
Comment by themafia

8 hours ago

> Part of the justification for moving to Wayland over X11 is to make security vulnerabilities relating to one application spying on another more difficult to introduce.

Yea, because, how else am I going to run shady poorly maintained dictionary software that ignores system settings from a hostile country? What kind of world are we living in with X11?!

The software could just as well hook into your downloads folder and transparently "translate" any downloaded text or PDF file for you. In which case the method by which pixels arrive on your screen would not be relevant.

How is this an X11 vs Wayland issue and not a distribution hygiene issue? Why is this package even a part of the distribution? In the desire to force one desktop system to stop existing, for whatever reason, I think they've missed the broader point.

> The software could just as well hook into your downloads folder

Correct, which is why Wayland is only one piece in improving security; you still need proper sandboxing.

  • By the time you have something that allows you to safely run malware you have a usability nightmare.

I agree with you, this is not an X11 issue, it's a "why are we letting software like this in the repository" issue. The kind of lax attitude towards security I'd expect from a random AUR package, not in the Debian repo.

You basically need to call a vote or ask the tech committee to rule otherwise if the maintainer says it's fine.

It's not really a bug if it's an advertised feature you don't like, so the security team cannot do much in theory.