Page 2 of 3 FirstFirst 123 LastLast
Results 21 to 40 of 46
  1. #21  
    Don't get me wrong. Craig is reporting real bugs and problems, there is no question about that. And his bug reports are usually of high quality. He does great work and contributes lots and lots of time and energy to the community. We have chosen to point http://install.preware.org to an article that he has written.

    It's the additional inflammatory commentary after the bug reports which is unnecessary in my opinion. I know that the intention is not to inflame things - I'm simply reporting the effect of such comments based on my observation of the interactions and responses.

    Trying to push developers who are volunteering their time and effort with remarks like those I quoted above will have the opposite of the desired effect.

    -- Rod
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
  2. #22  
    I'm in agreement that his bug reports are pretty good. They aren't as reduced down to simplified testcases as I'd like, but since he's seeing combined problems they are fine. I mentioned the format simply because it's the best way to convey information to developers. In practice, I like to have face to face conversations and debug together. That's hard to do on a forum.
    I'm both super! ... and a doer!
  3. #23  
    I just want to add a little something here. I won't be long.
    As you guys might know, I don't get involved with all the Preware, tweaks, patches and so on.
    But:
    I used to design and build websites for people and for businesses (i.e. - car dealerships, restaurants etc.).
    I found that my customers always seemed to push, push, push for this and that and it really got very annoying.
    But as annoying as it was to hear complaints (most of the time, petty), I still wanted to hear them.
    This was because I wanted to know every little detail of what they thought of my work. I took great pride in my creations and I just had to know what everybody's opinion was.
    But I had to stop because it was impossible to make everybody happy, especially when there were several ppl in charge of a business. (It's a good thing this was just something i did on the side)
    Moral of my story is:
    I know that people like RWhitby, Jason and other faceless, nameless people work 24hrs a day to do things for us and we just keep taking and taking and taking, while expecting more and more and more.
    That being said; I think they should want to know everything about our experience and/or problems we have with their product. Actually, I shouldn't even say "product", because we don't pay them for it. (Donations don't count, because that's done voluntarily)
    ---
    @Craig (milominderbinder)(how'd you come up with that username btw? )
    You're also one of those people that work very hard to help us. To keep a forum of this magnitude under control is truly a big deal.
    ---
    We're all in this together, albeit on different levels. It's only to help complete strangers, people we will never meet, or even know if they walked right in front of us.
    Last edited by dbdoinit; 01/23/2010 at 07:47 PM.
  4. #24  
    I will just say this:

    WebOS, in it's current state of development, is not meant to be capable of having themes. We, as open source developers, have found ways to make it "themeable". However, there was never a collaboration of a set of governing rules for creating themes. The closest we got to this was AnOutsider's work at prethemer.com. I remember him calling for a meeting amongst all the interested parties to create a set of rules. This meeting never came about. So what ended up happening was everyone did their own thing without regard for each other. AnOutsider did a very good job of trying to stay safe. In fact, I know he incorporated APT into his themes. Also, I know Jason uses APT for his Theme Creator. Therefor, the two major theme individuals use the current APT. So they both were the closest we got to a common set of rules.

    It is for this reason that all major parties in the Theme and Patch areas have decided to get together to improve Themes. It is the goal of this joining of forces to bring themes underneath AUPT (Auto Update Patch Technology). This will hopefully eliminate all the problems you have stated above, except the ones of user error for "backswiping" during install. Well, even that one should be able to be uninstalled with AUPT. EPR 2.0 is coming too, which will also fix a lot of issues.

    Themes and patches have never played well with each other. Hopefully once themes are brought into AUPT, this will no longer be the case.
    dBsooner
    WebOS-Internals Member and Developer
    Donations Appreciated!

    Keep up to date with webOS-Patches via Twitter: @dBsooner

    Browse Patches @ WebOS-Patches Web Portal - (Trac)
    Submit New Patches @ WebOS-Patches Web Portal
    Submit Updated Patches @ WebOS-Patches Web Portal
  5. #25  
    Thanks dBsooner,
    I learned early on not to even bother with themes. The patch and homebrew work has been indispensable for me (and all of us). It's really great that you all are still working out ways to improve things. If you want any testing help, please feel free to PM me and I'll give you my email. -- Bob
    I'm both super! ... and a doer!
  6.    #26  
    Guys,

    I do not mean to be inflamatory.

