SCIENTIFIC-LINUX-USERS Archives

May 2020

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject: (none)
From: Nico Kadel-Garcia <[log in to unmask]>
Reply To: Nico Kadel-Garcia <[log in to unmask]>
Date: Mon, 18 May 2020 19:35:15 -0400
On Mon, May 18, 2020 at 7:15 PM Yasha Karant <[log in to unmask]> wrote:
>
> On 5/18/20 4:54 AM, Nico Kadel-Garcia wrote:
> > On Mon, May 18, 2020 at 2:13 AM Akemi Yagi <[log in to unmask]> wrote:
> >> On Sun, May 17, 2020 at 8:18 PM Yasha Karant <[log in to unmask]> wrote:
> >>> I have found gscan2pdf on the NUX repo, but installing this repo
> >>> evidently will add and replace many utilities, etc., that may not be
> >>> wise.  gscan2pdf runs fine on Ubuntu 18 LTS as I just put in on my
> >>> wife's 2-in-1 that does not have tablet write-on support under SL 7 as
> >>> far as I can determine.  Is there any SL 7.8 compatible gscan2pdf that
> >>> works?
> >>>
> >>> Take care.  Stay safe.
> >>>
> >>> Yasha Karant
> >> I've been using gscan2pdf from the nux-dextop repository without any
> >> issue. Also, this repository, together with EPEL, should not overwrite
> >> any base package.
> >>
> >> Akemi
> > I'm personally reluctant to trust third party RPM repositories from
> > Romania, they have a very active and abusive cracker community. But the
> > SRPM from
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__li.nux.ro_download_nux_dextop_el7_SRPMS_gscan2pdf-2D1.2.5-2D2.el7.nux.src.rpm&d=DwIBaQ&c=B_W-eXUX249zycySS1AyzjABMeYirU1wvo9-GmMObjY&r=Z7xHp2tIJsvAE2FtPxl_lynvf4hA_FJ8mKsaIgvY6Dk&m=knBIe0JxmSUI-af995EwuorG9qw79W1SDujA9o1-DW4&s=KAdL127uDliK692ZlpFMVwEGC9HREwkQ80agoYvObHc&e=
> > looks clean and builds well.

> Niko.

Agggh!!!! It's Nico! "Niko" is the name of a very friendly malamute on
Youtube who plays with a baby a lot. "Nico" is the Cuban shortening of
"Ignacio".

> If you are building from a src RPM, unless you read the source code or
> have a very good automaton code scanner (as done by some of the
> clandestine and other security agencies),

Binary RPMs from people I don't know or have strong confidence in
their history, such as Scientific Linux, should be treated
skeptically. You can hide a *lot* more nonsense in them by compiling
from source other than the SRPM. I've seen developers do this when
they didn't want to reveal their secrets, they used "nosrc" RPM
building techniques or built the SRPM from different source than
their RPMs. For Romanian hosts.... they have an active cracker
community there that has a fairly bad reputation.

> no "malware" embedded in the source? For example, a "clean" source may

I don't without a review. Sourceforge is pretty good about exposing
code and building tarballs from *that*, so hosting on Sourceforge gets
them a few brownie points. I didn't have time yet, nor was I planning
on spending time, to review this source tarball.

> If you have built the RPM and are reasonably confident that it is
> "clean", could you kindly post or supply the exact build script that you
> used, including any other RPMs that are required but that come from
> trusted repos?

I publish dozens of RPM building wrappers, such as the Makefile and
.gitignore associated with https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_nkadel_nkadel-2Dgit226-2Dsrpm&d=DwIFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=gd8BzeSQcySVxr0gDWSEbN-P-pgDXkdyCtaMqdCgPPdW1cyL5RIpaIYrCn8C5x2A&m=Hiw5XLVZkcBPm98Gp1evBAsvE2ZYq1gfqUQaz81_1jA&s=2byDHtV24HrvsWgrO6szuyaoGXpHeWRdU3oaOlobcKg&e=.
Do feel free to play with those, I use the same structure for many
other git repos to build RPMs and SRPMs.

> I generally trust SL (and EPEL, ElRepo, Oracle, Canonical, Mozilla,
> Libreoffice, etc.), but I get worried about repos and sources from
> nation-states or entities with large scale compromise organizations
> (e.g., professional "organized criminal" enterprises or clandestine
> services "backdoors").

Well, yes. It's why I disagree with a former colleague who gushed
about how easy it was in his Ubuntu environments to just add apt
repositories from anywhere, and proceeded to do so.
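The check the thread keeps circling (does the tarball inside a third-party SRPM actually match the upstream release the spec claims to build?) can be scripted. The following is an added example, not code from the list, from the nux-dextop repository or from Nico's RPM wrappers; the spec fragment is constructed and is not the real gscan2pdf spec, and the upstream SHA-256 is assumed to be obtained separately from the upstream project's release page.

```python
import hashlib
import re

# Constructed spec fragment (assumption: not the real gscan2pdf or nux spec);
# these are the tags a reviewer inspects to see which upstream source is claimed.
SAMPLE_SPEC = """\
Name:           gscan2pdf
Version:        1.2.5
Release:        2%{?dist}
Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz
"""

MACRO_RE = re.compile(r"%\{(\??)([A-Za-z_]\w*)\}")

def parse_spec(spec_text):
    """Collect the 'Tag: value' header lines of a spec (Name, Version, Source0...)."""
    tags = {}
    for line in spec_text.splitlines():
        m = re.match(r"^([A-Za-z]\w*):\s*(.+?)\s*$", line)
        if m:
            tags[m.group(1)] = m.group(2)
    return tags

def expand_macros(value, tags):
    """Expand %{name}-style macros from the spec's own tags (lower-cased);
    an optional macro such as %{?dist} expands to '' when undefined."""
    table = {k.lower(): v for k, v in tags.items()}

    def repl(m):
        optional, name = m.group(1), m.group(2)
        if name in table:
            return table[name]
        if optional:
            return ""
        raise KeyError("undefined macro: " + name)

    return MACRO_RE.sub(repl, value)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def source_matches_upstream(spec_text, tarball_bytes, upstream_sha256):
    """Return (expected upstream filename, bool); True only when the tarball
    shipped inside the SRPM hashes to the digest published upstream."""
    tags = parse_spec(spec_text)
    url = expand_macros(tags["Source0"], tags)
    expected_name = url.rsplit("/", 1)[-1]
    return expected_name, sha256_hex(tarball_bytes) == upstream_sha256.lower()
```

In practice the tarball bytes come from `rpm2cpio` on the SRPM and the digest from the upstream release; a mismatch means the SRPM was built from something other than the tarball its spec names, which is exactly the substitution described above.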
