Re: Security: Be careful with StarDict!
First, to Richard.
Vincent raised a privacy issue specific to StarDict. There might be
similar bugs (reported or not) in other packages. You may try to find
them in the Debian bug tracker or using general-purpose search engines.
StarDict is not installed by default. You may check whether it is
installed on your machines with commands like
dpkg -l 'stardict*'
apt list 'stardict*'
I decided to post to debian-user rather than to the bug tracker to
discuss it from a more general point of view: whether this kind of
feature should be considered controversial and whether Debian
maintainers should disable it in the default configuration, overriding
upstream settings. Disabling features that are convenient in some
scenarios may cause conflicts between upstream developers and Debian
maintainers.
On 05/08/2025 18:09, Greg Wooledge wrote:
On Tue, Aug 05, 2025 at 09:43:03 +0700, Max Nikulin wrote:
I agree with Vincent that without *explicit* user consent applications
should not send to remote servers what they gather by listening for
changes to the primary selection or clipboard. Even if upstream packages (source
code, flatpak, snap) have similar features enabled by default, I would
expect Debian maintainers to change the defaults to be more careful with
user data.
There is an open bug for this,
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806960>.
According to <https://tracker.debian.org/pkg/stardict>, the package
was removed from testing and unstable in April 2020, but it was
brought back in December 2021. Bug #806960 was upgraded to
Severity: Important in June 2022, a year before Bookworm's release.
I have no idea why stardict was allowed into Bookworm in this state.
Shouldn't an open "Important" bug have blocked it?
Thanks for the link.
https://www.debian.org/Bugs/Developer#severities
- *serious* is a severe violation of Debian policy (roughly,
it violates a "must" or "required" directive), or, in the package
maintainer's or release manager's opinion, makes the package
unsuitable for release.
- *important* a bug which has a major effect on the usability
of a package, without rendering it completely unusable to everyone.
Severity set to 'serious' from 'important' Request was from Maytham
Alsudany ... (Wed, 06 Aug 2025 00:45:02 GMT)
However, if this bug exists in bookworm, in my opinion it should not
require an *urgent* reaction before the trixie release. It may be fixed in a
later update.
I did not like the position of the maintainer with respect to
<https://bugs.debian.org/1110370>
"stardict-plugin: YouDao plugin sends the user's selection from other
apps to Chinese servers"
Severity set to 'wishlist' from 'critical' Request was from xiao sheng
wen ... (Mon, 04 Aug 2025 02:29:02 GMT)
I do not mind that the feature is mentioned in the package description
and the plugins package is in "Recommends", not in "Depends", so it can
be removed. The question is the default effect of "apt install stardict".
I believe the proper tags are neither security+critical nor wishlist, but
something in between.
At least some applications show a visible indicator that the camera or
microphone is on or that screen capture is active. Applications relaying
selected text to a remote server may show a similar popup when this mode is
active.
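As an added example (not part of this message, nor code from the Debian stardict package), here is a small POSIX shell helper that goes one step beyond the `dpkg -l 'stardict*'` check above: it parses `dpkg-query` output and tells apart a machine where stardict was installed with its Recommends (so the stardict-plugin package, which carries the YouDao plugin, is present) from one where only the core package is installed. The package names stardict and stardict-plugin are taken from the thread; the `dpkg-query -f` format string is the standard one, and the three sample listings are constructed for the example rather than captured from a real system.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the stardict package.
# Classifies a machine's stardict installation from dpkg-query output, so
# that the case the thread worries about (stardict pulled in together with
# stardict-plugin via Recommends) is told apart from a plain install.
#
# On a real Debian system the input is produced with
#   dpkg-query -W -f='${Package} ${db:Status-Status}\n' 'stardict*' 2>/dev/null
# (dpkg-query exits non-zero and prints to stderr when nothing matches).
# Package names (stardict, stardict-plugin) are taken from the thread;
# the sample listings below are constructed, not captured from a real machine.

stardict_status() {
    # $1: newline-separated "<package> <status>" lines as produced above.
    printf '%s\n' "$1" | awk '
        # dpkg-query also lists removed packages (status "config-files" or
        # "not-installed"); only status "installed" counts.
        $2 == "installed" { installed[$1] = 1 }
        END {
            if (installed["stardict"] && installed["stardict-plugin"])
                print "stardict installed with stardict-plugin"
            else if (installed["stardict"])
                print "stardict installed without stardict-plugin"
            else
                print "stardict not installed"
        }'
}

# Constructed sample: result of a default "apt install stardict", which
# also installs Recommends such as stardict-plugin.
SAMPLE_DEFAULT='stardict installed
stardict-gtk installed
stardict-plugin installed'

# Constructed sample: "apt install --no-install-recommends stardict", or the
# plugin package removed afterwards with "apt remove stardict-plugin"
# (a removed-but-not-purged package stays listed with status config-files).
SAMPLE_NO_PLUGIN='stardict installed
stardict-gtk installed
stardict-plugin config-files'

# Constructed sample: nothing matching is installed.
SAMPLE_NONE=''

# Stand-alone run: report all three constructed cases.
for s in "$SAMPLE_DEFAULT" "$SAMPLE_NO_PLUGIN" "$SAMPLE_NONE"; do
    stardict_status "$s"
done
```

To avoid the plugin package in the first place, `apt install --no-install-recommends stardict` installs only hard dependencies; `apt-cache depends stardict` shows which packages are pulled in as Recommends by default.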