Currently package archives are updated every five minutes. This is quite slow, and can lead to fair amount of delay for when things like a packages version are seen as updatable by programs like Tap. Considering the size of the MPR, we should be able to comfortably decrease that time to something like a minute or maybe even 30 seconds.

Introduction

PKGBUILD specifications (understandably) require maintainers to add an email address so that they can be reached in case of issues.

Unfortunately, this means that spam bots can find the email addresses and add them to their lists. Once an address has been added to one of these lists, it's unlikely it will ever stop getting spam.

What probably won't work

Replacing @ with at, and other methods of obfuscation. Bots are already prepared to deal with these methods.

Proposals

Proposal 1 - Proxy addresses

This would be a simple way of protecting the maintainer's email address while ensuring the maintainer can still be contacted.

This would involve adding the necessary capabilities to MPR to allow maintainers the use of an email proxy service, provided by the MPR itself. Maintainers could then change the target email address in their profile and would change when packages change hands.

It could look like [email protected]

Proposal 2 - MPR provides an email address

MPR could provide email addresses to maintainers with just enough space to receive emails concerning their maintained software.

This could be automated so that creating an account in the MPR automatically sets up an account for you accessible using Rouncube/whatever it is popular these days.

Proposal 3 - No email address required

The simplest of all. Removing the requirement of adding your email address to the body of the PKGBUILD file and instead provide a "Contact" link on MPR which directs users to a form for people to report issues/problems.

A variation of this proposal could be changing the requirement from "Email address must be public" to "A form of contact must be provided" and allow users to request contact via Matrix or other platforms. This solution is not as neat and tidy as the others.

Copied from https://github.com/makedeb/mprweb-historic/issues/3

I'm aware that some of the devs are already aware of this issue, but I didn't see it marked down so I'm taking the opportunity to. There's a bug among some MPR packages that make them incapable of being marked out of date, one of which being Android Studio. If extra information is required, I'll try my best to provide it.

All MPR pages under https://mpr.makedeb.org/cgit/ link to the wrong favicon, causing it to not work.

Steps to reproduce:

1. Log in to mprweb
2. Go to account settings
3. Check "Hide Email Address" and enter password where required
4. Click button to save, and be met with ISE

Not sure what's going on here, but I'll be happy to provide information where I can.

I have created an mpr key as and set up the config as follows

Host mpr.makedeb.org
  IdentityFile ~/.ssh/mpr
  User mpr

I have added the mpr.pub in the configuration, but I still can't connect via ssh. What else could be wrong?

Remove the debug info from prod

➜  bitwise-git git:(master) git push
Enumerating objects: 3, done.
Counting objects: 100% (3/3), done.
Delta compression using up to 2 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (2/2), 217 bytes | 217.00 KiB/s, done.
Total 2 (delta 1), reused 0 (delta 0), pack-reused 0
remote: warning: .SRCINFO unchanged. The package database will not be updated!
remote: 10:38:07 DEBUG | aurweb.db: DBName(mprweb): mprweb
To ssh://mpr.hunterwittenborn.com/bitwise-git.git
   d2b7e7a..4371669  master -> master
➜  bitwise-git git:(master) 

Attempting to run git clone 'https://mpr.hunterwittenborn.com/tap' or anything similar results in a 502 error from Git. The same result happens regardless if the .git suffix is at the end of the URL or not.

@gamer4life1 reported that the SSH interface for Git is working just fine in the support rooms, so it appears to be an issue with the string used to check for Git URLs (more testing is revealing an issue with possibly the git or smartgit container).

Cgit is quite limited in how we can customize it, so we should replace Cgit with a custom Git interface in the web UI.

The MPR used to be hosted at https://mpr.hunterwittenborn.com, so we should point that URL to the MPR server.

The web interface already redirects correctly, but we do that redirect from the homeserver instead of the MPR server itself, so SSH still doesn't connect properly.

The sources URLs and the git clone URLs overlap on package pages, like on https://mpr.makedeb.org/packages/electronmail-bin

Steps to reproduce:

1. Open https://mpr.hunterwittenborn.com/login?next=/
2. Enter Credentials
3. Encounter a 500 internal server error

The only error mentioned is that it's "Unable to generate a unique session ID in 36 iterations."

one reminder per day should be more than enough

When pressing to ssh git clone url it does try to open it instead of copying it to the clipboard as it should.

We'd like to start adding authenticated calls to the API interface, so we should start by adding a way to create and manage API keys.

Currently, self-deleted comments are treated like TU deleted comments, in which they aren't actually deleted from the mprweb server, but merely hidden to everyone but the TU and the original poster (with the ability to be unhidden). This is somewhat problematic from a privacy perspective, so an option to truly delete self-deleted comments would be appreciated.

Exactly as the title says, the mprweb GitHub repository currently has no issue forms.

Looking at the implementation I just added, I realized that we aren't hashing API keys, when we should to protect against incidents such as security breaches.

Clone URL is reported as localhost, example at https://mpr.makedeb.org/cgit/aur.git/?h=librewolf-bin

currently

before the mprweb Python update at least the authors did work

When we go to, https://mpr.makedeb.org/packages and start scrolling till the page ends then we have to go back up to go to the next page in the list.
Add page number list at the bottom as well

This is a feature used in pacman packages, and doesn't translate to dpkg or APT.

Copied from https://gitlab.archlinux.org/archlinux/aurweb/-/issues/179

I recently discovered that the GitHub API has an endpoint to get some metadata about their servers among other info.

