We're not going to agree on that. The response is clearly there to point to a fig leaf instead of saying 'oh, oops, we will make this more obvious in the UI', the software is working as intended: as a way to gain access to more data.

Note that clipboard data can be just about anything and is a valuable dataset, more so if the source of the data isn't aware of being a source, besides, there is no history so you won't even know what you've lost.

It's clearly a defensive excuse, as it is extremely unrealistic to expect final users to read all the docs of all the dependencies of a Linux distro. It's the responsibility of the maintainer to read the subset of docs relevant to the package(s) they're contributing, not the user's.

It could be that they were caught with their pants down and posted an ill-thought response, but I'd lean strongly towards malice with such a poor defense, it borders on confession. Clipboards are one of the most critical privacy/security features, you don't ever want to leak them unintentionally.

Did we already forget about the XZ Utils backdoor? There have to be multiple efforts to infiltrate backdoors in Linux going right now.

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

I disagree; it's basically lawyerspeak for "sucks to be you".

If one is expected to go through all the documentation of both the main package and all dependency packages, and also through whatever specific configuration details to your case, just to be able to catch a specific IMPORTANT detail that's not clearly spelled out in the main package, that's malicious.

"A dependency we use captures your clipboard data and sends it to remote servers"

That sentence right there would kill their userbase, so they omit warning you about it. And on top of the "...user should have read the description..." non-apology, "just split the packages, bro".

That's malicious.

> it's still a far cry from "proof of malicious intent"

Is the difference meaningful? It’s proof of a value set so different from the community’s as to merit the same response: expulsion.

We can't afford that level of benefit of the doubt for the people that are supposed to guard us from exactly this kind of bs.

Intent or not, that developer is a risk to the project.

I think Hanlon's razor is outdated. Plausible deniability is the new meta. On top of that, the maintainer seems intent on not fixing the problem.

But it cannot be adequately attributed to ignorance, so no, Hanlon's razor does not apply. There is an obvious security breach.

Sufficiently advanced ignorance is indistinguishable from malice.

(but malware authors usually cover their tracks better)

guy works for a Chinese media company and he's essentially trying to slip a backdoor into Debian systems.

malice & typical CCP behavior IMHO. The responses from the maintainer are unacceptable and he should have his privileges stripped

> pressured

Maybe incentivized? $1000? $10000? Would be interesting to hear from the developer himself.

Willful negligence is, at some point, malicious.

No. The simplest answer is that they’re deliberately and maliciously exfiltrating data. The other explanation requires more hoops.

> Think something along the lines of "StarDict wants to connect to dict.cn. Allow/Deny?".

That is what opensnitch provides, as do some other detection tools.

https://wiki.debian.org/PrivacyIssues#Detection_tools

> Why can't reasonable people disagree here?

They can, but framing this as a mere disagreement is disingenuous: One approach might slightly inconvenience someone, while the other (as was taken here) inflicts irreparable damage.

> Fundamentally, always-online, home-phoning features are the norm,

No. Although common on certain platforms, they are not a fundamental norm in software, nor should they be.

In particular, we're talking about Debian here.

A moderately popular Chrome extension is frequently bought for tens of thousands of dollars for various purposes, frequently malware injection. They contact extension makers.

I think the bar for trust in terms of evil intent is on the floor.

No reasonable person expects privacy when using Google and/or Google provided products / software.

When you use Debian, you have a reasonable expectation of privacy.

People who handwave that away or say it's not as bad as something else either have an agenda or are ignorant about the history of Debian.

Not sure if I would call it malicious but I would call it gross negligence.

[flagged]

> You cannot sign away your right to privacy any more than you can sign away your right to life

You can literally do both in the EU with informed consent.

> i agree. if in 2025 ppl dont understand plaintext of user data to places on the net is bad, they should not write code nor be maintainers of oss software -_-.

LLMs are only going to make this worse. We're going to see a plethora of vibe coded slop everywhere.

I'd say that having terms of service that document your shady behavior whilst at the same time not making this obvious in the UI in any way is a tried and true (corporate) malware pattern.

Just because Microsoft did it that doesn't make it a valid defense, in fact it shows the opposite (after all, they too did not have the best interests of their users at heart). The fact that the recipient of the data sits on the other side of the GFW and that clipboards can contain very interesting data you really should wonder about the intentions of the author, they do not get the benefit of the doubt. In fact, open source software that to all intents and purposes looks like it runs locally but pumps your (private) data out without your consent is a very large red flag to me: it gains access to data that otherwise likely would never be found in the wild. At a minimum this is a fairly serious GDPR violation.

I think so too. It's cultural difference, and ignorance at most. I doubt the maintainer has control over that two random dictionary websites, or was tasked by them to do this or anything like that. They are just a different person, and they didn't give a fuck.