2419779 – stfl package links to scam site

Bug 2419779 - stfl package links to scam site

Summary: stfl package links to scam site

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	stfl
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Ben Boeckel
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-07 19:42 UTC by Georg Sauthoff
Modified:	2025-12-18 03:54 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2025-12-18 03:54:06 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Georg Sauthoff 2025-12-07 19:42:54 UTC

It looks like stfl upstream abandoned stfl at some point before 2022. Apparently the domain clifford(.)at expired in the end of 2021.

Around 2022 a domain squatter seems to have picked it up, restored some of the original content, but otherwise uploaded a lot of online casino slop there.

Since then the site reads "Claire's HomepageCoding, Gaming, Gambling & Fun", "In Handy Online Casinos überall spielen – Casinospiele für die Hosentasche" and similar garbage.

The fedora stfl spec file currently still links to that compromised site:

```
URL:            http://www.clifford(.)at/stfl/
Source0:        http://www.clifford(.)at/stfl/%{name}-%{version}.tar.gz
```

https://src.fedoraproject.org/rpms/stfl/blob/rawhide/f/stfl.spec#_7


I suggest to replace those scam urls with legitimate ones, for obvious reasons.
For example with URLs to a trustworthy fork, if you can find one.

Perhaps it's also time to retire that package, given that upstream is gone.



Reproducible: Always




Additional Information:
Last wayback snapshot that looks ok:
https://web.archive.org/web/20211113222004/http://www.clifford.at/stfl/

Certificate transparency logs seem to start only after the squatting:
https://crt.sh/?q=%.clifford.at

Comment 1 Ben Boeckel 2025-12-08 19:30:18 UTC

Fedora only needs it for `newsboat` (which should obsolete `newsbeuter`):

# dnf repoquery --whatrequires stfl
Updating and loading repositories:
Repositories loaded.
newsbeuter-0:2.9-28.fc43.x86_64
newsboat-0:2.39-3.fc43.x86_64
newsboat-0:2.41-1.fc43.x86_64
stfl-devel-0:0.22-53.fc43.i686
stfl-devel-0:0.22-53.fc43.x86_64
stfl-perl-0:0.22-53.fc43.x86_64
stfl-ruby-0:0.22-53.fc43.x86_64

`newsboat` developers maintain a fork for their own uses here:

https://github.com/newsboat/stfl

Given the unmaintained status of the original upstream, I'd be fine with shifting to the newsboat fork (and retiring newsbeuter in preference for newsboat). Does there need to be anything official for such a swtich?

Comment 2 Ben Boeckel 2025-12-08 19:34:20 UTC

Asked on Fedora Discuss: https://discussion.fedoraproject.org/t/switching-project-to-a-fork/176190

Comment 3 Ben Boeckel 2025-12-18 03:54:06 UTC

I've switched Rawhide to the fork. It is based on a 0.24 mention from the original history, so I'll leave it Rawhide-only.

Note You need to log in before you can comment on or make changes to this bug.