It would be cool if the aurweb RPC interface had a feature like such as well, which could list things such as the instance's SSH fingerprints and the statistics for the server (which are seen on the homepage in the bottom right):

curl 'https://aur.archlinux.org/rpc/?type=meta'

{
  "ssh_fingerprints": {
    "ed25519": "SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4",
    "ecdsa": "SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI",
    "rsa": "SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8"
  },
  "statistics": {
    "packages": 73084,
    "orphan_packages": 8679,
    "packages_added_past_7_days": 237,
    "packages_updated_past_7_days": 1568,
    "packages_updated_past_year": 25152,
    "packages_never_updated": 18336,
    "registered_users": 89307,
    "trusted_users": 59
  }
}

The cron scripts for automatic out of date notifications currently isn't working. Furthermore, it doesn't look like some of the out-of-date database fields for packages are being cleared when a package is updated.

Links for the old Cgit UI could be active across the web, so we should add some NGINX redirects to handle the new locations of the PKGBUILDs.

in earleir ui we had an option to select multiple packages and do some operation like give vote or retract vote or disown and such operations. request to implement it in this ui as well.

If the MPR ever scales, it'll be important to have a proper, and more importantly, secure way to disclose vulnerabilities.

• Set up an email for disclosing vulnerabilities
• Publicly share a GPG key for encrypting disclosure

It would be nice to have a button that could bring up a window that showed instructions for installing packages with various MPR helpers.

Endpoints like /packages-meta-ext-v1.json.gz and /users.gz currently aren't returning any data.

Repology is a fantastic source of information on package versions. We should add support to automatically mark packages as out of date when Repology tells us the MPR version of a package is out of date.

This should also be an opt-in feature though, since Repology could get things mixed up with common package names.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update all dependencies (Authlib, Hypercorn, Jinja2, Markdown, SQLAlchemy, Werkzeug, actions/checkout, aiofiles, aiohttp, alembic, asgiref, autoflake, bcrypt, beautifulsoup4, black, bleach, coverage, email-validator, fakeredis, fastapi, feedgen, filelock, flake8, gunicorn, highlight.js, httpx, isort, itsdangerous, lxml, makedeb-srcinfo, mysqlclient, orjson, posix-ipc, prometheus-fastapi-instrumentator, protobuf, pygit2, pytest, pytest-asyncio, pytest-cov, pytest-tap, pytest-xdist, python-multipart, redis, requests, sentry-sdk, uvicorn)

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

the current search criteria box takes up a lot of space. make it hidden by default and tagglable to show it or something similar.

It'd be nice if there was a way to force all commits for a package to be signed by the package's maintainer. This could be nice so that maintainer's can add an extra layer of security that others won't be able to push to their package's repositories.

We should add support to receive things like notifications on Matrix

The makedeb homepage is using a certain style that I'd like to start using across the MPR and docs so that end users have a more cohesive experience.

We're probably gonna completely redesign the layout of the homepage too while we're at it, as well as make the site mobile-friendly.

Routes to finish:

• Header
• Footer
• /
• /account/{username}
• /account/{username}/comments
• /account/{username}/edit
• /accounts
• /addvote
• /login
• /packages
• /packages/{name}
• /passreset
• /pkgbase/{name}
• /pkgbase/{name}/comaintainers
• /pkgbase/{name}/comments/{id}/edit
• /pkgbase/{name}/comments/{id}/form ^{(Removed, as no longer needed)}
• /pkgbase/{name}/delete
• /pkgbase/{name}/disown
• /pkgbase/{name}/flag
• /pkgbase/{name}/flag-comment
• /pkgbase/{name}/merge
• /pkgbase/{name}/request
• /pkgbase/{name}/voters
• /raisefivethree
• /register
• /requests
• /requests/{id}/close
• /tos
• /tu
• /tu/{proposal}
• /rpc - Documentation for the RPC interface
• 404
• cgit interface ^{Going to deprecate in favor of a custom interface}

New routes:

• /about - Instance information, such as SSH keys, number of packages, and other stats
• /pkgstats - Instance containing information such as out of date packages and the list of the user's packages
• /pkgbase/{name}/git - Git information about packages

Post-port steps (to do after routes are finished, but before merging):

• Fix unit tests
• Remove uneeded templates ^{Will do later}
• Move all templates back to {% block %} system. ^{Will do later}

Image of the error:

How to reproduce

• select some package
• issue an orphan request
• go into requests as TU
• close / reject orphan request
• go back to the package and press disown package
• press disown
• get error as shown above

Expected behaviour would be that disowning a package should always work regarding of any pending or rejected orphan requests.

We talked in Matrix about adding a button when logged in and viewing your package, that triggers the Talus API (preferably authenticated). This API automatically adds a package to @PrebuiltMPR's build system (via /add endpoint) and pushes it to its repo. It also will have an endpoint that returns the ci badge, so that it can be displayed.
This will act as a CI for packages as well as being an auto-build system. It can help maintainers by quickly informing them (runs every 24h) whether their packages have broken.

Thanks,
Leo

The mprweb allows users to enter passwords longer than 72 bytes, but truncates it to 72 bytes. This is a limit of bcrypt, but there is no pre-hashing or notice given to resolve this.

i mean these seperate sections.

As of current, there aren't any icons displayed for the latest or popular packages on the homepage. They were there previously before the UI port, so we should add them back.

The RSS icons on the MPR homepage are still colored blue when they should be orange:

Sometimes mprweb and the MPR as a whole goes down with no sanity checks besides checking the Matrix rooms, and a status page could go a long way in alleviating that.

mprweb could tally the cloning of any given package, giving users and package maintainers a much more realistic at-a-glance number to determine package popularity than the current option.

In the package list a button should be there to easily sort all items and toggle as well, like ascending descending, high votes low votes, maintainer name, alphabetical sort . Additional functionality to the search criteria dialogue box.