
Re: Security: Be careful with StarDict!



Hi Max, Vincent,

On Wed, 2025-08-06 at 09:33 +0700, Max Nikulin wrote:
> Vincent raised a privacy issue specific to StarDict. There might be 
> similar bugs (reported or not) in other packages. You may try to find 
> them in the Debian bug tracker or using general purpose search engines.

They exist but they are few and far between; I've seen other bugs on
this issue, mainly telemetry that is enabled by default and opt-out
rather than opt-in. See [3].

> StarDict is not installed by default. You may check whether it is 
> installed on your machines by commands like
> 
>      dpkg -l 'stardict*'
>      apt list 'stardict*'
> 
> I decided to post to debian-user rather than to the bug tracker to 
> discuss it from a more general point of view: whether this kind of 
> feature should be considered controversial and whether Debian 
> maintainers should disable it in default configuration overriding 
> upstream settings. Disabling features that are convenient in some 
> scenarios may cause conflicts between upstream developers and Debian 
> maintainers.

It probably should be disabled IMO in the interest of users. It's a
very, very cool feature, especially because it works across apps. But
since it already supports setting a hotkey/shortcut to scan the current
selection, a hotkey should be set or the feature should be disabled
entirely by default.

> On 05/08/2025 18:09, Greg Wooledge wrote:
[...]
> > I have no idea why stardict was allowed into Bookworm in this state.
> > Shouldn't an open "Important" bug have blocked it?
> 
> Thanks for the link.
> 
> https://www.debian.org/Bugs/Developer#severities
> - *serious* is a severe violation of Debian policy (roughly,
>    it violates a "must" or "required" directive), or, in the package
>    maintainer's or release manager's opinion, makes the package
>    unsuitable for release.
> - *important* a bug which has a major effect on the usability
>    of a package, without rendering it completely unusable to everyone.

Yep, serious or higher is considered RC and the package is
blocked from migrating from unstable to testing.

Note that with the package already in testing and this far into the
release, it won't be removed from Trixie unless the release managers
intervene manually (which I highly doubt).

> Severity set to 'serious' from 'important' Request was from Maytham 
> Alsudany ...  (Wed, 06 Aug 2025 00:45:02 GMT)

Yep, that's me :)

> However if this bug exists in bookworm, in my opinion, it should not 
> require *urgent* reaction before trixie release. It may be fixed in 
> later update.

+1

A patch to disable the bit of code that enables this by default would
greatly expedite the fix. From my quick look, it appears there's no
config file that is installed by default, so it's somewhere in the C.

--
Maytham

P.S. I've already seen a post in the Debian subreddit[1] and an
article[2] about this thread; it should not be getting this much
notoriety/coverage. It also amuses me how the comments of a few people
who happen to be DDs (e.g. myself, stardict package maintainer) are
being represented as the position of Debian as a whole.

[1] https://www.reddit.com/r/debian/comments/2mj0hkn/stardict_plugins_in_debian_13_raise_privacy/
[2] https://linuxiac.com/stardict-plugins-in-debian-13-raise-privacy-concerns/
[3] https://wiki.debian.org/PrivacyIssues
    e.g. https://bugs.debian.org/972761
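The `dpkg -l 'stardict*'` / `apt list 'stardict*'` check quoted above also lists packages that were removed but still have config files left behind ("rc" in the `dpkg -l` status column) and packages dpkg merely knows about but never installed. Only a fully installed package can run the scan-selection feature, so the status column needs to be read, not just the package name. The script below is an added example written for this page, not code from the thread or from the stardict package; the sample status lines are constructed, and the `check_stardict` wrapper assumes a Debian system with `dpkg-query` available.

```shell
#!/bin/sh
# Added example: reduce dpkg status output to packages that are actually
# installed. Input lines have the form "<package><TAB><want> <flag> <status>",
# exactly what this query produces:
#   dpkg-query -W -f='${Package}\t${Status}\n' 'stardict*'
# Only lines whose status word is "installed" are printed; "config-files"
# (the "rc" rows of dpkg -l), "not-installed" and "half-installed" are dropped.
installed_from_status() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r pkg status; do
        case "$status" in
            *" installed") printf '%s\n' "$pkg" ;;
        esac
    done
}

# Constructed sample output (not captured from a real machine) covering the
# states a dpkg database commonly reports for a package glob.
SAMPLE_STATUS="$(printf 'stardict\tinstall ok installed\n'
                 printf 'stardict-gtk\tinstall ok installed\n'
                 printf 'stardict-plugin-espeak\tdeinstall ok config-files\n'
                 printf 'stardict-common\tunknown ok not-installed\n')"

# Real check for a Debian host; assumes dpkg-query is present.
check_stardict() {
    dpkg-query -W -f='${Package}\t${Status}\n' 'stardict*' 2>/dev/null \
        | installed_from_status
}

# Run with --demo to see the filter applied to the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_STATUS" | installed_from_status
fi
```

On the sample input only `stardict` and `stardict-gtk` are reported; the removed plugin and the never-installed package are filtered out. Running `check_stardict` on a live host gives the same kind of list for whatever `stardict*` packages dpkg has actually installed there.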
