckily modern browsers are good at detecting reflected XSS, so its not easy to use this to execute arbitrary javascript. But a browser wouldn't be able to detect scripts that come from maliscious package information. If i was able to sneak in an evil package author, description or url into the apk indexes these pages would display it.

i would imagine you actually want to use the double braces in your templates for everything except your header and footer includes.

PS I know nothing about lustache other than what i read in the variables section o fthe readme: https://github.com/Olivine-Labs/lustache#variables

Currently with any version of Alpine-Linux from the Dockerhub repositories attempting to install any package with py-cffi as a dependency will return not found as it is looking for py-cffi-1.3.0 whereas it appears that on alpine-linux apk package repo it is currently version 1.4.2

https://pkgs.alpinelinux.org/package/community/x86_64/py-cffi

Is there an HTTP API available to get a list of all packages?