Bug 2419779

Summary: stfl package links to scam site
Product: [Fedora] Fedora Reporter: Georg Sauthoff <fedora>
Component: stflAssignee: Ben Boeckel <fedora>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: fedora
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-12-18 03:54:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Georg Sauthoff 2025-12-07 19:42:54 UTC 
It looks like stfl upstream abandoned stfl at some point before 2022. Apparently the domain clifford(.)at expired in the end of 2021.

Around 2022 a domain squatter seems to have picked it up, restored some of the original content, but otherwise uploaded a lot of online casino slop there.

Since then the site reads "Claire's HomepageCoding, Gaming, Gambling & Fun", "In Handy Online Casinos überall spielen – Casinospiele für die Hosentasche" and similar garbage.

The fedora stfl spec file currently still links to that compromised site:

```
URL:            http://www.clifford(.)at/stfl/
Source0:        http://www.clifford(.)at/stfl/%{name}-%{version}.tar.gz
```

https://src.fedoraproject.org/rpms/stfl/blob/rawhide/f/stfl.spec#_7


I suggest to replace those scam urls with legitimate ones, for obvious reasons.
For example with URLs to a trustworthy fork, if you can find one.

Perhaps it's also time to retire that package, given that upstream is gone.



Reproducible: Always




Additional Information:
Last wayback snapshot that looks ok:
https://web.archive.org/web/20211113222004/http://www.clifford.at/stfl/

Certificate transparency logs seem to start only after the squatting:
https://crt.sh/?q=%.clifford.at
Comment 1 Ben Boeckel 2025-12-08 19:30:18 UTC 
Fedora only needs it for `newsboat` (which should obsolete `newsbeuter`):

# dnf repoquery --whatrequires stfl
Updating and loading repositories:
Repositories loaded.
newsbeuter-0:2.9-28.fc43.x86_64
newsboat-0:2.39-3.fc43.x86_64
newsboat-0:2.41-1.fc43.x86_64
stfl-devel-0:0.22-53.fc43.i686
stfl-devel-0:0.22-53.fc43.x86_64
stfl-perl-0:0.22-53.fc43.x86_64
stfl-ruby-0:0.22-53.fc43.x86_64

`newsboat` developers maintain a fork for their own uses here:

https://github.com/newsboat/stfl

Given the unmaintained status of the original upstream, I'd be fine with shifting to the newsboat fork (and retiring newsbeuter in preference for newsboat). Does there need to be anything official for such a swtich?
Comment 2 Ben Boeckel 2025-12-08 19:34:20 UTC 
Asked on Fedora Discuss: https://discussion.fedoraproject.org/t/switching-project-to-a-fork/176190
Comment 3 Ben Boeckel 2025-12-18 03:54:06 UTC 
I've switched Rawhide to the fork. It is based on a 0.24 mention from the original history, so I'll leave it Rawhide-only.