Comment by sugarpimpdorsey
8 hours ago
> In response, Xiao pointed out that the package description can be read by any user who chooses to install the software, and it does mention the scan feature.
Wouldn't be the first (or last) time a Debian maintainer has pulled the "you should read the descriptions of all (hundreds) of your packages (most installed as dependencies)" card in response to a bug report.
If someone started reading all the package descriptions and READMEs we're meant to be thoroughly familiar with when Trixie was released a few days ago, they'd still be reading them.
“the plans and the demolition orders have been on display at the local planning office on Alpha Centauri for fifty of your Earth years. If you can't be bothered to take an interest in local affairs...”
https://www.youtube.com/watch?v=Z1Ba4BbH0oY
For the uninformed: this is a quote from The Hitchhiker's Guide to the Galaxy.
Thanks for giving the reference right here. I should have in addition to the link!
If someone above 20 needs that explanation, one should be worried about them.
You mean, for those who couldn't be bothered to click the link under a joke.
> If someone started reading all the package descriptions and READMEs we're meant to be thoroughly familiar with when Trixie was released a few days ago, they'd still be reading them.
That used to be viable back in the late 1990s and early 2000s when I first used Debian. It would take an afternoon of going through all the packages in dselect (does anyone here still remember dselect?) and marking the ones you wanted to install, and around the same amount of time going through every option on the kernel's menuconfig to precisely tailor the kernel to your specific hardware configuration (things were much less dynamic back then).
Nowadays, there are simply too many packages and kernel configuration options to go through (also, does anyone still use dselect?).
Such responses to me are proof of malicious intent.
While I think the response was not well thought out, it's still a far cry from "proof of malicious intent".
We're not going to agree on that. The response is clearly there to point to a fig leaf instead of saying 'oh, oops, we will make this more obvious in the UI'; the software is working as intended: as a way to gain access to more data.
Note that clipboard data can be just about anything and is a valuable dataset, more so if the source of the data isn't aware of being a source. Besides, there is no history, so you won't even know what you've lost.
> it's still a far cry from "proof of malicious intent"
Is the difference meaningful? It’s proof of a value set so different from the community’s as to merit the same response: expulsion.
We can't afford that level of benefit of the doubt for the people that are supposed to guard us from exactly this kind of bs.
Intent or not, that developer is a risk to the project.
Hanlon's razor applies here, I think. It's just ignorance, not malice. I doubt the maintainer has a connection to, or was pressured by, these two random dictionary websites to include this, nor do I think that they gain any advantage from it.
People need to be on the lookout though, the xz incident showed that FOSS is indeed vulnerable.
I think Hanlon's razor is outdated. Plausible deniability is the new meta. On top of that, the maintainer seems intent on not fixing the problem.
But it cannot be adequately attributed to ignorance, so no, Hanlon's razor does not apply. There is an obvious security breach.
Sufficiently advanced ignorance is indistinguishable from malice.
(but malware authors usually cover their tracks better)
> pressured
Maybe incentivized? $1000? $10000? Would be interesting to hear from the developer himself.
Willful negligence is, at some point, malicious.
Why can't reasonable people disagree here? Surely the utility of some features might outweigh the security concerns for some people. Making features opt-in instead of opt-out significantly changes their discoverability and usage metrics. On the whole, a translation system that has a feature to translate selected text seems hardly surprising. Similarly, using an online service to improve translation quality and reduce local resource usage also seems reasonable.
Fundamentally, always-online, home-phoning features are the norm, and it should be up to OS distributions to manage security postures such as allowlists for network access. Think something along the lines of "StarDict wants to connect to dict.cn. Allow/Deny?".
Such a response is not considered a valid defence under GDPR. You cannot sign away your right to privacy any more than you can sign away your right to life.
> You cannot sign away your right to privacy any more than you can sign away your right to life
You can literally do both in the EU with informed consent.
I agree. If in 2025 people don't understand that sending plaintext user data to places on the net is bad, they should not write code nor be maintainers of OSS software -_-.