    The abillity to embed a malicious patch in a theme created a security breach. The clock has been ticking for months.

    I am also concerned that Preware is not able to offer a required Luna Restart.

    Both are important. One is urgent.

    - Craig
  7. #27  
    Quote Originally Posted by milominderbinder View Post
    The abillity to embed a malicious patch in a theme created a security breach. The clock has been ticking for months.
    Agreed. Please report this to the submission sites (PreCentral.net and PreThemer.com) that accept patches as part of the theme feeds so that they can stop this vulnerability at the source (since there are many more ways to install themes than just Preware, so Preware is not the place to fix this).

    I am also concerned that Preware is not able to offer a required Luna Restart.
    Eric has already answered this above. Repeating it again and again and again will not change the plans. It will be done when AUPT is released.

    -- Rod
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
  8. #28  
    Quote Originally Posted by milominderbinder View Post
    Guys,

    I do not mean to be inflamatory.

    The abillity to embed a malicious patch in a theme created a security breach. The clock has been ticking for months.

    I am also concerned that Preware is not able to offer a required Luna Restart.

    Both are important. One is urgent.

    - Craig
    Preware CAN offer a Luna restart. We chose to omit that temporarily because we wanted to allow users to install multiple patches without having to restart between each one. Because a restart would force the user to reload Preware each time. That would have taken an eternity to install 20 patches. The good news is that the new versions of Preware include an option to select 'Later' at the Luna restart prompt. Therefor, we will be uncommenting the RequiresLunaRestart flag.

    As for "hiding malicious patches in themes", this is not as pressing of an issue as you state. I am 100% certain AnOutsider used to look over the themes submitted to his site before he allowed them to be built. This creates a layer of security you are not accounting for. It is the same in the WebOS-Patches world. I, or another WebOS Internals admin, look over the patch file prior to accepting it for build. The question is, does Precentral have this same sort of security check? I do not believe it does. So, in turn, an issue could also be in the way PC accepts the Themes for build "blindly" per se. **Edit: I stand corrected. I didn't know PreThemer auto accepts now. So does PC. Difference is, PC's themes are built by the WebOS Internals autobuilder which strips out the patch files. PreThemer builds his own ipkgs, which would mean the patches probably aren't stripped.

    And for the themes that you can only download the theme package and install it via WOSQI, these can't be controlled anyway. These themes may not follow the standards at all. These would be left up to the individual user of the theme to check for security. It is not known at this time how these style theme packages will fit into the overall AUPT adaption. I await a response from the others.

    -Daniel
    Last edited by dBsooner; 01/23/2010 at 11:13 PM.
    dBsooner
    WebOS-Internals Member and Developer
    Donations Appreciated!

    Keep up to date with webOS-Patches via Twitter: @dBsooner

    Browse Patches @ WebOS-Patches Web Portal - (Trac)
    Submit New Patches @ WebOS-Patches Web Portal
    Submit Updated Patches @ WebOS-Patches Web Portal
  9. #29  
    Quote Originally Posted by dBsooner View Post
    The question is, does Precentral have this same sort of security check? I do not believe it does. So, in turn, an issue could also be in the way PC accepts the Themes for build "blindly" per se.
    The packaging scripts for themes from PreCentral that end up as ipks on preware.org do not support patches. Specifically for reasons of security.

    -- Rod
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
  10. #30  
    Quote Originally Posted by rwhitby View Post
    The packaging scripts for themes from PreCentral that end up as ipks on preware.org do not support patches. Specifically for reasons of security.

    -- Rod
    Yes, I understand that. But you are referring to the packages being made for distribution through Preware, correct? What about those that are submitted to the gallery and are "downloadable" via a browser to install in WOSQI? Are the patch files stripped from there as well?
    dBsooner
    WebOS-Internals Member and Developer
    Donations Appreciated!

    Keep up to date with webOS-Patches via Twitter: @dBsooner

    Browse Patches @ WebOS-Patches Web Portal - (Trac)
    Submit New Patches @ WebOS-Patches Web Portal
    Submit Updated Patches @ WebOS-Patches Web Portal
  11.    #31  
    I have published themes in Preware from PreCentral and PreThemer. PreCentral reviewed me prior to approving me as a theme developer. It took a couple of days.

