Comment by avhception
1 day ago
While I think the response was not well thought out, it's still a far cry from "proof of malicious intent".
We're not going to agree on that. The response is clearly there to point to a fig leaf instead of saying 'oh, oops, we will make this more obvious in the UI', the software is working as intended: as a way to gain access to more data.
Note that clipboard data can be just about anything and is a valuable dataset, more so if the source of the data isn't aware of being a source, besides, there is no history so you won't even know what you've lost.
He could have claimed lack of awareness until it was brought up. After that that excuse no longer holds.
> it's still a far cry from "proof of malicious intent"
Is the difference meaningful? It’s proof of a value set so different from the community’s as to merit the same response: expulsion.
I disagree; it's basically lawyerspeak for "sucks to be you".
If one is expected to go through all the documentation of both the main package and all dependency packages, and also through whatever specific configuration details to your case, just to be able to catch a specific IMPORTANT detail that's not clearly spelled out in the main package, that's malicious.
"A dependency we use captures your clipboard data and sends it to remote servers"
That sentence right there would kill their userbase, so they omit warning you about it. And on top of the "...user should have read the description..." non-apology, "just split the packages, bro".
That's malicious.
> That sentence right there would kill their userbase
No, it wouldn't. People don't take privacy very seriously.
This is Debian, of course they do.
But it wouldn't kill their userbase because nobody reads the package descriptions anyway.
If this were about a Windows or MacOS program, sure.
The overlap between Linux desktop users and digital privacy concerns is pretty large.
It's clearly a defensive excuse, as it is extremely unrealistic to expect final users to read all the docs of all the dependencies of a Linux distro. It's the responsibility of the maintainer to read the subset of docs relevant to the package(s) they're contributing, not the user's.
It could be that they were caught with their pants down and posted an ill-thought response, but I'd lean strongly towards malice with such a poor defense; it borders on confession. Clipboards are one of the most critical privacy/security features; you don't ever want to leak them unintentionally.
Did we already forget about the XZ Utils backdoor? There have to be multiple efforts to infiltrate backdoors in Linux going right now.
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
We can't afford that level of benefit of the doubt for the people that are supposed to guard us from exactly this kind of bs.
Intent or not, that developer is a risk to the project.
Finally, a rational argument from the torch and pitchfork crowd. Xiao is not taking security sensitivities to heart: HTTP?? To China‽ And a dismissive BS answer.