How many times does everyone need to be totally compromised by some shitty software before people start to care?
Innocent individuals each day are suffering hacks and malicious interactions. People are losing their livelihoods. Companies are getting shut down... what more needs to happen?? :S
Malicious intent written in the package description? I would think that really unlikely.
I think it's just a cultural difference. Sogou, a super popular Chinese input program for Windows, iOS and Android, does the same with everything you type and nobody cares.
I'd say that having terms of service that document your shady behavior whilst at the same time not making this obvious in the UI in any way is a tried and true (corporate) malware pattern.
Just because Microsoft did it, that doesn't make it a valid defense; in fact it shows the opposite (after all, they too did not have the best interests of their users at heart). Given that the recipient of the data sits on the other side of the GFW and that clipboards can contain very interesting data, you really should wonder about the intentions of the author; they do not get the benefit of the doubt. In fact, open source software that to all intents and purposes looks like it runs locally but pumps your (private) data out without your consent is a very large red flag to me: it gains access to data that otherwise likely would never be found in the wild. At a minimum this is a fairly serious GDPR violation.
I think so too. It's a cultural difference, and ignorance at most. I doubt the maintainer has control over those two random dictionary websites, or was tasked by them to do this or anything like that. They are just a different person, and they didn't give a fuck.
There are dozens of Chrome extensions that translate (read: submit to an untrusted server) on hover / highlight / context menu / textarea edit / etc. It is implied that the user acknowledges this functionality and accepts the risk. This includes the untrusted server (because that's how they proxy requests to Google/Bing/Yandex Translate without exposing API keys).
Security illiteracy? Yes. Malicious intent? Probably no.
Does being security illiterate equal malicious? Debatable.
No reasonable person expects privacy when using Google and/or Google provided products / software.
When you use Debian, you have a reasonable expectation of privacy.
People who handwave that away or say it's not as bad as something else either have an agenda or are ignorant about the history of Debian.
Not sure if I would call it malicious but I would call it gross negligence.
A moderately popular Chrome extension is frequently bought for tens of thousands of dollars for various purposes, frequently malware injection. They contact extension makers.
I think the bar for trust in terms of evil intent is on the floor.
>Security illiteracy? Yes.
Security illiteracy is admitting you were wrong and changing it when somebody points it out.
>Malicious intent? Probably no.
Are you graciously making excuses for malicious intent without considering all the facts? Probably yes.
>Does being security illiterate equal malicious? Debatable.
Refusal to admit there is a problem and fix it, or carrying the water for people who refuse to admit they made a mistake, is deliberate maliciousness, not security illiteracy. Not debatable.
I install stuff from Debian's repos for 2 reasons: convenience & trust. And while people do complain when maintainers modify packages' behavior, I think people would rather have the "send my clipboard contents to someone else" feature be opt-in, instead of having their trust violated!
If this level of modification is required for a package to fit in with the distro's philosophy, maybe better not to include it at all.
Also, someone looked at the package and the description, that is why this issue has been raised.
I do agree with your point, especially when it is not the first time a package maintained by that guy exhibits unexpected behavior, like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010165 (Inappropriate package, modifies other package's (conf) files, should be removed from archive).
That doesn’t even address the problem! The package description does mention the scan feature, but not the automatically-send-it-to-a-server-in-plain-text feature.
Sure, if you read the description and the list of plugins and correctly guess how this plugin is implemented, then you can deduce some of it.
"RTFM!" comments come in flavors and bear nuances. In this case, as another commenter has pointed out, the answer smells fishy.
I have been told to "RTFM!" countless times in many places. Some of them were legitimately the correct answer in that context, in hindsight. Some were knee-jerk reactions like this.
Debian's discussion culture might be a little edgy sometimes, but this has nothing to do with Debian.
Except that the description does not tell you that it ships off your clipboard unencrypted to Chinese servers.
You're fired!
Trump launched an Apprentice-themed LLM? le sigh…