
Re: Uninstalling a package removes other essential packages: What is the best course of action?



On 2022-02-15 at 12:56, Stella Ashburne wrote:

> Hello The Wanderer

>> Do you have any reason to believe that it might? As compared to any
>> other random library that Debian provides.
> 
> No, I don't have the technical knowledge to audit libthai. My point 
> is that why pull in non-English dependencies for an English-language 
> installation....

Because just because the main OS is configured to be in English, doesn't
mean there won't be a time when the user needs to read a document
written in that non-English language.

What if someone sends you a document that has one or more words written
in Thai? In order to be able to display that document correctly, the
computer will need code that knows how to handle the Thai language.
Whether that code is in libthai, or in a more general library, or
embedded directly in whatever program it is that's reading the document,
it's still there.

Even if you can be sure you'll never have any reason to want to read a
document that contains Thai, the same thing applies for every other
language that doesn't just use the same character set, etc., as English.
Most of them don't have sufficiently unusual and/or complex rules that
they need a dedicated library to handle them, as Thai apparently does,
but they do need something to handle whatever rules there may be.

> Doing so may increase the chance of attacks by hackers.

Not any more than pulling in any other dependency does.

> The argument that an app, library or distro is open source does not 
> really mitigate the risks of attacks.

I hadn't made that argument, I don't think, so this seems like a non
sequitur.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
