Thank you for taking care of this; I plan to package a new upstream version when I can, but the need to package new dependencies makes this non-trivial and due to personal circumstances I have not yet had the opportunity to handle this.
On Tue, 7 May 2019 at 04:30, Sam Hartman <hartm...@debian.org> wrote: > > Dear maintainer. > I made the following 0-day NMU of electrum. > I suspect that once you update to a new version you will not wish to > include these changes, but in the interest of awareness of your package > I wanted to make sure you were aware. > > diff --git a/debian/changelog b/debian/changelog > index 4aaaaff..c30a279 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,12 @@ > +electrum (3.2.3-1.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * On startup print a warning that this version in insecure and then > + exit, Closes: #928518 > + > + > + -- Sam Hartman <hartm...@debian.org> Mon, 06 May 2019 22:11:19 -0400 > + > electrum (3.2.3-1) unstable; urgency=medium > > * New upstream release. > diff --git a/debian/patches/replace-with-security-warning.patch > b/debian/patches/replace-with-security-warning.patch > new file mode 100644 > index 0000000..e8f409e > --- /dev/null > +++ b/debian/patches/replace-with-security-warning.patch > @@ -0,0 +1,60 @@ > +From: Sam Hartman <hartm...@debian.org> > +Date: Mon, 6 May 2019 22:10:51 -0400 > +X-Dgit-Generated: 3.2.3-1.1 3afceceac2d1042645e470189c13edb4f965e7a9 > +Subject: Replace with security warning > + > +On startup print to GUI and stdio a security warning and then exit. > + > +--- > + > +--- electrum-3.2.3.orig/electrum/electrum > ++++ electrum-3.2.3/electrum/electrum > +@@ -1,4 +1,4 @@ > +-#!/usr/bin/env python3 > ++#!/usr/bin/python3 > + # -*- mode: python -*- > + # > + # Electrum - lightweight Bitcoin client > +@@ -30,13 +30,42 @@ script_dir = os.path.dirname(os.path.rea > + is_bundle = getattr(sys, 'frozen', False) > + is_local = not is_bundle and os.path.exists(os.path.join(script_dir, > "electrum.desktop")) > + is_android = 'ANDROID_DATA' in os.environ > ++try: > ++ import PyQt5 > ++except Exception: > ++ sys.exit("Error: Could not import PyQt5 on Linux systems, you may > try 'sudo apt-get install python3-pyqt5'") > + > ++from PyQt5.QtGui import * > ++from PyQt5.QtWidgets import * > ++from PyQt5.QtCore import * > ++import PyQt5.QtCore as QtCore > + # move this back to gui/kivy/__init.py once plugins are moved > + os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__)) > + '/electrum/gui/kivy/data/' > + > + if is_local or is_android: > + sys.path.insert(0, os.path.join(script_dir, 'packages')) > + > ++security_message = ''' \ > ++This version of Electrum is vulnerable to malicious code inserted by > ++attackers and is being actively exploited to try and convince users to > ++give their private credentials to attackers. See > ++https://bugs.debian.org/921688 for details. Until the version in > ++Debian is updated, please see https://electrum.org/download.html > ++''' > ++sys.stderr.write(security_message) > ++ > ++ > ++from electrum.gui.qt.util import MessageBoxMixin > ++class Window(QMainWindow, MessageBoxMixin): > ++ > ++ def __init__(self, *args, **kwargs): > ++ super().__init__(*args, **kwargs) > ++ self.show_warning(msg = security_message, title = "THIS > APPLICATION is INSECURE") > ++ > ++ > ++app = QApplication(["electrum", "gui"]) > ++window = Window() > ++sys.exit(2) > + > + def check_imports(): > + # pure-python dependencies need to be imported here for pyinstaller > diff --git a/debian/patches/series b/debian/patches/series > new file mode 100644 > index 0000000..8ffe66a > --- /dev/null > +++ b/debian/patches/series > @@ -0,0 +1 @@ > +replace-with-security-warning.patch > diff --git a/electrum/electrum b/electrum/electrum > index dd35c35..8c5ef37 100755 > --- a/electrum/electrum > +++ b/electrum/electrum > @@ -1,4 +1,4 @@ > -#!/usr/bin/env python3 > +#!/usr/bin/python3 > # -*- mode: python -*- > # > # Electrum - lightweight Bitcoin client > @@ -30,13 +30,42 @@ script_dir = > os.path.dirname(os.path.realpath(__file__)) > is_bundle = getattr(sys, 'frozen', False) > is_local = not is_bundle and os.path.exists(os.path.join(script_dir, > "electrum.desktop")) > is_android = 'ANDROID_DATA' in os.environ > - > +try: > + import PyQt5 > +except Exception: > + sys.exit("Error: Could not import PyQt5 on Linux systems, you may try > 'sudo apt-get install python3-pyqt5'") > + > +from PyQt5.QtGui import * > +from PyQt5.QtWidgets import * > +from PyQt5.QtCore import * > +import PyQt5.QtCore as QtCore > # move this back to gui/kivy/__init.py once plugins are moved > os.environ['KIVY_DATA_DIR'] = os.path.abspath(os.path.dirname(__file__)) > + '/electrum/gui/kivy/data/' > > if is_local or is_android: > sys.path.insert(0, os.path.join(script_dir, 'packages')) > > +security_message = ''' \ > +This version of Electrum is vulnerable to malicious code inserted by > +attackers and is being actively exploited to try and convince users to > +give their private credentials to attackers. See > +https://bugs.debian.org/921688 for details. Until the version in > +Debian is updated, please see https://electrum.org/download.html > +''' > +sys.stderr.write(security_message) > + > + > +from electrum.gui.qt.util import MessageBoxMixin > +class Window(QMainWindow, MessageBoxMixin): > + > + def __init__(self, *args, **kwargs): > + super().__init__(*args, **kwargs) > + self.show_warning(msg = security_message, title = "THIS > APPLICATION is INSECURE") > + > + > +app = QApplication(["electrum", "gui"]) > +window = Window() > +sys.exit(2) > > def check_imports(): > # pure-python dependencies need to be imported here for pyinstaller > -- mithrandi, i Ainil en-Balandor, a faer Ambar