
Re: Security: Be careful with StarDict!



On 08/08/2025 20:29, Vincent Lefevre wrote:
> On 2025-08-07 18:52:47 +0700, Max Nikulin wrote:
>> On 06/08/2025 10:18, Vincent Lefevre wrote:
>>
>>> Note that passwords can easily be leaked.
>>
>> I see, earlier I even mentioned a protocol that allows a clipboard manager to
>> ignore text copied by password managers.
>
> X11 selections are different from clipboard.

I am unsure what you mean. The PRIMARY, SECONDARY and CLIPBOARD selections are rather similar. The difference in behavior originates from conventions as they are implemented in applications. I do not mind that you may acquire much more data by scanning the PRIMARY selection than the CLIPBOARD. However, some data may be available from CLIPBOARD only.

It is not relevant, however, to advertising an extra media (MIME) type to mark passwords. I admit it is up to the application (the password manager), and a user cannot ask an arbitrary application to treat a selection as a password. That is why support for these hints is a minor improvement.

What is different in X11 is CUT_BUFFERs, but they are not used nowadays, just like SECONDARY (I can name a few applications, but it is half-broken).

>> However, I have doubts whether setting an excessively high severity a few days
>> before release is the best way to handle the issue. Are you trying to remove
>> the stardict packages from trixie completely? I do not think bookworm users
>> who have the application installed will like it.
>
> AFAIK, there are tags to ignore the RC severity for the next release.

Do you mean trixie-ignore and forky-ignore? Have you tried to negotiate with the maintainer and with the release manager to add them?

> The vulnerability here is important enough to justify a high severity.
> In particular, it should be signaled by apt-listbugs.

I find it a valid concern. Unfortunately, it seems that in the default configuration bugs are either not listed, or a severity of serious or above causes removal from testing (unless "*-ignore" is added). Have I missed anything?

> Moreover, initially I had not thought that a query was even done: as
> a calendar was displayed (which is really strange for a dictionary
> application) and did not see anything that looked like an answer to
> a query, I was just thinking of some UI bug.

I agree, it is confusing. From my point of view, part of the problem is that the dictionary has been developed to be convenient in a specific scenario. Privacy issues were overlooked. Recently the maintainer received a number of complaints with almost no suggestions on how to meet expectations related to privacy while keeping convenience.
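The selection-scanning application is the side that can avoid leaking a password: before reading PRIMARY or CLIPBOARD it can inspect the owner's TARGETS list and skip the selection when the password-manager hint is advertised. The following is an added example, not code from the thread or from StarDict; it assumes `xclip` for the live path and uses the `x-kde-passwordManagerHint` target name (the hint convention the thread alludes to but does not name), with the selection contents and target lists in the tests constructed by hand.

```python
"""Reader-side policy for a clipboard/selection-scanning application.

The decision logic (classify_selection) is pure and testable; the
read_selection_safely wrapper talks to a real X11 selection through
xclip, if it is installed (assumption: xclip is on PATH).
"""
import shutil
import subprocess

# Target advertised by password managers (KeePassXC, KDE Klipper convention);
# its value is "secret" when the owner asks clipboard tools to stay away.
PASSWORD_HINT_TARGET = "x-kde-passwordManagerHint"
TEXT_TARGETS = ("UTF8_STRING", "STRING", "TEXT", "text/plain",
                "text/plain;charset=utf-8")


def classify_selection(targets, hint_value=None):
    """Return "skip-secret", "skip-nontext" or "read" for a selection.

    targets    - target names the selection owner offers (one per entry)
    hint_value - contents of the password hint target, if it was fetched;
                 None means the hint's value is unknown, so its mere
                 presence is treated as "secret".
    """
    names = {t.strip() for t in targets if t.strip()}
    if PASSWORD_HINT_TARGET in names:
        if hint_value is None or hint_value.strip() == "secret":
            return "skip-secret"
    # A dictionary lookup needs text; images, files, etc. are not queries.
    if not names.intersection(TEXT_TARGETS):
        return "skip-nontext"
    return "read"


def _xclip(selection, target):
    """Fetch one target from a selection ("primary" or "clipboard")."""
    result = subprocess.run(["xclip", "-o", "-selection", selection, "-t", target],
                            capture_output=True, text=True, check=False)
    return result.stdout


def read_selection_safely(selection="primary"):
    """Return the selected text, or None when it must not be used."""
    if shutil.which("xclip") is None:   # no X11 tooling available
        return None
    targets = _xclip(selection, "TARGETS").splitlines()
    hint = None
    if PASSWORD_HINT_TARGET in targets:
        hint = _xclip(selection, PASSWORD_HINT_TARGET)
    if classify_selection(targets, hint) != "read":
        return None
    return _xclip(selection, "UTF8_STRING")
```

Only the classifier is exercised offline; on a desktop with xclip, `read_selection_safely("primary")` returns None while a password manager that sets the hint owns the selection.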

