Page 1 of 2

Is this project dead?

PostPosted: 11 Apr 2017, 12:17
by SlF
Hey,

I know that some people won't like this sort of post, but is runeaudio dead? No progress for years.
Maybe there is some new fork? Just wondering if there will be an update soon and if I can help.

Greetz

Re: Is this project dead?

PostPosted: 11 Apr 2017, 13:19
by °pdi°

Re: Is this project dead?

PostPosted: 12 Apr 2017, 09:07
by samberry

Re: Is this project dead?

PostPosted: 18 Apr 2017, 22:17
by SlF


Why didn't I see this?

It must be a bit hidden.

Great!!!

Re: Is this project dead?

PostPosted: 17 Jan 2018, 11:34
by WillCourney
There are so many forks here. Why did you ask it? There a lot of interesting and useful info on others pages, just seek it better! Have a good day!

Re: Is this project dead?

PostPosted: 17 Jan 2018, 14:28
by janui
Additionally:

Re: Is this project dead?

PostPosted: 21 Jan 2018, 12:34
by ACX
Hello, please take a look at this post.

Re: Is this project dead?

PostPosted: 22 Jan 2018, 16:41
by waves
The versions of RuneAudio on the official downloads page have known unpatched vulnerabilities such as the KRACK wpa2 vulnerability. By default those downloads also come with SSH enabled and a default username/password printed on the public site. There are newer inofficial/beta versions and instructions for updates scattered throughout the forum, but the documentation page doesn't say anything about that.

Shouldn't a notice be put on the downloads/documentation pages that the versions there are end of life and not receiving security updates?

Edit: There is more. In recent weeks there has been news about exploits against localhost/LAN services through DNS rebinding methods by malicious sites through a LAN users browser.See for example this Ars Technica piece
https://arstechnica.com/information-tec ... -computer/

AFAICT RuneAudio could also be vulnerable to such attacks. What could happen? Well for a start an attacker (or their automatic scripts) could access the /dev page and change stuff. Since RuneAudio has no feature for password restricting access to only some LAN devices. But the gap in updates to RuneAudio also increases the risk that there are unpatched vulnerabilities in Arch, PHP, javascript etc that a DNS rebind attacker could exploit through as a second step.

Re: Is this project dead?

PostPosted: 12 Feb 2018, 15:56
by gearhead
Ditto. I mean no disrespect either, but in the era of web cameras being hijacked for nefarious purposes, security should be a concern as well as audio capabilities and a well designed UI and system.

My hope is that the current development, which we have been anxiously awaiting for 4 years, unseen by any but a chosen few will address security as well as update concerns along with UI and system improvements.

As for Arch updates, it says somewhere in the Arch docs that piecemeal updating of the system is not supported or encouraged. I believe that the packages and their prerequisites as well as a pacman.conf line or 2 may help alleviate this problem. I'm willing to help if asked.

Gearhead

Re: Is this project dead?

PostPosted: 22 Feb 2018, 11:13
by waves
Another DNS rebinding vulnerability against an application with a localhost webserver. This time the utorrent bittorrent client. https://arstechnica.com/information-tec ... downloads/ As I described above it looks like RuneAudio is vulnerable to the same basic method of access.