    PreThemer let me post themes instantly without reviewing me or the themes. They went straight into Preware in less than 30 seconds.

    - Craig
    Last edited by milominderbinder; 01/23/2010 at 10:15 PM.
  12.    #32  
    Quote Originally Posted by rwhitby View Post
    The packaging scripts for themes from PreCentral that end up as ipks on preware.org do not support patches. Specifically for reasons of security.

    -- Rod
    You just make the zip of your theme with it's patch in PreThemer and upload that to PreCentral.

    But as you point out it is PreThemer that has no security.

    Would one of you try this?

    Do a little patch that when you open the phone app puts "I pown you" on screen. Register at PreThemer. Download a zip of one of my patches from Prethemer. Then post it as your own with the patch. I bet it is in Preware in under a minute, malware and all.

    - Craig
    Last edited by milominderbinder; 01/23/2010 at 10:59 PM.
  13. #33  
    Quote Originally Posted by milominderbinder View Post
    You just make the zip of your theme with it's patch in PreThemer and upload that to PreCentral.

    In seconds both feeds are in Preware.

    - Craig
    This is the script which converts PreCentral theme zip files into ipkg files in the precentral-themes feed in Preware: git.webos-internals.org Git - preware/build.git/blob - scripts/xml-theme-converter.py

    Please point to the lines which creates the postinst commands to install a patch. (Hint: I wrote the script, so I know they are not there)

    I'm done with this thread until it returns to fact-based observations and experiences.

    -- Rod
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
  14. #34  
    Quote Originally Posted by milominderbinder View Post
    You just make the zip of your theme with it's patch in PreThemer and upload that to PreCentral.

    But as you point out it is PreThemer that has no security.

    Would one of you try this?

    Do a little patch that when you open the phone app puts "I pown you" on screen. Register at PreThemer. Download a zip of one of my patches from Prethemer. Then post it as your own with the patch. I bet it is in Preware in under a minute, malware and all.

    - Craig
    Did you not see in an earlier post where I agreed that there is a vulnerability in PreThemer, and suggested you talk to them about it?

    Is there a reason why you continue to repeat the same assertion, even after it has been agreed?

    Since Palm added type:game, there are ways to inject malware into *every* homebrew feed. The Preware developers are already working on ways to detect and remove it. Replying to repetitive posts about it simply detracts from that constructive effort.

    -- Rod
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
  15.    #35  
    Rod,

    Sorry.

    I know that all of this has been discussed for months. I felt an obligation to try one last time.

    I will not say anything more.

    - Craig
  16. #36  
    Quote Originally Posted by milominderbinder View Post
    Rod,

    Sorry.

    I know that all of this has been discussed for months. I felt an obligation to try one last time.

    I will not say anything more.

    - Craig
    The things you are reporting are well known by the Preware developers. By repeating them over and over you give the impression that we don't care about them, whereas I think you'll find we're the ones who have displayed the most attention to homebrew security.

    You should focus your efforts on the upstream sources (PreCentral and PreThemer) and convince them to not allow type:game in uploaded ipkgs, and to not allow patches in uploaded themes.

    Preware is not the only way to install ipkgs. Unless you stop the potential for malware at the source (the upstream submission sites), then just stopping it in Preware is not sufficient. We're going to do that anyway (as you say, we've known about this for weeks, but there's only so many free hours in each week for unpaid volunteer work), but you should focus your energies on convincing the upstream feeds if you want to make a positive impact.

    -- Rod
    WebOS Internals and Preware Founder and Developer
    You may wish to donate by Paypal to donations @ webos-internals.org if you find our work useful.
    All donations go back into development.
    www.webos-internals.org twitter.com/webosinternals facebook.com/webosinternals
  17. #37  
    Quote Originally Posted by milominderbinder View Post
    Rod,

    Sorry.

    I know that all of this has been discussed for months. I felt an obligation to try one last time.

    I will not say anything more.

    - Craig

    The process to test AUPT is very time consuming, a single iteration can take over 3 hours. It's taking some time, but AUPT is right around the corner.

