Comment by avhception

6 months ago

While I think the response was not well thought out, it's still a far cry from "proof of malicious intent".

We're not going to agree on that. The response is clearly there to point to a fig leaf instead of saying 'oh, oops, we will make this more obvious in the UI'; the software is working as intended: as a way to gain access to more data.

Note that clipboard data can be just about anything and is a valuable dataset, more so if the source of the data isn't aware of being a source. Besides, there is no history, so you won't even know what you've lost.

  • And yes, that IS the expected behavior.

    Select to translate is almost a standard feature for translation software. Not sure if the situation gets better now, but back when the software was written, using the clipboard as temporary storage was a very robust and maybe the only way to implement such a feature.

    Trivia: It's likely sending Ctrl+C and reading clipboard to get the selected text. No easy cross-platform API for this lol.

    Also note that the software is very old and poorly maintained.

It's clearly a defensive excuse, as it is extremely unrealistic to expect final users to read all the docs of all the dependencies of a Linux distro. It's the responsibility of the maintainer to read the subset of docs relevant to the package(s) they're contributing, not the user's.

It could be that they were caught with their pants down and posted an ill-thought response, but I'd lean strongly towards malice with such a poor defense; it borders on confession. Clipboards are one of the most critical privacy/security features; you don't ever want to leak them unintentionally.

Did we already forget about the XZ Utils backdoor? There have to be multiple efforts to infiltrate backdoors in Linux going right now.

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

  • > It's the responsibility of the maintainer to read the subset of docs relevant to the package(s) they're contributing, not the user's.

    I agree a lot with this. You're supposed to trust your distribution's packages. If you can't trust your distro, who can you trust? If you don't, find one you do trust, as that's a viable alternative. If none are trustworthy to you, then the only real option is to become your own package maintainer and have fun with Linux From Scratch.

I disagree; it's basically lawyerspeak for "sucks to be you".

If one is expected to go through all the documentation of both the main package and all dependency packages, and also through whatever configuration details are specific to your case, just to be able to catch a specific IMPORTANT detail that's not clearly spelled out in the main package, that's malicious.

"A dependency we use captures your clipboard data and sends it to remote servers"

That sentence right there would kill their userbase, so they omit warning you about it. And on top of the "...user should have read the description..." non-apology, "just split the packages, bro".

That's malicious.

  • > That sentence right there would kill their userbase

    No, it wouldn't. People don't take privacy very seriously.

    • If this were about a Windows or MacOS program, sure.

      The overlap between Linux desktop users and digital privacy concerns is pretty large.

    • This is Debian, of course they do.

      But it wouldn't kill their userbase because nobody reads the package descriptions anyway.

> it's still a far cry from "proof of malicious intent"

Is the difference meaningful? It’s proof of a value set so different from the community’s as to merit the same response: expulsion.

  • > Is the difference meaningful? It’s proof of a value set so different from the community’s as to merit the same response: expulsion.

    We expel people for different values now? I'm not Christian, should I be expelled?

    Is there a defined set of values that one must uphold, or at least believe in theoretically, to be a welcome member?

    • > We expel people for different values now?

      Yes, that's what core values mean. If they're not embraced by everyone, they cease to be core.

      If X11 tolerates developers who think piping data unseen to remote servers is okay, the project as a whole ceases to be trustworthy.

      > I'm not Christian, should I be expelled?

      From a listserv? No. From, like, a religious group? Maybe.

We can't afford that level of benefit of the doubt for the people that are supposed to guard us from exactly this kind of bs.

Intent or not, that developer is a risk to the project.

  • Finally, a rational argument from the torch and pitchfork crowd. Xiao is not taking security sensitivities to heart: HTTP?? To China‽ And a dismissive BS answer.