themafia 6 days ago

> Part of the justification for moving to Wayland over X11 is to make security vulnerabilities relating to one application spying on another more difficult to introduce.

Yea, because, how else am I going to run shady, poorly maintained dictionary software that ignores system settings from a hostile country? What kind of world are we living in with X11?! The software could just as well hook into your downloads folder and transparently "translate" any downloaded text or PDF file for you. In which case the method by which pixels arrive on your screen would not be relevant. How is this an X11 vs Wayland issue and not a distribution hygiene issue? Why is this package even a part of the distribution? In the desire to force one desktop system to stop existing, for whatever reason, I think they've missed the broader point.

akimbostrawman 6 days ago

> The software could just as well hook into your downloads folder

Correct, which is why Wayland is only one piece in improving security; you still need proper sandboxing.

lupusreal 6 days ago

By the time you have something that allows you to safely run malware, you have a usability nightmare.

const_cast 5 days ago

Flatpak'd Wayland applications are super usable and they prevent the clipboard spying and the download folder shenanigans. You can edit permissions straight from KDE settings. Of course, you can't safely just run malware in Flatpak.

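As an added example (not from this thread, and not Flatpak's or KDE's own code), here is a small POSIX shell script that does from the command line what the comment above describes doing from KDE settings: it scans a Flatpak app's declared permissions for the two exposures discussed in the thread (the X11 socket, which on X11 lets one app read other windows and the clipboard, and broad filesystem grants such as the downloads folder), and then applies a per-user `flatpak override` that drops X11, keeps Wayland and removes download-folder access. The permissions sample is constructed in the format printed by `flatpak info --show-permissions` (a `[Context]` keyfile with `;`-separated lists) rather than captured from a real package, and the app ID `com.example.Dictionary` is a placeholder.

```shell
#!/bin/sh
# Added example: audit and tighten a Flatpak app's sandbox permissions.
# Assumes only the real 'flatpak override' flags --nosocket, --socket,
# --nofilesystem and --show; the app ID below is a placeholder.

# risky_permissions: read "flatpak info --show-permissions"-style output
# from stdin and print one line per grant worth reviewing:
#   - the x11 socket (cross-window/clipboard access on X11)
#   - home, host, or xdg-download filesystem access
risky_permissions() {
    awk -F= '
        /^sockets=/ {
            n = split($2, s, ";")
            for (i = 1; i <= n; i++) if (s[i] == "x11") print "socket:x11"
        }
        /^filesystems=/ {
            n = split($2, f, ";")
            for (i = 1; i <= n; i++) {
                if (f[i] == "home" || f[i] == "host" || f[i] ~ /^xdg-download/)
                    print "filesystem:" f[i]
            }
        }
    '
}

# count_risky: number of risky grants in the permissions text on stdin
# (awk rather than grep -c so an empty result is "0" with exit status 0).
count_risky() {
    risky_permissions | awk 'END { print NR }'
}

# harden_app: per-user override for one app: no X11 socket, Wayland
# allowed, no access to the downloads folder. Prints the resulting
# override. Returns 1 (without touching anything) if flatpak is absent.
harden_app() {
    app="$1"
    if ! command -v flatpak >/dev/null 2>&1; then
        echo "flatpak not installed; would override $app" >&2
        return 1
    fi
    flatpak override --user \
        --nosocket=x11 --socket=wayland \
        --nofilesystem=xdg-download \
        "$app"
    flatpak override --user --show "$app"
}

# Constructed sample (not from a real package) in the format of
# 'flatpak info --show-permissions APP_ID'.
SAMPLE_PERMISSIONS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=xdg-download;home;'

# Stand-alone run: list the risky grants in the sample and count them.
# To audit a real app instead:  flatpak info --show-permissions APP_ID | risky_permissions
# To apply the override:        harden_app com.example.Dictionary   (placeholder ID)
printf '%s\n' "$SAMPLE_PERMISSIONS" | risky_permissions
printf 'risky grants: %s\n' "$(printf '%s\n' "$SAMPLE_PERMISSIONS" | count_risky)"
```

On the sample, the scan reports `socket:x11`, `filesystem:xdg-download` and `filesystem:home`; after `harden_app`, the override removes the first two, while `home` would still need its own `--nofilesystem=home` if the app declares it. Note that overrides constrain the sandbox, not the app's intent: a dictionary that ships a "send the selection to a remote server" feature keeps that feature, it just loses the ability to read the X11 clipboard of other windows or your downloads folder.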
fsflover 5 days ago

Qubes OS is the solution. It's indeed less convenient than ordinary GNU/Linux but still quite usable. My daily driver, can't recommend it enough.

npteljes 6 days ago

I agree with you, this is not an X11 issue, it's a "why are we letting software like this in the repository" issue. The kind of lax attitude towards security I'd expect from a random AUR package, not in the Debian repo.

aragilar 6 days ago

It's been in Debian for more than 20 years (see changelog here: https://tracker.debian.org/media/packages/s/stardict/changel...). It's not clear to me if said "autosend off clipboard contents" has been in there the whole time though.

npteljes 6 days ago

Data leaking bug reported as early as 2009: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534731, so it's not looking rosy.

aragilar 6 days ago

Which is interesting, as (according to the LWN article) it seems like the general issue of what is sent is an ever-present one for StarDict: apparently the earlier issue was around the defaults for all dictionaries, whereas the new issue is around a specific plugin. Personally, if I was using (or a maintainer of) a dictionary tool which autoreads the clipboard (or any dictionary tool), I'd be checking what it is doing and considering whether it is what I would want to use.

npteljes 6 days ago

For sure. I hope that due to the noise, they finally clean this up for good.

guappa 6 days ago

You basically need to call a vote or ask the tech committee to rule otherwise if the maintainer says it's fine. It's not really a bug if it's an advertised feature you don't like, so the security team cannot do much in theory.