Lahwaacz developed and hosts https://jlk.fjfi.cvut.cz/arch/manpages/, which is used on the ArchWiki for links to man pages, e.g. pacman(8). See Template talk:Man#Sources and the GitHub repository. I think this should be adopted as an official Arch Linux project if only for a nicer domain name (man.archlinux.org).

https://jlk.fjfi.cvut.cz/arch/manpages/

Upstream https://github.com/lahwaacz/archweb_manpages

After the tablesorter update clicking once on a column to sort it a blue square is shown around the "clicked" corner. This wasn't the case in the previous version and should be disabled by either CSS or a configuration option.

Either by using repology, https://release-monitoring.org/ or nvchecker

See packages/package_details.html:33

Maybe just remove the inline script and add target="_blank" to the <a>?

EDIT:
Similar thing happens in the django admin. When changing user {permissions, groups}, SelectBox.js tries to apply an inline style. This causes the change to the user to fail.

Resolve the "Error: Bad value screen, projection for attribute media on element link: Deprecated media type projection. For guidance, see the Media Types section in the current Media Queries specification." error for all our css includes.

Talking about this on IRC lead to the conclusion that it would be easier to just integrate the mail sending directly into archweb. Thus the changes above are not needed, but there needs to be some service that monitors the mirror check data and sends notifications like this:

• notify about "out of sync" if the lastsync time is older than 72hours
• notify about "unreachable" if the lastsync file could not be fetched for 24hours
• notify if the lastupdate file is 72 hours older than the lastupdate file on our master mirror

A potential improvement is to be able to set the timeouts for each mirror on their own (some mirrors sync every minute so 1 hour delay might be more appropriate than 72).

If a tier 1 mirror is unreachable or out of sync, tier 2 mirrors that use this mirror should NOT receive emails about being out of sync. There is a field in the database that records the source mirror for tier 2 mirrors, but this field is often not correct due to mirrors changing their upstream without notifying us.

Templates for the email texts can be found here: https://git.server-speed.net/users/flo/arch-mirror-tools/tree/bin/generate-mirror-mail.pl

Original ticket https://bugs.archlinux.org/task/45556

Create an automatic todo list to rebuild the users packages which are signed with an now inactive key.

The modify_attributes function sets attributes for html elements since jQuery doesn't allow us to change the "type" in IE. Since IE is no longer supported and the relevant commit acf252f has been made in 2012 check if this can be rewritten.

Ideally the login page would not need jQuery anymore at all since all it does is set focus on $id_username. The same goes for the developer profile view.

Currently the profile page is cached for 10 minutes and when a user updates his profile page the cache is not invalidated.

templates/public/userlist.html:{% cache 600 dev-tu-profiles group.name %}

https://docs.djangoproject.com/en/2.1/topics/cache/#template-fragment-caching

Check if the package is a split package by comparing pkgname != pkgbase and then don't show "Click here to unflag all split packages"

Traceback (most recent call last):
File "/srv/http/archweb/mirrors/management/commands/mirrorcheck.py", line 125, in check_mirror_url
result = urllib.request.urlopen(req, timeout=timeout)
File "/usr/lib64/python3.7/urllib/request.py", line 222, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib64/python3.7/urllib/request.py", line 525, in open
response = self._open(req, data)
File "/usr/lib64/python3.7/urllib/request.py", line 543, in _open
'_open', req)
File "/usr/lib64/python3.7/urllib/request.py", line 503, in _call_chain
result = func(*args)
File "/usr/lib64/python3.7/urllib/request.py", line 1345, in http_open
return self.do_open(http.client.HTTPConnection, req)
File "/usr/lib64/python3.7/urllib/request.py", line 1319, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 111] Connection refused>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib64/python3.7/threading.py", line 917, in _bootstrap_inner
self.run()
File "/usr/lib64/python3.7/threading.py", line 865, in run
self._target(*self._args, **self._kwargs)
File "/srv/http/archweb/mirrors/management/commands/mirrorcheck.py", line 238, in mirror_url_worker
log = check_mirror_url(url, location, timeout)
File "/srv/http/archweb/mirrors/management/commands/mirrorcheck.py", line 143, in check_mirror_url
if isinstance(e.reason, types.StringTypes) and
AttributeError: module 'types' has no attribute 'StringTypes'

Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib64/python3.7/urllib/request.py", line 1317, in do_open
encode_chunked=req.has_header('Transfer-encoding'))
File "/usr/lib64/python3.7/http/client.py", line 1229, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/usr/lib64/python3.7/http/client.py", line 1275, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/usr/lib64/python3.7/http/client.py", line 1224, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/usr/lib64/python3.7/http/client.py", line 1016, in _send_output
self.send(msg)
File "/usr/lib64/python3.7/http/client.py", line 956, in send
self.connect()
File "/usr/lib64/python3.7/http/client.py", line 928, in connect
(self.host,self.port), self.timeout, self.source_address)
File "/usr/lib64/python3.7/socket.py", line 727, in create_connection
raise err
File "/usr/lib64/python3.7/socket.py", line 716, in create_connection
sock.connect(sa)
socket.timeout: timed out

Display missing (make) depends on either /devel/ or mail when they occur:

Some work has been done in this following commit. This takes about ~ 11 minutes to run on our staging server.

The following command shows all deprecation warnings for our code but also for virtualenv's it would be useful to figure out how to show it just for our code and run that in our CI

PYTHONWARNINGS=always ./manage.py test

Some unfinished todo lists are listed in the second page instead of the first page since the list is ordered on created date instead of completed status.

The bot created this issue to inform you that pyup.io has been set up on this repo.
Once you have closed it, the bot will open pull requests for updates as soon as they are available.

For example when glibc is flagged out of date, flag lib32-glibc out of date as well.

Document how to get django-toolbar working and include in urls.py

diff --git a/urls.py b/urls.py
index ee899a4d..0a40b4b8 100644
--- a/urls.py
+++ b/urls.py
@@ -1,7 +1,9 @@
 from django.conf.urls import include, url
+from django.urls import include, path
 from django.contrib import admin
 from django.contrib.sitemaps import views as sitemap_views
 from django.contrib.auth import views as auth_views
+from django.conf import settings
 
 from django.views.decorators.cache import cache_page
 from django.views.generic import TemplateView
@@ -104,6 +106,11 @@
     url(r'^logout/$', auth_views.LogoutView.as_view(template_name='registration/logout.html'), name='logout'),
 ])
 
+if settings.DEBUG:
+    import debug_toolbar
+    urlpatterns = [
+        path('__debug__/', include(debug_toolbar.urls)),
+    ] + urlpatterns
 
 # displays all archweb urls
 def show_urls(urllist=urlpatterns, depth=0):  # pragma: no cover

Add a column which shows if you maintain this package or are the packager of the package in the signoff status.

Change the unit test system to pytest with it's easy fixture system to replace the current json fixtures.

• Consider using pytest-django
• Add fixtures for mirrorurls etc.
• Django testing documentation

Accessibility is important for users who are blind or visually impaired. Some links to read up about:

• https://a11yproject.com/about
• https://github.com/pa11y/pa11y
• https://www.youtube.com/watch?v=GQPGuxgesM0

Hopefully Django already includes a good default accessibility but our own changes might nont be. Having a CI for accessibility checking would also be a nice improvement.

Our session cookies currently do not set the new samesite header for cookies. This is now supported since Django 2.1 and should probably set to strict.

https://docs.djangoproject.com/en/2.1/ref/settings/#session-cookie-samesite

An initial CSP header has been added to Archweb but it is currently lacking a few options which makes it safer.

• Clickjacking protection, using frame-ancestors
• Deny by default, using default-src 'none'
• Restricts use of the tag by using base-uri 'none' or 'self'
• Restricts where contents may be submitted using form-action 'self'.

