
Comment by amiga386

6 months ago

This article smacks of paternalism.

Part of the fun of free software is that it might do terrible things. Debian is not a distro that promises you a walled garden run by an iron-fisted tyrant who beats programmers into submission so they'll respect your privacy.

Nothing in Debian will install StarDict invisibly. Only you install StarDict. Only you run StarDict.

Wayland is not a panacea. If you want StarDict to translate everything you highlight/clip, you will tell Wayland to let StarDict do that. If Wayland can't do that, it's bad, paternalistic software. There is Android and iOS for idiots who want to be bossed around by their device and have no real freedom.

The real problem is these HTTP lookups by default, which is the fault of the packager, and Debian as a whole for not prodding them into fixing it.

This bug was already reported and fixed as CVE-2009-2260. Then StarDict was kicked out of Debian, and when it came back, so did this bug. The most recent re-reporting of this bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806960 raised in 2015) was fixed a few days ago by removing the dict.cn plugin, 2 days after Vincent Lefevre raised this issue on oss-security-list. He also raised CVE-2025-55014 for another dictionary plugin that sends HTTP requests, which has also been fixed by removing that plugin.

Both plugins should be removed from Trixie as of today, and more appropriately, all the "network dictionaries" are now in their own package (stardict-plugin-network-dictionary), not installed by default (stardict-plugin suggests rather than recommends it):

Changelog: https://salsa.debian.org/debian/stardict/-/blob/debian/trixi...

    stardict (3.0.7+git20220909+dfsg-8) unstable; urgency=medium
      * remove stardict_youdaodict.so plugin from stardict-plugin package, Closes: #1110370
      * split network-dictionary plugin to a new binary package stardict-plugin-network-dictionary
      * add d/NEWS.Debian
     -- xiao sheng wen <atzlinux@sina.com>  Mon, 11 Aug 2025 10:46:11 +0800
    stardict (3.0.7+git20220909+dfsg-7) unstable; urgency=medium
      * d/stardict-plugin.install:not install stardict_dictdotcn.so, Closes: #806960
      * d/rules:Added --disable-dictdotcn option, dictdotcn is not provid server now
     -- xiao sheng wen <atzlinux@sina.com>  Wed, 06 Aug 2025 14:09:39 +0800

Control: https://salsa.debian.org/debian/stardict/-/blob/debian/trixi...

    Package: stardict-plugin-network-dictionary
    Description: [...]
     *Warning*
      * The query word will send through the network use plain-text in this plugin!
      * Please do *NOT* selects any confidential data to query dictionary
      * When enable "Scan" function on stardict, the selected text will sended on the net at once.

    Package: stardict-plugin
    Suggests: [...]
     stardict-plugin-network-dictionary (= ${binary:Version}),

> Part of the fun of free software is that it might do terrible things

Yeah you lost me here

  • Freedom is the freedom to say rm -rf /* and accept the consequences.

    If you want to give someone else control over what you can and can't do with your machine, iOS is over there -->

    • False dichotomy.

      Why should I expect that merely installing a dictionary will silently opt me in to sending everything in my clipboard to some third party?

      You don't need some strawman tyrant to want it to require a user opt-in if that's what you really want to do.
