amiga386 5 days ago

This article smacks of paternalism.

Part of the fun of free software is that it might do terrible things. Debian is not a distro that promises you a walled garden run by an iron-fisted tyrant who beats programmers into submission so they'll respect your privacy.

Nothing in Debian will install StarDict invisibly. Only you install StarDict. Only you run StarDict.

Wayland is not a panacea. If you want StarDict to translate everything you highlight/clip, you will tell Wayland to let StarDict do that. If Wayland can't do that, it's bad, paternalistic software. There is Android and iOS for idiots who want to be bossed around by their device and have no real freedom.

The real problem is these HTTP lookups by default, which is the fault of the packager, and Debian as a whole for not prodding them into fixing it.

This bug was already reported and fixed as CVE-2009-2260. Then StarDict was kicked out of Debian, and when it came back, so did this bug. The most recent re-reporting of this bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806960 raised in 2015) was fixed a few days ago by removing the dict.cn plugin, 2 days after Vincent Lefevre raised this issue on oss-security-list. He also raised CVE-2025-55014 for another dictionary plugin that sends HTTP requests, which has also been fixed by removing that plugin.

Both plugins should be removed from Trixie as of today, and more appropriately, all the "network dictionaries" are now in their own package (stardict-plugin-network-dictionary), not installed by default (stardict-plugin suggests rather than recommends it):

Changelog: https://salsa.debian.org/debian/stardict/-/blob/debian/trixi...

    stardict (3.0.7+git20220909+dfsg-8) unstable; urgency=medium
      * remove stardict_youdaodict.so plugin from stardict-plugin package, Closes: #1110370
      * split network-dictionary plugin to a new binary package stardict-plugin-network-dictionary
      * add d/NEWS.Debian
     -- xiao sheng wen <atzlinux@sina.com>  Mon, 11 Aug 2025 10:46:11 +0800
    stardict (3.0.7+git20220909+dfsg-7) unstable; urgency=medium
      * d/stardict-plugin.install:not install stardict_dictdotcn.so, Closes: #806960
      * d/rules:Added --disable-dictdotcn option, dictdotcn is not provid server now
     -- xiao sheng wen <atzlinux@sina.com>  Wed, 06 Aug 2025 14:09:39 +0800

Control: https://salsa.debian.org/debian/stardict/-/blob/debian/trixi...

    Package: stardict-plugin-network-dictionary
    Description: [...]
     *Warning*
      * The query word will send through the network use plain-text in this plugin!
      * Please do *NOT* selects any confidential data to query dictionary
      * When enable "Scan" function on stardict, the selected text will sended on the net at once.

    Package: stardict-plugin
    Suggests: [...]
     stardict-plugin-network-dictionary (= ${binary:Version}),
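
Added example, not part of the comment above and not Debian's own tooling: a shell check that compares installed StarDict packages with the two changelog entries quoted above. The function name, the output tokens and the sample lines are assumptions made for illustration, and revisions are only judged for the upstream version string shown in the changelog.

```shell
#!/bin/sh
# Reads "package version status" lines, the assumed output of:
#   dpkg-query -W -f='${Package} ${Version} ${db:Status-Abbrev}\n' 'stardict*'
# and reports where the system stands relative to revisions -7 and -8.
audit_stardict() {
    awk -v base='3.0.7+git20220909+dfsg' '
    $3 !~ /^ii/ { next }    # skip removed or half-installed packages
    $1 == "stardict-plugin-network-dictionary" { net = 1 }
    $1 == "stardict-plugin" {
        n = length(base)
        if (substr($2, 1, n + 1) == (base "-")) {
            rev = substr($2, n + 2) + 0    # numeric prefix of the Debian revision
            if (rev < 7) dictcn = 1        # -7 stopped installing stardict_dictdotcn.so
            if (rev < 8) youdao = 1        # -8 removed stardict_youdaodict.so
        } else {
            other = 1                      # different upstream version: no claim made
        }
    }
    END {
        if (dictcn) print "pre-dictdotcn-removal"
        if (youdao) print "pre-youdaodict-removal"
        if (net)    print "network-dictionary-installed"
        if (other)  print "version-not-covered"
        if (!dictcn && !youdao && !net && !other) print "ok"
    }'
}

# Constructed sample input, not captured from a real system.
SAMPLE='stardict-plugin 3.0.7+git20220909+dfsg-7 ii
stardict-plugin-network-dictionary 3.0.7+git20220909+dfsg-8 rc
stardict-common 3.0.7+git20220909+dfsg-7 ii'

printf '%s\n' "$SAMPLE" | audit_stardict
```

On a real system, pipe the `dpkg-query` command from the header comment into `audit_stardict` instead of the sample.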

anonymars 5 days ago | parent [-]

> Part of the fun of free software is that it might do terrible things

Yeah you lost me here

amiga386 5 days ago | parent [-]

Freedom is the freedom to say rm -rf /* and accept the consequences.

If you want to give someone else control over what you can and can't do with your machine, iOS is over there -->

anonymars 5 days ago | parent [-]

False dichotomy.

Why should I expect that merely installing a dictionary will silently opt me in to sending everything in my clipboard to some third party?

You don't need some strawman tyrant to want it to require a user opt-in if that's what you really want to do

amiga386 5 days ago | parent [-]

You can expect that any software might do anything, either because of a bug or because it's intentional, and you won't know until you see it happen. It's why the major FOSS licenses say things like THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

You can want software to be well behaved, and in most cases it is. But if you want some level of assurance that the software is behaved as you'd like it, some requirement in law that the software is not allowed to exist unless it meets your requirements, or the platform it runs on is neutered so it literally can't do the thing you don't want it to do -- that's where the tyrant comes in.

anonymars 5 days ago | parent [-]

Again, false dichotomy. If Debian's maintainers don't put things in the package manager with dodgy behavior, that's not a walled garden like iOS

Not having to check your cereal for razor blades is also a freedom

amiga386 5 days ago | parent [-]

You're asking Debian to check out all aspects of a program and hold them liable if it does something you don't like, or their volunteers do something you don't like.

That's not what Debian is doing. Debian is asking for volunteers to package the world's free software, also written by volunteers. They have their own checklists, your "dodgy behaviour" concerns aren't on it. Confirming the software meets your expectations depends on you evaluating it. If it doesn't, you can then volunteer your time to write them a bug report, which they might or might not accept and fix.

anonymars 5 days ago | parent [-]

They did. The article exists. The package manager behavior was changed accordingly. It doesn't automatically include that plug-in. My understanding was you scoffed at the "paternalism" and said part of the fun is that there might be terrible behaviors. Others disagree.

amiga386 5 days ago | parent [-]

Indeed there were terrible behaviours, and they were fixed. My scoffing is at people who believe these behaviours should never have happened, or it shouldn't be possible.

Unless there is an omnipotent tyrant, there will be the possibility that you encounter terrible behaviours, and the possibility that those who could fix them, don't. You can try advocating to the maintainer that they should fix it, you can even try leading a campaign against the maintainer. If they still disagree, you can fix it yourself, with the source they gave you, and you can publicise your fixed version, which people might adopt over the other version if enough people agree with you. That is the fun!