It would be really useful to have an RSS feed available of recently orphaned packages so people can subscribe and adopt packages they know/use. It would make orphans more visible and hopefully decrease the number of orphaned packages.

After the Python 3 upgrade the error message in the url details view shows up as b'foo' while it should be decoded into a string.

This query returns a list of orphan packages and finds possible maintainers for those by looking at all packages that directly depend on the orphan.Please make this a report page in the developer area of archweb.

SELECT distinct sub.depname as "(orphan) child", sub.pkgbase as "parent", coalesce(user.username, "orphan") as "parent maintainer", p.packager_str as "last child packager" FROM ( SELECT distinct p.pkgbase, dep.depname FROM package_depends as dep JOIN packages as p on p.id = dep.pkg_id WHERE dep.depname in ( SELECT distinct p.pkgbase FROM packages as p LEFT JOIN packages_packagerelation as rel on rel.pkgbase = p.pkgbase WHERE rel.id is null) ) as sub LEFT JOIN packages_packagerelation as rel on rel.pkgbase = sub.pkgbase LEFT JOIN auth_user as user on user.id = rel.user_id LEFT JOIN packages as p on sub.depname = p.pkgname ORDER BY sub.depname, sub.pkgbase;

The query is somewhat slow (~1sec execution time) and probably needs to be optimized.

A more optimised version:
SELECT DISTINCT pp.pkgbase, ppr.user_id, child.pkgname FROM package_depends ppd JOIN packages pp ON ppd.pkg_id = pp.id JOIN packages_packagerelation ppr ON pp.pkgbase = ppr.pkgbase JOIN (SELECT DISTINCT cp.pkgname FROM packages cp LEFT JOIN packages_packagerelation pr ON cp.pkgbase = pr.pkgbase WHERE pr.id IS NULL) child ON ppd.depname = child.pkgname ORDER BY child.pkgname;

This feature should only be shown for logged in users because of the possible performance penalty.

Currently the crsf cookie is not httponly, check if we can change it and apply these settings:

CSRF_COOKIE_SECURE = True
CSRF_USE_SESSIONS = True
CSRF_COOKIE_HTTPONLY = True

https://docs.djangoproject.com/en/2.1/ref/clickjacking/

jQuery 1.8.3 is long dead, it's unhealthy to run it in production. It's not possible to drop jQuery yet since the tablesorter plugin and typeahead still relies on it.

• Find a replacement for the typeahead on the main page ("Package Search")
• Update tablesorter to a version which jQuery 3.3.x supports.
• Check is visualizations still work (d3.js)

The PR https://github.com/archlinux/archweb/pull/49/commits has some commits which updates jQuery and the tablesorter.

In the Django 2.0 release notes the following is mentioned:

The django.db.backends.postgresql_psycopg2 module is deprecated in favor of django.db.backends.postgresql. It’s been an alias since Django 1.9. 
This only affects code that imports from the module directly. 
The DATABASES setting can still use 'django.db.backends.postgresql_psycopg2', though you can simplify that by using the 'django.db.backends.postgresql' name added in Django 1.9.

Look into adding a Content Security Policy for www.archlinux.org possible with the help of django-csp. Tricky parts are our old jQuery and CSS styles.

• Add CSP rule for JavaScript (should be all self served)
• Add CSP rule for CSS (self served as well)
• Add CSP rule for font source (should be none, we serve no fonts)
• Add CSP form-action and test signoffs, submitting out of date requests.

https://github.com/benyaminsalimi/Secure-Headers/blob/master/example/Django_Settings.py

Consider adding, not replacing webp images since they seem to be at least twice as small when converted to webp.

For example using

<picture>
	<source srcset="opera.webp" type="image/webp">
	<img src="opera.jpg" alt="The Oslo Opera House">
</picture>

Note: not really high prio, since Firefox just supports it. https://caniuse.com/#search=webp

The Feature-Policy disallows the browser from accessing certain features on a mobile device such as location, etc and is currently still a draft. It's also only supported via a Django extension.

https://pypi.org/project/django-feature-policy/
https://w3c.github.io/webappsec-feature-policy/

When a package is no longer in [testing] clean up the related signoffs for this package or periodically prune old signoffs.