    -Eric G

    WebOS Internals Developer.
    Follow me on Twitter for updates to my projects: | Virtual Keyboard | wIRC | SuperTux | AUPT | KeyBoss | freeTether |

    Donate
  18. #38  
    I just successfully removed all of my "stuck" nonfunctioning patches from Preware by doing the following. Works like a charm and will clean these out of Preware so you can reinstall the ones you actually want. Here you go:

    1) Write or remember all of these "stuck" or "hanging" patches that show up unnecessarily on PreWare.
    2) Now open WOSQI 2.96 and while in Dev Mode/Just Charging to to the "Tweaks" menu and then to the "Online Repository" tab.
    3) Using the Repository, INSTALL all of the patches you wrote down in 1). They should act as if they are being normally installed. Go through and Install all of them.
    4) Then, without doing a Luna Restart, run the EPR utility at bottom left of the box.
    5) After the EPR has been run and your Pre has rebooted, run Preware and you should now have NO patches showing in Preware. You may have to do this more than once to get all patches off.
    6) Go ahead and reinstall the patches you want...they should all install very smoothly.

    I did this exact process and it worked very well in getting annoying stuck patches off Preware.

    Hope it helps....
  19. #39  
    Quote Originally Posted by rwhitby View Post
    The things you are reporting are well known by the Preware developers. By repeating them over and over you give the impression that we don't care about them, whereas I think you'll find we're the ones who have displayed the most attention to homebrew security.

    You should focus your efforts on the upstream sources (PreCentral and PreThemer) and convince them to not allow type:game in uploaded ipkgs, and to not allow patches in uploaded themes.

    Preware is not the only way to install ipkgs. Unless you stop the potential for malware at the source (the upstream submission sites), then just stopping it in Preware is not sufficient. We're going to do that anyway (as you say, we've known about this for weeks, but there's only so many free hours in each week for unpaid volunteer work), but you should focus your energies on convincing the upstream feeds if you want to make a positive impact.

    -- Rod
    Not a developer, here...rather a very committed user who has been spending way more hours on these forums than my wife would care to admit (okay, or I). I have made my Pre so much better than what Palm released because of everything I've learned in these forums and I must say you all deserve all our respect and donations (yes, I've donated) for all you have done to make this the best phone in the world. That being said, I have stayed away from patches because they messed up my phone to the point of Doctoring it in the past and I'm just wondering why would we let PreCentral & Prethemer into the Preware feeds if they represent such a huge risk? I'm just asking....
    Don't get me wrong here....between the gang at WebOS Internals and WebOS Quick Install (aka, Jason) we all owe you a huge debt (yes, I'll be donating again, lol!). Rod, I'm not sure why you're so good to us because last I heard they don't even offer the phone in your area...I assume you know what you're doing but for a novice like me help me understand why either of you (Preware or WebOS Quick Install) would allow themes in the feeds or theming in general if they're that big of risk? P.S. Thank you, Jason, for the ability to change my boot logo...I love it! Thanks, Rod, DBSooner, Milo, and all the rest for all you do to make this the place to be.
    Jim
    If "If's" and "But's" were candy and nuts we'd all have a Merry Christmas!


  20. #40  
    I'd like just clear up a few things about my zip theming format.

    Zip theming format applies included .patch files AS patches. Meaning they'll show as removable patches on your device, separate from theme.

    Moreover, ALL patches will throw error if they're incompatable, luna reset or no. For example, a 5x5 icons patch can't be applied over a 4x4 icon patch

    I WILL be transitioning from zip to a new standard recently determined in collaboration with PreThemer and WebOS-Internals. As far as has been determined thus far, it'll be ipk-based and patches will be combined into a single master patch tied to a theme. Not my personal ideal, but it's what I've been told is best for the AUTT format. Maybe this conversation will spur revisions in the spec.
    If you've liked my software, please consider to towards future development.

    Developer of many apps such as: WebOS Quick Install, WebOS Theme Builder, Ipk Packager, Unified Diff Creator, Internalz Pro, ComicShelf HD, LED Torch, over 70 patches and more.

    @JayCanuck @CanuckCoding Facebook
Page 2 of 3 FirstFirst 123 LastLast

Posting Permissions