avhception 6 days ago

While I think the response was not well thought out, it's still a far cry from "proof of malicious intent".

jacquesm 6 days ago | parent | next [-]

We're not going to agree on that. The response is clearly there to point to a fig leaf instead of saying 'oh, oops, we will make this more obvious in the UI'; the software is working as intended: as a way to gain access to more data.

Note that clipboard data can be just about anything and is a valuable dataset, more so if the source of the data isn't aware of being a source. Besides, there is no history, so you won't even know what you've lost.

rapiz 8 hours ago | parent | next [-]

And yes, that IS the expected behavior.

Select to translate is almost a standard feature for translation software. Not sure if the situation is better now, but back when the software was written, using the clipboard as temporary storage was a very robust and maybe the only way to implement such a feature.

Trivia: It's likely sending Ctrl+C and reading clipboard to get the selected text. No easy cross-platform API for this lol.

Also note that the software is very old and poorly maintained.
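The mechanism rapiz describes (synthesise Ctrl+C, read the clipboard, ship the result to the translator) has a failure mode worth seeing in code: if the synthetic copy does not land, the stale clipboard contents are what get sent. The following is an added example, not code from the software being discussed or from any poster; it models the desktop, clipboard and remote call with constructed stand-ins so it runs offline, and contrasts the naive pattern with a guarded variant that snapshots the clipboard, uses a sentinel to verify the copy happened, and restores the original contents afterwards. The names `FakeClipboard`, `FakeDesktop` and `fake_translate` are assumptions for this demonstration only.

```python
"""Clipboard-as-scratch-space 'select to translate', modelled offline.

Everything here is a constructed stand-in: no real clipboard, key injection
or network call is made. The point is to show what leaves the host.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FakeClipboard:
    """Stand-in for the system clipboard (constructed for this example)."""
    content: str = ""

    def get(self) -> str:
        return self.content

    def set(self, text: str) -> None:
        self.content = text


@dataclass
class FakeDesktop:
    """Simulated desktop: the current selection plus a clipboard."""
    clipboard: FakeClipboard
    selection: Optional[str] = None  # None = nothing selected / copy unsupported

    def send_ctrl_c(self) -> None:
        # Mirrors injecting Ctrl+C: only copies when there is a selection
        # the focused widget is willing to copy. Otherwise nothing changes.
        if self.selection is not None:
            self.clipboard.set(self.selection)


# Records every string that would have been sent to the remote translator.
sent: List[str] = []


def fake_translate(text: str) -> str:
    """Stand-in for the remote translation request (assumption, not a real API)."""
    sent.append(text)
    return f"<translated:{text}>"


def naive_select_to_translate(desk: FakeDesktop) -> str:
    """The pattern from the thread: inject Ctrl+C, read the clipboard, send it.

    Whatever is in the clipboard after the key press is sent, whether or not
    the copy actually happened, and the user's previous clipboard is clobbered.
    """
    desk.send_ctrl_c()
    return fake_translate(desk.clipboard.get())


def careful_select_to_translate(desk: FakeDesktop) -> Optional[str]:
    """Same trick with guards: snapshot, sentinel, verify, restore."""
    saved = desk.clipboard.get()
    sentinel = "\0select-to-translate-sentinel\0"
    desk.clipboard.set(sentinel)
    try:
        desk.send_ctrl_c()
        grabbed = desk.clipboard.get()
        if grabbed == sentinel:
            return None  # the copy did not land; send nothing
        return fake_translate(grabbed)
    finally:
        desk.clipboard.set(saved)  # never leave the user's clipboard clobbered


def run_scenario(initial_clipboard: str, selection: Optional[str],
                 careful: bool) -> Tuple[Optional[str], List[str], str]:
    """Run one variant and report (result, strings sent, final clipboard)."""
    desk = FakeDesktop(FakeClipboard(initial_clipboard), selection)
    sent.clear()
    fn = careful_select_to_translate if careful else naive_select_to_translate
    result = fn(desk)
    return result, list(sent), desk.clipboard.get()


if __name__ == "__main__":
    # Constructed input: a password sits in the clipboard and nothing is selected.
    print("naive:  ", run_scenario("hunter2", None, careful=False))
    print("careful:", run_scenario("hunter2", None, careful=True))
```

With nothing selected, the naive variant sends the password already in the clipboard; the guarded one sends nothing. With text selected, both send the selection, but only the guarded one leaves the user's original clipboard intact. On X11 the selected text is also available as the PRIMARY selection, which avoids touching the clipboard at all, but that is platform-specific and is not what the thread describes.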

okasaki 6 days ago | parent | prev | next [-]

[flagged]

jona-f 6 days ago | parent | prev [-]

[flagged]

jacquesm 5 days ago | parent [-]

He could have claimed lack of awareness until it was brought up. After that that excuse no longer holds.

lyu07282 5 days ago | parent [-]

No they could still be just incompetent/negligent rather than malicious. You also forget that they aren't running the translation services, they don't get any data, that's a separate third party you'd have to believe are in on it too. The more important question is if debian is gonna gkick them for it (they should).

jacquesm 5 days ago | parent [-]

That's a separate third party, with which they can be in cahoots, in fact it may not be that they are 'in on it too', it could well be that they are in fact the originators and sponsors of the way this works. Anyway, regardless of who is the culprit it is clear that the response spells 'wont fix' and that translates (in my book at least, pun intended) into 'works as intended'.

ASalazarMX 5 days ago | parent | prev | next [-]

It's clearly a defensive excuse, as it is extremely unrealistic to expect final users to read all the docs of all the dependencies of a Linux distro. It's the responsibility of the maintainer to read the subset of docs relevant to the package(s) they're contributing, not the user's.

It could be that they were caught with their pants down and posted an ill-thought-out response, but I'd lean strongly towards malice with such a poor defense; it borders on confession. Clipboards are one of the most critical privacy/security features; you don't ever want to leak them unintentionally.

Did we already forget about the XZ Utils backdoor? There have to be multiple efforts to infiltrate backdoors in Linux going right now.

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

Telaneo 4 days ago | parent [-]

> It's the responsibility of the maintainer to read the subset of docs relevant to the package(s) they're contributing, not the user's.

I agree a lot with this. You're supposed to trust your distribution's packages. If you can't trust your distro, who can you trust? If you don't, find one you do trust, as that's a viable alternative. If none are trustworthy to you, then the only real option is to become your own package maintainer and have fun with Linux From Scratch.

rangerelf 5 days ago | parent | prev | next [-]

I disagree; it's basically lawyerspeak for "sucks to be you".

If one is expected to go through all the documentation of both the main package and all dependency packages, and also through whatever specific configuration details to your case, just to be able to catch a specific IMPORTANT detail that's not clearly spelled out in the main package, that's malicious.

"A dependency we use captures your clipboard data and sends it to remote servers"

That sentence right there would kill their userbase, so they omit warning you about it. And on top of the "...user should have read the description..." non-apology, "just split the packages, bro".

That's malicious.

sejje 5 days ago | parent [-]

> That sentence right there would kill their userbase

No, it wouldn't. People don't take privacy very seriously.

devmor 5 days ago | parent | next [-]

If this were about a Windows or MacOS program, sure.

The overlap between Linux desktop users and digital privacy concerns is pretty large.

bornfreddy 5 days ago | parent | prev [-]

This is Debian, of course they do.

But it wouldn't kill their userbase because nobody reads the package descriptions anyway.

JumpCrisscross 5 days ago | parent | prev | next [-]

> it's still a far cry from "proof of malicious intent"

Is the difference meaningful? It’s proof of a value set so different from the community’s as to merit the same response: expulsion.

dotancohen 4 days ago | parent [-]

> Is the difference meaningful? It’s proof of a value set so different from the community’s as to merit the same response: expulsion.

We expel people for different values now? I'm not Christian, should I be expelled?

Is there a defined set of values that one must uphold, or at least believe in theoretically, to be a welcome member?

JumpCrisscross a day ago | parent [-]

> We expel people for different values now?

Yes, that's what core values mean. If they're not embraced by everyone, they cease to be core.

If X11 tolerates developers who think piping data unseen to remote servers is okay, the project as a whole ceases to be trustworthy.

> I'm not Christian, should I be expelled?

From a listserv? No. From, like, a religious group? Maybe.

account42 6 days ago | parent | prev [-]

We can't afford that level of benefit of the doubt for the people that are supposed to guard us from exactly this kind of bs.

Intent or not, that developer is a risk to the project.

vpribish 5 days ago | parent [-]

Finally, a rational argument from the torch and pitchfork crowd. Xiao is not taking security sensitivities to heart: HTTP?? To China‽ And a dismissive BS answer.