Both the packages_signoffspecification and packages_signoff tables

virtualenv can be replaced with python -m venv these days.

For example the package contains an extra space after 'bash' which shouldn't be there.

Update Django to 2.1 on the python3 branch since Django 1.11 does not support 3.7.

A few things have changed in 2.1, notably the on_delete parameter needs to be added for foreinkeys

Note 2.1 is supported till end 2019. Then we need to switch to 2.2 which is LTS.

Currently we have no real official REST API or consistent JSON API. We need to figure out what data we want to have easily query'able for users.

Current "API":

• http://www.archlinux.org/packages/search/json/?q=$search term
• https://www.archlinux.org/packages/$repo/$arch/$pkgname/json/
• https://www.archlinux.org/packages/$repo/$arch/$pkgname/files/json/
• https://www.archlinux.org/todo/$todoname/json
• https://www.archlinux.org/packages/signoffs/json/
• https://www.archlinux.org/mirrors/status/json/
• https://www.archlinux.org/mirrors/status/tier/1/json/
• https://www.archlinux.org/mirrors/locations/json/
• https://www.archlinux.org/master-keys/json/
• https://www.archlinux.org/releng/releases/json/

What's missing

• A generic way to create a token and for example mark signoffs securely. arch-signoff now relies on doing http basic auth
• Todo list overview endpoint https://www.archlinux.org/todo/json
• Documentation
• Performance

python-qt.py is required by qspectrumanalyzer but not listed in the python-qt.py page.

When manually unflagging the old flagrequest is not removed while it should be.

Number of flag requests can be obtained by:

>>> from packages.models import FlagRequest
>>> FlagRequest.objects.count()

Steps:

• Check the number of flagged packages
• Flag a package
• Unflag the same package
• Number of flagged packages should be the same.

The todolist model has an old_id field for redirection https://www.archlinux.org/todo/204 to a new slug based url. Since this is the last known old id and links to old todolists aren't particularly interesting this can be removed.

urls.py old_id regex
views.py old_id view_redirect function
model.py remove old_id

Add 2FA to archweb, making it possible for a user to sign in with a second factor. Most simple implementation should support freeotp/google authenticator.

• Enforce 2FA for admin logins. Admins should always login using 2FA
• Add optional 2FA for normal TU/Dev's if they have 2FA configured then it will be enforced on logon.

Consider adding the Referer-Policy header to Archweb, currently only supported via a django extension. Hopefully lands in django core soon (tm).

https://code.djangoproject.com/ticket/29406
https://pypi.org/project/django-referrer-policy/

Add this link http://www.spi-inc.org/projects/archlinux/ that point to SPI's Arch Linux project page, which shows a Paypal donation link.

https://bugs.archlinux.org/task/55898

Last usage of this module was in 353f803

One branch which has worked on it is available here:
master...jelly:d3js_upgrade

The new typeahead does not work on Edge since it returns no x/y member for getClientRects. Use top and left instead.

Currently documented on the Arch Wiki, this might be incomplete or not up to date.

It would be nice to see which packages get promoted from AUR to community or core/extra, or even the new packages in the distro. I think it would be something interesting to have because promoted packages are probably new good software that would be interesting to hear about.This could simply be implemented as a "new" icon next to new packages in the "recently updated packages" box, similarly to what the AUR home page has.

Relevant forum discussion: http://bbs.archlinux.org/viewtopic.php?id=66071

When a Trusted User or Developer steps down, his key may be left in the archlinux-keyring package. There is no automation to revoke this key or update the keyring package, so there should be some automation in place to handle this :)

Some scenario's which can be automated:

• When a key is in the keyring but there is no archweb entry, report an issue.
• When a fingerprint is registered in archweb but not in the keyring, report an issue
• When a key is almost expired report an issue.The issues can be shown in archweb or mailed to a mailing list.