> In response, Xiao pointed out that the package description can be read by any user who chooses to install the software, and it does mention the scan feature.
Wouldn't be the first (or last) time a Debian maintainer has pulled the "you should read the descriptions of all (hundreds) of your packages (most installed as dependencies)" card in response to a bug report.
If someone started reading all the package descriptions and READMEs we're meant to be thoroughly familiar with when Trixie was released a few days ago, they'd still be reading them.
jraph 4 hours ago [-]
“the plans and the demolition orders have been on display at the local planning office on Alpha Centauri for fifty of your Earth years. If you can't be bothered to take an interest in local affairs...”
For the uninformed: this is a quote from The Hitchhiker's Guide to the Galaxy.
wolfi1 2 hours ago [-]
If someone above 20 needs that explanation, one should be worried about them.
voidUpdate 1 hours ago [-]
There are probably a non-zero number of people older than 20 who have not read The Hitchhiker's Guide, or don't recall some parts of it. For example, me.
Insanity 4 minutes ago [-]
Same here! Last time I read the books is about 17 years ago, and definitely didn’t remember that.
folkrav 17 minutes ago [-]
I’ve read this book exactly once, in my second language (English), 20 something years ago. Guess that makes me worrisome.
blendergeek 15 minutes ago [-]
That simply makes them one of today's lucky 10,000
You mean, for those who couldn't be bothered to click the link under a joke.
Y-bar 1 hours ago [-]
I understood the reference, but I’m also on a limited mobile plan at the moment and would absolutely not click on a YT or similar link.
In other words might have appreciated the explanation.
jacquesm 6 hours ago [-]
Such responses to me are proof of malicious intent.
avhception 5 hours ago [-]
While I think the response was not well thought out, it's still a far cry from "proof of malicious intent".
jacquesm 5 hours ago [-]
We're not going to agree on that. The response is clearly there to point to a fig leaf instead of saying 'oh, oops, we will make this more obvious in the UI', the software is working as intended: as a way to gain access to more data.
Note that clipboard data can be just about anything and is a valuable dataset, more so if the source of the data isn't aware of being a source, besides, there is no history so you won't even know what you've lost.
okasaki 4 hours ago [-]
[flagged]
jona-f 4 hours ago [-]
Nice, what a paradox. You are exactly displaying the lack of empathy that leads to answers like these being not necessarily malicious. There are many people who are so absorbed in their stuff that they lose common sense. I would even go so far as to say this is a general feature of the human condition. Call it toxic and I agree, but malice assumes an awareness that is often lacking.
jacquesm 2 hours ago [-]
He could have claimed lack of awareness until it was brought up. After that that excuse no longer holds.
lyu07282 2 hours ago [-]
No they could still be just incompetent/negligent rather than malicious. You also forget that they aren't running the translation services, they don't get any data, that's a separate third party you'd have to believe are in on it too. The more important question is if debian is gonna gkick them for it (they should).
jacquesm 32 minutes ago [-]
That's a separate third party, with which they can be in cahoots; in fact it may not be that they are 'in on it too', it could well be that they are in fact the originators and sponsors of the way this works. Anyway, regardless of who is the culprit, it is clear that the response spells 'won't fix' and that translates (in my book at least, pun intended) into 'works as intended'.
JumpCrisscross 1 hours ago [-]
> it's still a far cry from "proof of malicious intent"
Is the difference meaningful? It’s proof of a value set so different from the community’s as to merit the same response: expulsion.
account42 5 hours ago [-]
We can't afford that level of benefit of the doubt for the people that are supposed to guard us from exactly this kind of bs.
Intent or not, that developer is a risk to the project.
npteljes 4 hours ago [-]
Hanlon's razor applies here, I think. It's just ignorance, not malice. I doubt the maintainer has connection, or was pressured by these two random dictionary websites to include this - nor do I think that they gain any advantage of it.
People need to be on the lookout though, the xz incident showed that FOSS is indeed vulnerable.
poemxo 4 hours ago [-]
I think Hanlon's razor is outdated. Plausible deniability is the new meta. On top of that, the maintainer seems intent on not fixing the problem.
guappa 58 minutes ago [-]
Can the problem be fixed without making the software useless?
npteljes 27 minutes ago [-]
Absolutely. In my understanding and approach, it would need two smaller modifications:
1. making "scanning" (the clipboard capturing feature) opt-in, with a huge notification of the implications
2. disabling the English-Chinese online translation plugin by default
jacquesm 36 minutes ago [-]
Sure. We've had dictionary software for decades.
This whole trend of adding a service to stuff that doesn't need a service is very annoying.
npteljes 3 hours ago [-]
I think that in today's polarized world, it's very much needed. I think we need to look at each other's fallibilities and failures, and not hate each other for it. But the issue needs to be taken care of, especially since it's been known since 2009. It's ridiculous that everyone let it fly for so long.
jeltz 2 hours ago [-]
Yes, but it is a tricky situation when a common tactic is to pretend to be ignorant, for example by "just asking questions". We need more patience and respect in this polarized world, but at the same time there is a minority of malicious actors who intentionally abuse any assumption of good faith given.
npteljes 1 hours ago [-]
Yeah, I agree, it's tricky. And besides, the clipboard leak should be fixed for sure, malice or not. It's strange that it has been known for so long.
DonHopkins 2 hours ago [-]
Oh sure, the maintainer refuses to fix the problem because he's ignorant, not malicious, and he just hasn't had time to read any of the opinions of so many security professionals that he fucked up big time, and if he did bother reading them, he thinks he knows better than they do, so he ignores them.
Also Trump is only executing a federal takeover of the DC police because he's ignorant, not because he's malicious. And Putin only invaded Ukraine because he's ignorant, not malicious. Got it.
blackhaz 4 hours ago [-]
But it cannot be adequately attributed to ignorance, so no, Hanlon's razor does not apply. There is an obvious security breach.
npteljes 3 hours ago [-]
I definitely consider it a security breach. But I do still think it's ignorance. Debian maintainers let it slide since 2009, so for at least 16 years now (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534731) - are they also malicious? I just think that not enough fucks were given.
jacquesm 34 minutes ago [-]
It isn't rare at all for bugs to surface many years later, and that doesn't mean whoever was responsible for maintenance is malicious; it is if the bug was planted on purpose, and there are some examples of that (the xz library saga, for instance). Of course, you could argue that that too was incompetence, but that's not how this works: lack of oversight by others does not imply malice on the part of those others for failure to catch the issue.
Stuff like this can fly under the radar for a long time because lots of people will assume how it works without actually verifying that it really works like that.
npteljes 26 minutes ago [-]
I completely agree. Also, these people have a lot of other assignments, as I imagine. I, for one, have certainly let things slide in the past that ended up biting me, for whatever reason, malice not included.
vorgol 4 hours ago [-]
> pressured
Maybe incentivized? $1000? $10000? Would be interesting to hear from the developer himself.
npteljes 3 hours ago [-]
>nor do I think that they gain any advantage of it
frumplestlatz 3 hours ago [-]
Willful negligence is, at some point, malicious.
Lockal 3 hours ago [-]
There are dozens of Chrome extensions that translate (read: submit to an untrusted server) on hover / highlight / context menu / textarea edit / etc. It is implied that the user acknowledges this functionality and accepts the risk. This includes the untrusted server (because that's how they proxy requests to Google/Bing/Yandex Translate without exposing API keys).
Does being security illiterate equal malicious? Debatable.
jeltz 3 hours ago [-]
Not sure if I would call it malicious but I would call it gross negligence.
oblio 2 hours ago [-]
A moderately popular Chrome extension is frequently bought for tens of thousands of dollars for various purposes, frequently malware injection. They contact extension makers.
I think the bar for trust in terms of evil intent is on the floor.
DonHopkins 2 hours ago [-]
>Security illiteracy? Yes.
Security illiteracy is admitting you were wrong and changing it when somebody points it out.
>Malicious intent? Probably no.
Are you graciously making excuses for malicious intent without considering all the facts? Probably yes.
>Does being security illiterate equal malicious? Debatable.
Refusal to admit there is a problem and fix it, or carrying the water for people who refuse to admit they made a mistake, is deliberate maliciousness, not security illiteracy. Not debatable.
Lockal 1 hours ago [-]
Illiterate is "inability to read and write" by definition. I know people who submitted bug reports requesting: "hi, I want to use your API, please add wildcard origin header"; after getting an explanation they propose "ok, JUST add my domain, I'm an opensource contributor, trust me". They ask to remove security features, recognizing them as security features, but only caring about their convenience (like "don't enforce 2fa", "don't warn about untrusted links"). They don't know about defense in depth and even if you explain it to them, they will skip your explanation, because they can't read.
guappa 60 minutes ago [-]
The fix is to remove the package…
jacquesm 37 minutes ago [-]
And to scan all of the other packages for phoning home without very explicitly informing the user about it and kicking them out if they don't.
rusk 4 hours ago [-]
Such a response is not considered a valid defence under GDPR. You cannot sign away your right to privacy any more than you can sign away your right to life.
JumpCrisscross 1 hours ago [-]
> You cannot sign away your right to privacy any more than you can sign away your right to life
You can literally do both in the EU with informed consent.
jacquesm 12 minutes ago [-]
No, you can't.
Informed consent is (1) always going to be specific and (2) ends when the legal basis for processing is no longer supported.
JumpCrisscross 9 minutes ago [-]
Struggling to see the relevance of both constraints when it comes to assisted death.
CorrectHorseBat 5 hours ago [-]
Malicious intent written in the package description? I would think that really unlikely.
I think it's just a cultural difference. Sogou, a super popular Chinese input program for Windows, iOS and Android, does the same with everything you type and nobody cares.
jacquesm 5 hours ago [-]
I'd say that having terms of service that document your shady behavior whilst at the same time not making this obvious in the UI in any way is a tried and true (corporate) malware pattern.
Just because Microsoft did it doesn't make it a valid defense; in fact it shows the opposite (after all, they too did not have the best interests of their users at heart). Given that the recipient of the data sits on the other side of the GFW and that clipboards can contain very interesting data, you really should wonder about the intentions of the author; they do not get the benefit of the doubt. In fact, open source software that to all intents and purposes looks like it runs locally but pumps your (private) data out without your consent is a very large red flag to me: it gains access to data that otherwise likely would never be found in the wild. At a minimum this is a fairly serious GDPR violation.
npteljes 4 hours ago [-]
I think so too. It's a cultural difference, and ignorance at most. I doubt the maintainer has control over those two random dictionary websites, or was tasked by them to do this or anything like that. They are just a different person, and they didn't give a fuck.
DonHopkins 2 hours ago [-]
[flagged]
npteljes 2 hours ago [-]
Yes, I do feel strongly about attributing malice to someone who I think didn't warrant it. Especially do I think that they are not malicious, because of the fact that they don't admit to their doing as a security hole, but as functionality. And I do care about security a lot - if this was on my software repository, I'd frankly pull the package until it's fixed.
>why it's not malicious to write and distribute a program that sends passwords and other sensitive information over unencrypted http in 2025
One of the reasons is that it has been like that since at least 2009, so for 16 years.
I'm not defending the bug. It's a glaringly stupid thing to do, and distribute, and it questions the competency of everyone involved. I do maintain that it's not malicious intent.
chainingsolid 2 hours ago [-]
I install stuff from Debian's repos for 2 reasons: convenience & trust. And while people do complain when maintainers modify packages' behavior, I think people would rather have "send my clipboard contents to someone else" be opt-in, instead of violating their trust!
zahlman 1 hours ago [-]
If this level of modification is required for a package to fit in with the distro's philosophy, maybe better not to include it at all.
fodmap 4 hours ago [-]
I do agree with your point, especially when it is not the first time a package maintained by that guy has unexpected behavior, like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010165 (Inappropriate package, modifies other package's (conf) files, should be removed from archive).
wat10000 4 hours ago [-]
That doesn’t even address the problem! The package description does mention the scan feature, but not the automatically-send-it-to-a-server-in-plain-text feature.
Sure, if you read the description and the list of plugins and correctly guess how this plugin is implemented, then you can deduce some of it.
bayindirh 5 hours ago [-]
"RTFM!" comments come in flavors and bear nuances. In this case, as another commenter has pointed out, the answer smells fishy.
I have been told to "RTFM!" countless times in many places. Some of them were legitimately the correct answer in that context, in hindsight. Some were knee-jerk reactions like this.
Debian's discussion culture might be a little edgy sometimes, but this has nothing to do with Debian.
teiferer 5 hours ago [-]
[flagged]
danieldk 4 hours ago [-]
Except that the description does not tell you that it ships off your clipboard unencrypted to Chinese servers.
> of course a dictionary program will include code to talk to dictionary-providing web sites.
I wouldn't say that is just a given, if I've apt-get installed a dictionary I might expect that is the whole thing on my machine. It's not like we haven't had dictionaries in physical books for centuries...
It seems like stardict is very much an online thing, which I suppose could be legit, but the whole thing does seem like a trap.
kazinator 6 hours ago [-]
It's a generational thing. I would guess that someone who expects applications to phone home, on the off chance that they are actually otherwise local, is likely someone pretty young who hasn't lived in a world of locally installed software that doesn't talk to anything.
If we search for the author's bio, that seems to check out. They are a well-credentialed CS person; obviously they know that dictionary programs such as translation pop-ups can have offline dictionaries, and they mention that. But they are a person of their time with an according set of "of courses".
Today, an application that is locally installed and works with offline data is like a statement of quaint chivalry, promulgated by a few remaining Don Quixotes of computing. (It saddens me to say. So much so that this analogy brings me insufficient amusement.)
yorwba 2 hours ago [-]
For many languages, there simply isn't a comprehensive dictionary file that could be redistributed legally as part of a free-software offline dictionary application. You either settle for a few thousand words put together by a handful of volunteers, or you redistribute a commercial dictionary illegally, or you have to connect to an online service to provide sufficient coverage legally.
hdjrudni 7 hours ago [-]
Even if it's "legit", it shouldn't be using unencrypted HTTP.
sam_lowry_ 5 hours ago [-]
Why? Should it use the dict protocol, then?
rootnod3 5 hours ago [-]
How about HTTPS?
mattmanser 5 hours ago [-]
Because without HTTPS it's trivial to MITM that clipboard content if they're always sending it via http.
People in your coffee shop on the same WiFi could read it.
I get some people don't realize that's how TCP/IP works and the firesheep stuff all happened 15 years ago. But a bit worrying to see a frequent HN contributor challenging that.
That's why we now push for Https everywhere.
__MatrixMan__ 1 hours ago [-]
Https everywhere is a good start, it keeps the other plebs at the coffee shop out of your business. But it's still open to anyone with enough power to coerce a CA, which is the more concerning sort of adversary anyhow. So yes, https everywhere, but let's not stop there.
dannyw 1 hours ago [-]
Yes, but we have widely deployed efforts like certificate transparency, and cert pinning.
The first makes such attacks widely known events; browsers report by default, and it's provable. It's very rare.
The second allows apps to only trust specific certs or CAs, ignoring system root of trust.
I just want to clarify HTTPS in practice is quite secure.
__MatrixMan__ 31 minutes ago [-]
I'll not let go of my distaste for roots of trust in any form, but you likely have a point. I'll have to learn more about this transparency thing.
pantalaimon 4 hours ago [-]
The venerable ding does well with a local dictionary - and it's packaged in Debian too
That stood out to me as well. It's a sad world when people expect even simple functionality to be a live service.
mayama 5 hours ago [-]
At some point I started running gui apps without network access, first with firejail and then bubblewrap. This was before flatpak became a thing. I still use collection of bash scripts that built up over time to run applications in sandbox.
One might even expect a program to use a common Unix preinstalled dictionary.
dkiebd 4 hours ago [-]
"words" is nothing but a list of words. It does not contain definitions for those words, which is what one expects from a dictionary.
waterhouse 4 hours ago [-]
Hmm, you are correct.
yjftsjthsd-h 7 hours ago [-]
Dumb question... Could you do a per-word bloom filter to do online spell checking without actually disclosing the words you're checking?
markasoftware 7 hours ago [-]
A Bloom filter lookup is by hash, and given the relatively small set of words in English, it would be pretty easy for the server to reverse the hash sent to it. Thus a Bloom filter wouldn't be very private.
Additionally, a typical spell checker feature is to provide alternative, correct, spellings, rather than just telling you whether a word is correctly spelled.
I bet there's some cool way to do this with zero-knowledge or homomorphic cryptography though!
Sesse__ 2 hours ago [-]
> a bloom filter look up is by hash, and given the relatively small set of words in english, it would be pretty easy for the server to reverse the hash sent to it. Thus a bloom filter wouldn't be very private.
The typical use of a Bloom filter is to have it locally as a prefilter, not to send hashes to the server.
notpushkin 3 hours ago [-]
There’s also a way simpler way: send a hash prefix to server, get a list of matches. Google Safe Browsing does this with URLs, for example.
shakna 6 hours ago [-]
You should be able to do a K-means type thing, where your query is an entire group, and you grab the field from the chunk locally.
But you might still be able to use some frequency sampling to predict the words used, unless those chunks are very very carefully constructed.
account42 5 hours ago [-]
> I bet there's some cool way to do this with zero-knowledge or homomorphic cryptography though!
The code for which would almost certainly be larger than a fully local dictionary for any human language.
bmacho 3 hours ago [-]
> a typical spell checker feature is to provide alternative, correct, spellings, rather than just telling you whether a word is correctly spelled.
I personally don't use that one, for me the red underline is enough.
yk 3 hours ago [-]
There are two scenarios I believe, first accidentally sending a (decent) password, and second the server not learning what you actually look up.
For the first case, sending a hash would prevent the server from learning a password that is not in the dictionary, something like password5 would hash to gibberish.
For the second, the server needs to know what to actually send back. I believe Google's malicious website check works (or used to) by truncating a hash and then just sending the answer for some 128 or so websites and having the browser figure out which of them the user wanted to visit. That creates some deniability over which website you actually visited and should also be usable to prevent the server from learning what you actually looked up.
So yes, I think you could design a more secure protocol. Though, general security disclaimer, the people trying to read your letters probably spend more time attacking than I spend writing this post.
CGamesPlay 6 hours ago [-]
Just want to mention that the feature in question here is for translation, not spell checking.
wat10000 4 hours ago [-]
This sort of crap makes me sure I’ll be employable forever.
I may not be on top of the latest trends, but at least I understand how computers work and what they can actually do.
paffdragon 3 hours ago [-]
Somewhat related, I was quite surprised when I discovered that my Samsung phone was sharing ALL my clipboard with all my other Samsung devices, including passwords copied into the clipboard, and even preserving the history. I can't remember if the sharing was enabled by default or I opted in by accident. I assume it also goes through their servers to reach my other devices. I could disable the sharing, but still can't turn off the clipboard history, even switching to a different keyboard, the Samsung keyboard still captures the clipboard and saves the history, when I switch the keyboard to Samsung everything is there... I guess my next phone won't be Samsung.
dannyw 1 hours ago [-]
Yes, and we know at least Samsung TVs sell your details and what you watch to marketers and everyone.
Samsung’s privacy policy is the same for phones and TVs.
xpressvideoz 16 minutes ago [-]
Your clipboard data does NOT go through Samsung's servers. The description of the feature clearly says it only works when both devices are on the same Wi-Fi network. You're just an impatient paranoid, easily jumping to conclusions. You should be ashamed for spreading false information.
paffdragon 7 minutes ago [-]
> You're just an impatient paranoid, easily jumping to conclusions. You should be ashamed for spreading false information.
Thank you for your kind words, please look at the HN comment guidelines when you have a chance. Your point would have been an excellent correction if shared thoughtfully, but it's all negated by the name calling and personal attacks.
nullify88 2 hours ago [-]
I usually suggest not to create or login with a Samsung Account on Samsung devices. It's just another opportunity for a company to get at your data.
eadmund 2 hours ago [-]
The Wayland framing at the end strikes me as misleading. This gets it exactly right:
> Or maybe StarDict would have started asking for special permissions to let it work on Wayland, and users would have accepted those defaults the same way they currently do.
Yes, that’s what it would do. Its installer might even configure that special permission automatically, without user intervention.
Malware’s gonna mal. Wayland might help defend against some things, but it’s not going to defend against packages installed as part of the distro.
heresie-dabord 1 hours ago [-]
It is not misleading, Wayland is better than Xorg in this particular respect.
But the other concern is part of the systemic problem. Consider that the data that was transmitted was sent in the clear!
> StarDict ... while running on X11, using Debian's default configuration, it will send a user's text selections over unencrypted HTTP to two remote servers.
> Any user who did read the description of the package, and who knew what the YouDao plugin would do, might nevertheless expect the resulting communication to at least be encrypted. But the plugin actually reaches out to its backend servers — dict.youdao.com and dict.cn — over unsecured HTTP. So, not only are these servers sent any text the user selects, but anyone who can view traffic anywhere along its path can see the same thing.
Elucalidavah 7 hours ago [-]
Querying a local dictionary on each clipboard seems okay; having a feature to request remote dictionaries is okay; making it easy to combine both is dubious but understandable (would be better off as a special flag); but having them combined by default? That's pretty much malicious.
CorrectHorseBat 6 hours ago [-]
[flagged]
dd_xplore 5 hours ago [-]
It's malicious intent! The developer isn't a kid, they're releasing the software for world wide use. It's a simple thing, do not send private data to remote servers without explicitly asking the user!
blackhaz 4 hours ago [-]
I'd go one step further and say it's a blatant Chinese SIGINT.
CorrectHorseBat 5 hours ago [-]
In your eyes maybe (and mine for the record), but different people have different values and expectations of what is privacy.
account42 5 hours ago [-]
If that was an acceptable response we shouldn't accept people from those cultures into positions where they can affect our privacy. Or we can just stop using "cultural differences" as a bludgeon to whitewash bad behavior.
lupusreal 4 hours ago [-]
The "Chinese values" excuse doesn't fly. We're not talking about a random Chinese person, we're talking about a Debian packager. Debian packagers should have values in line with the Debian project's ethos. It's difficult to imagine how somebody to whom Debian's values are alien could even accidentally stumble their way into the position of being a Debian packager.
CorrectHorseBat 4 hours ago [-]
Don't get me wrong, I'm not saying it's acceptable for a Debian packager, but I think that it's much more likely than malicious intent.
>It's difficult to imagine how somebody to whom Debian's values are alien could even accidentally stumble their way into the position of being a Debian packager
It's not for me.
jeroenhd 5 hours ago [-]
There definitely seems to be a cultural difference when it comes to privacy expectations from Chinese companies and western companies. Doesn't mean it's okay to do this kind of thing in a Debian package, of course, but I can understand how this could've happened.
exe34 4 hours ago [-]
That's like saying Afghans have a different idea of consent.
komali2 2 hours ago [-]
Not really because "Chinese" is being used here as an indicator of nationality, not ethnicity.
I disagree with using it that way because it feeds into the CPC's propaganda mission to conflate the ethnicity of "Han" with citizenship of the PRC, which aids their cultural imperialism ('Taiwan is "Chinese" and we are "China" so therefore people in Taiwan are our people!'). Also the definition is being stretched to include anyone with even the vaguest ethnic ancestry from within territory ruled by the PRC or historic empires ("China" is a word that basically means "empire")
Anyway I agree that people from the PRC are more used to throwing up their hands at invasions of privacy since the government having total insight into your life is a given there, and to many a positive thing (they may believe it keeps them safe). I also believe that growing up as one of one billion people gives one a sense of useless anonymity - who cares if someone sees your clipboard, there's just too many people for it to matter.
CGamesPlay 8 hours ago [-]
It's really difficult to not assume malice with something like this. From the maintainer:
> The stardict has "Scan" function, when user enable this function,
> after user select some text, it will trigger stardict do translate for this selected text... Why the user selects some confidential data to query dictionary?
netsharc 5 hours ago [-]
Would be funny if they couldn't tell that the text in a foreign language is confidential... maybe it's stamped "秘密".
"Sir, we have intel, the enemy is having translation server errors."
avhception 6 hours ago [-]
While I have a lot of respect for the effort that goes into Debian, I always disliked this kind of "maximalism" from the package manager. Oh, the user wants "foo"? Let's install every software that might be even remotely useful somehow in combination with foo! Oh there is a network daemon in there? Fantastic, let's start it immediately!
I know that there is a flag to disable the installation for "recommended" packages. I just think the default is a disservice here.
bayindirh 5 hours ago [-]
I'll politely disagree.
First of all, "Recommends" is reserved for packages which enhance the functionality of the package you're installing. Without these the package will not break, but some very useful functionality might be disabled.
The package-class you're talking about is "suggests", IOW, "these packages might also be useful for you, wanna look?" section. These are not installed by default already.
On the other hand, apt and aptitude provide previews before doing something. You don't have to accept them. In aptitude's case, you can even fine-tune before the final commit.
There's a tension: minimalism vs. user utility. Somebody said in the Debian 13 release comments that "Debian will never be an end-user friendly distro". Now, you're saying that packages shouldn't install recommends by default.
What should Debian be? "An IKEAesque DIY distro", or "A more user friendly, yet very stable and vanilla distro"? I vote for the latter, personally. Plus, as I said before, advanced users are free to change what they want.
If you want to change the default, the configuration files are at /etc/apt/conf.d/. If you want to disable feature for once, it's --no-install-recommends.
avhception 5 hours ago [-]
Well, as a user of one of the more "IKEAesque" distros, I guess I have made my choice ;)
And that's perfectly fine, it just means I don't align with Debian on this one. And that freedom is what Linux is all about, I guess. So it seems it's working as intended :)
Edit: And I totally get that users might often want that kind of maximalism. It's just not for me. Although starting network daemons by default might sometimes be a bridge too far, or the case described in the article here.
bayindirh 5 hours ago [-]
While I'll argue that Debian's network daemons come with very sane defaults and an accompanying AppArmor profile to prevent both network disruptions and attack surface increases, I'm certainly not with the developer of StarDict. That thing smells malicious.
...and this is what Debian Testing is actually for. To catch these types of issues.
Of course, people are free to select what resonates with them. I'm not against more DIY distributions (I'm also contemplating using an LFS VM to explore things even further, but time is an issue), and I'm not against your personal choices. I just wanted to note the tension, and share my observations about Debian.
account42 5 hours ago [-]
I agree that recommends makes sense but this is a bullshit argument:
> On the other hand, apt and aptitude provides previews before doing something. You don't have to accept them. In aptitude's case, you can fine tune before the final commit, even.
You can't expect the average user to understand the entire dependency tree and read the description of dozens of random packages that the average program pulls in. RTFM is not a valid excuse for bad defaults.
bayindirh 4 hours ago [-]
I don't expect the average user to read an entire dependency tree. However, apt and aptitude do a relatively good job of explaining the reasons for their actions.
Let me rephrase:
1. Installation of recommended packages is a good default for the average user, because it provides functionality they expect.
2. If the user is not happy with what's happening, changing defaults is not hard.
IOW, if you don't like how your system behaves, read the documents. Otherwise, I argue, the current defaults are good for the benefit of the newcomer and average Linux user. If you are at a point where you care which package is doing what, you're leaving the "average user / beginner" realm.
In the case of StarDict, as I noted elsewhere, I think the developer's answer is fishy, or ill-informed at least.
ethan_smith 2 hours ago [-]
This is a classic tension between convenience and security - Debian's "recommends" defaults were designed for a pre-cloud era when network connectivity wasn't assumed and local functionality was prioritized over potential security boundaries.
account42 5 hours ago [-]
The other extreme where you are missing expected functionality because it's optional isn't any better. The problem is not that recommended dependencies are installed by default, it's that package recommendations should perhaps be more conservative. Note that Debian already differentiates between recommended dependencies (which most users should want) and suggested dependencies (related functionality or enhancements that are not relevant for every user).
rfoo 6 hours ago [-]
For me it's my most used super long command line flag.
For a brief moment `--break-system-packages` surpassed it, then I discovered `pip` accepts abbrev flags so `--br` is enough, and sounds like bruh.
IshKebab 6 hours ago [-]
> --break-system-packages
You can avoid that clusterfuck using `uv tool install`. E.g. `uv tool install pre-commit`.
zahlman 52 minutes ago [-]
It's also not hard to just manage a damn virtual environment yourself.
hiAndrewQuinn 5 hours ago [-]
>This would normally not be much cause for concern; of course a dictionary program will include code to talk to dictionary-providing web sites.
Hey, an area I finally know something about. It depends on what you're trying to do.
The slimmed down version of a Finnish dictionary I provide in `tsk` [1] weighs in at around 30 MB, for about 250,000 Finnish words. It's small enough that I embed the whole dictionary directly into the binary and reconstruct the prefix search on the fly every time the user starts the app.
However, the much larger database which contains things like lemmatization and etymology information easily balloons up to many, many gigabytes in size. My problem domain is providing Truly Instant Lookup, keystroke by keystroke, so I can't really get around this level of memoization. The work to figure all this out was sufficient that I decided to make future versions a paid product instead [2].
Most other use cases would just call out to a server, because it's silly to think most people are going to download a giant database for that use case alone. A hybrid approach could also make a lot of sense, eg cache the most common 10,000 words locally and call out for the next 1.5 million, which are statistically extremely rare.
Your link is about privacy issues in upstream software that Debian hasn't sufficiently worked around yet. The main advantage of the Distro model (as opposed to developer-maintained package ecosystems) is exactly that there is someone protecting you from questionable software "features".
amiga386 2 hours ago [-]
I don't think Debian intentionally shields you from privacy-invading software. Other distros may differ on this point.
There's also no insistence on privacy in the Debian Social Contract or DFSG (not that these would be appropriate places for it, they're mainly about licensing).
GrayShade 4 hours ago [-]
Who protects you when the packagers decide to trust a shady CA (adding it to the root store) because it's used by the distro's infra?
account42 3 hours ago [-]
Is this supposed to be some kind of gotcha argument? Against what?
There is nothing in that list anything like as bad as this. The next worst is Chromium which is no surprise.
fsflover 6 hours ago [-]
Are you saying it's an ordinary behavior? There's nothing coming close in your links, especially in Debian.
blackhaz 4 hours ago [-]
If I were deciding, I would kick-ban StarDict immediately from the distribution, and scrutinize i) the maintainer for all the packages he has ever touched, ii) the StarDict authors for allowing such a default behavior in their system.
qwertox 5 hours ago [-]
> StarDict on Wayland doesn't have this problem, because Wayland prevents applications from being able to capture text from other applications by default.
StarDict on Wayland has a different issue, it causes a segfault.
Sat, 02 Aug 2025: Bug#1003710: stardict crash in gnome with message Segmentation fault
Yeah, I don't really know much about Wayland, but... that does not sound correct to me. Wayland has a copy/paste protocol, and my 5-minute web search indicates that it works much like the X11 copy/paste protocol: each application takes care of what will be sent when pasted. Then some other application requests a paste, the display server connects the two, they negotiate a format, and the "copied" data squirts across. That is to say, Wayland applications can totally capture text from other applications.
Now if the article meant to say Wayland applications are unable to capture arbitrary text via mechanisms other than the copy/paste protocol, I would say fair enough, but it sounds like the problem application is using the normal X11 copy/paste protocol. So I don't see how that statement is relevant.
account42 5 hours ago [-]
Besides, capturing text from other applications is very much required for various utilities. It's as much of a security feature in Wayland as turning off your computer and never turning it back on is.
WhyNotHugo 4 hours ago [-]
There is a separate, privileged, interface that this kind of utility can use.
Meanwhile, the other 99% of applications don't need unlimited permissions.
account42 3 hours ago [-]
Those privileged interfaces cover known use cases but don't allow for novel tools - or even full functionality of existing tools in many cases.
You also underestimate how many programs make use of functionality that could be abused in some way. And unless you lock all those interfaces down it's all security theater. Who cares if the display protocol disallows copy paste snooping when there are a million different ways to get at the memory of other processes or the files that they store sensitive information in. And such a locked down ecosystem is antithetical to free and open computing.
I don't use my computer to be secure, I use it to get shit done and to have fun. I'm not going to accept approaches to security that interfere with that any more than I will accept the same in real life. There aren't any bars over my windows because we have functioning police to deter criminals. I don't need lab tests done for all the food I buy because we have regulations that ensure food sold is generally safe to eat. I go outside without body armor and weapons even though someone could theoretically kill me. 100% security is always a tradeoff for quality of life.
aragilar 3 hours ago [-]
But then StarDict would still be sending your selections out.
Personally I think the X11/Wayland distinction is moot, given this appears to be an explicit feature of StarDict, and it seems more likely it just hasn't been ported to Wayland yet.
cik 5 hours ago [-]
My personal security tolerance means that I have multiple levels of firewalls and blockers: network, dns, device, and browser. It's also why I find myself scanning my DNS traffic (pihole), and running OpenSnitch.
Whether malicious or not, to me isn't the point. The point is that I, as an individual deserve the illusion of control over my data and communication. I have neither the time, nor inclination to read all release notes. Furthermore, as someone who has spent enough time writing code - I recognize that humans make mistakes and don't always update them with salient details. All the automation in the world, and AI (yes, I've tried AI for release notes) just doesn't help.
qwertox 5 hours ago [-]
"If user don't like one of these plugin, he can disable it by himself." f.u.
londons_explore 2 hours ago [-]
> According to Debian's package popularity contest statistics, only 178 people have StarDict installed
A problem for those 178 people... But on a global scale this isn't really a concern.
frumiousirc 2 hours ago [-]
Not everyone participates in the popularity contest. By some estimates about 1% of users do: there are about a quarter million popcon responses in Debian's recent popcon graphs. The absolute number of users is hard to estimate but I find one estimate of 20-50 million Debian users. So taking 1% as a lower bound, at least 18k people use StarDict in Debian. I don't know how to guess the number that use StarDict in another OS.
M95D 41 minutes ago [-]
In my Windows, it wouldn't be a problem. The firewall I use would pop up for any new program that tries to connect somewhere.
But Linux doesn't have a per-program firewall.
... and even if it did, there's no way to do popups/questions from the kernel,
... and even if there was, most programs would just run curl or wget or openssl. That would mean a popup for each and every connection attempt through those programs.
sbinnee 3 hours ago [-]
This post caught my eye immediately because I have been sort of benefiting from the StarDict project, although I do not use it directly. I have been using sdcv, a CLI tool that reads StarDict dictionaries. It's minimal and serves me well.
themafia 6 hours ago [-]
> Part of the justification for moving to Wayland over X11 is to make security vulnerabilities relating to one application spying on another more difficult to introduce.
Yea, because, how else am I going to run shady poorly maintained dictionary software that ignores system settings from a hostile country? What kind of world are we living in with X11?!
The software could just as well hook into your downloads folder and transparently "translate" any downloaded text or PDF file for you. In which case the method by which pixels arrive on your screen would not be relevant.
How is this an X11 vs Wayland issue and not a distribution hygiene issue? Why is this package even a part of the distribution? In the desire to force one desktop system to stop existing, for whatever reason, I think they've missed the broader point.
npteljes 3 hours ago [-]
I agree with you, this is not an X11 issue, it's a "why are we letting software like this in the repository" issue. The kind of lax attitude towards security I'd expect from a random AUR package, not in the Debian repo.
Which is interesting, as (according to the LWN article) it seems like the general issue of what is sent is an ever-present one for StarDict: apparently the earlier issue was around the defaults for all dictionaries, whereas the new issue is around a specific plugin.
Personally, if I was using (or a maintainer of) a dictionary tool which autoreads the clipboard (or any dictionary tool), I'd be checking what it is doing and considering whether it is what I would want to use.
npteljes 3 hours ago [-]
For sure. I hope that due to the noise, they finally clean this up for good.
akimbostrawman 5 hours ago [-]
>The software could just as well hook into your downloads folder
correct which is why wayland is only one piece in improving security, you still need proper sandboxing
lupusreal 4 hours ago [-]
By the time you have something that allows you to safely run malware you have a usability nightmare.
guappa 5 hours ago [-]
You basically need to call a vote or ask the tech committee to rule otherwise if the maintainer says it's fine.
It's not really a bug if it's an advertised feature you don't like, so security team cannot do much in theory.
account42 4 hours ago [-]
That's a bad policy then.
guappa 1 hours ago [-]
Write a new one and post it on debian-vote and see if it gets approved :)
Inityx 4 hours ago [-]
> But the plugin actually reaches out to its backend servers — dict.youdao.com and dict.cn — over unsecured HTTP.
What year is it?
jeltz 2 hours ago [-]
I assume it must be 2015 at most because my first job in 2008 ran everything, including images, on HTTPS. But I can imagine some last holdouts 7 years after that.
sugarpimpdorsey 5 hours ago [-]
How would you like to be the guy that reported this 10 years ago and had the bug closed on some technicality:
Given enough eyeballs, all bugs are closed as WONTFIX.
account42 4 hours ago [-]
It's not a technicality, the package was removed from Debian so there was no reason to keep the bug report open. And it was reopened by a Debian developer when the package was reintroduced a year later.
That's not an excuse for why it wasn't dealt with until now but what you are suggesting didn't happen.
porridgeraisin 8 hours ago [-]
The easiest solution seems to be to patch it to use offline dictionaries. merriamwebster.txt is 24MB, not a big deal.
stardict --install en_US hi_IN ta_IN
For a trilingual person, just 100MB of storage. Problem solved no?
Edit: it's a full dictionary with all sorts of information. Example entry:
2. Self-abandoned, or given up to vice; extremely wicked, or sinning
without restraint; irreclaimably wicked ; as, an abandoned villain.
Syn.
-- Profligate; dissolute; corrupt; vicious; depraved; reprobate;
wicked; unprincipled; graceless; vile.
-- Abandoned, Profligate, Reprobate. These adjectives agree in
expressing the idea of great personal depravity. Profligate has
reference to open and shameless immoralities, either in private life
or political conduct; as, a profligate court, a profligate ministry.
Abandoned is stronger, and has reference to the searing of conscience
and hardening of heart produced by a man's giving himself wholly up
to iniquity; as, a man of abandoned character. Reprobate describes
the condition of one who has become insensible to reproof, and who is
morally abandoned and lost beyond hope of recovery.
God gave them over to a reprobate mind. Rom. i. 28.
amiga386 1 hours ago [-]
This article smacks of paternalism.
Part of the fun of free software is that it might do terrible things. Debian is not a distro that promises you a walled garden run by an iron-fisted tyrant who beats programmers into submission so they'll respect your privacy.
Nothing in Debian will install StarDict invisibly. Only you install StarDict. Only you run StarDict.
Wayland is not a panacea. If you want StarDict to translate everything you highlight/clip, you will tell Wayland to let StarDict do that. If Wayland can't do that, it's bad, paternalistic software. There is Android and iOS for idiots who want to be bossed around by their device and have no real freedom.
The real problem are these HTTP lookups by default, which is the fault of the packager, and Debian as a whole for not prodding them into fixing it.
This bug was already reported and fixed as CVE-2009-2260. Then StarDict was kicked out of Debian, and when it came back, so did this bug. The most recent re-reporting of this bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806960 raised in 2015) was fixed a few days ago by removing the dict.cn plugin, 2 days after Vincent Lefevre raised this issue on oss-security-list. He also raised CVE-2025-55014 for another dictionary plugin that sends HTTP requests, which has also been fixed by removing that plugin.
Both plugins should be removed from Trixie as of today, and more appropriately, all the "network dictionaries" are now in their own package (stardict-plugin-network-dictionary), not installed by default (stardict-plugin suggests rather than recommends it):
Package: stardict-plugin-network-dictionary
Description: [...]
*Warning*
* The query word will send through the network use plain-text in this plugin!
* Please do *NOT* selects any confidential data to query dictionary
* When enable "Scan" function on stardict, the selected text will sended on the net at once.
Package: stardict-plugin
Suggests: [...]
stardict-plugin-network-dictionary (= ${binary:Version}),
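As an added illustration of the Recommends/Suggests distinction in that control fragment (example code written for this page, not apt's or Debian's own tooling; the stanzas below are constructed and only model the relationship quoted above): a tiny resolver showing what an install pulls in with and without APT::Install-Recommends.

```python
"""Constructed example: which packages an install of 'stardict' would pull in,
depending on whether Recommends are followed.  The control stanzas are made up
for this example and are not Debian's real metadata."""
import re

# Constructed stanzas modelled on the layout discussed above: stardict-plugin
# *Suggests* the network-dictionary plugin, so it is not installed by default.
CONTROL = """\
Package: stardict
Depends: stardict-gtk | stardict-gnome
Recommends: stardict-plugin

Package: stardict-gtk
Depends: stardict-common (= ${binary:Version}), libgtk-3-0

Package: stardict-common
Suggests: stardict-plugin

Package: stardict-plugin
Depends: stardict-common
Suggests: stardict-plugin-network-dictionary (= ${binary:Version})

Package: stardict-plugin-network-dictionary
Depends: stardict-common, libcurl4
"""

RELATION_FIELDS = ("Depends", "Recommends", "Suggests")


def parse_relation(value):
    """'a (= 1.0), b | c' -> ['a', 'b']: strip version constraints, keep the
    first alternative of each '|' group (a simplification of apt's solver)."""
    names = []
    for group in value.split(","):
        group = group.strip()
        if not group:
            continue
        first = group.split("|")[0]
        names.append(re.sub(r"\s*\(.*?\)", "", first).strip())
    return names


def parse_control(text):
    """Return {package: {field: [package names]}} for the relation fields."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        pkgs[fields["Package"]] = {
            f: parse_relation(fields.get(f, "")) for f in RELATION_FIELDS
        }
    return pkgs


def install_set(pkgs, root, install_recommends=True):
    """Transitive closure over Depends (and Recommends when enabled).
    Suggests are never followed, which is why a 'suggests' relationship
    keeps the network plugin off a default install."""
    follow = ("Depends", "Recommends") if install_recommends else ("Depends",)
    seen, stack = set(), [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for field in follow:
            stack.extend(pkgs.get(name, {}).get(field, []))
    return seen


if __name__ == "__main__":
    pkgs = parse_control(CONTROL)
    for flag in (True, False):
        print(f"Install-Recommends={flag}:",
              sorted(install_set(pkgs, "stardict", flag)))
```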
DonHopkins 3 hours ago [-]
>The reality is that Linus's law ("given enough eyeballs, all bugs are shallow") only holds up if people are looking — and if, once they have looked, and have reported things, the people who have taken up maintenance of the software actually agree that there is a problem.
The reality is that Linus is not to blame for "Linus's Law", because Eric S Raymond made it up and misleadingly attributed it to him, and it's unmitigated bullshit (just like so many other of ESR's fallacious racist, sexist, homophobic, Islamophobic beliefs), which was refuted a long time ago by HeartBleed and many other incidents.
Theo De Raadt pinpointed the irony of trusting ESR's theatrical security claptrap about "many eyes":
"My favorite part of the "many eyes" argument is how few bugs were found by the two eyes of Eric (the originator of the statement). All the many eyes are apparently attached to a lot of hands that type lots of words about many eyes, and never actually audit code." -Theo De Raadt
>tptacek on May 14, 2023 | parent | context | favorite | on: The Cathedral and the Bazaar (1999)
>Just taken on its merits, I think a case can be made that this is one of the most overrated pieces of technical writing of the last 25 years. What's true in it isn't interesting ("the importance of having users", "release early release often") and what's interesting isn't true ("Linus's law" being perhaps the most notorious example). Much of the insight is taken directly from Brooks. The whole piece has as its backdrop the development of Fetchmail, which is not a well-regarded piece of software.
>What's notable about Cathedral is its timing; it did capture the zeitgeist of what was an important moment in the computing field, the moment where we transitioned from 386bsd-style hobby projects to an industry run on free and open source software. But Raymond isn't the reason why any of that happened, and much of his description of that moment is faulty; the rest of it is just a retrospective of the engineering decisions involved in the writing of a midlist mail processing utility (fetchmailrc syntax, password encryption, the now-largely-irrelevant distinctions between MDAs and MTAs).
>Even the high-level organizing notion of "cathedrals" and "bazaars", which should have been a lay-up, hasn't really proven out.
>In Facts and Fallacies about Software Engineering, Robert Glass refers to the law as a "mantra" of the open source movement, but calls it a fallacy due to the lack of supporting evidence and because research has indicated that the rate at which additional bugs are uncovered does not scale linearly with the number of reviewers; rather, there is a small maximum number of useful reviewers, between two and four, and additional reviewers above this number uncover bugs at a much lower rate.[4] While closed-source practitioners also promote stringent, independent code analysis during a software project's development, they focus on in-depth review by a few and not primarily the number of "eyeballs".[5]
>The persistence of the Heartbleed security bug in a critical piece of code for two years has been considered a refutation of Raymond's dictum.[6][7][8][9] Larry Seltzer suspects that the availability of source code may cause some developers and researchers to perform less extensive tests than they would with closed source software, making it easier for bugs to remain.[9] In 2015, the Linux Foundation's executive director Jim Zemlin argued that the complexity of modern software has increased to such levels that specific resource allocation is desirable to improve its security. Regarding some of 2014's largest global open source software vulnerabilities, he says, "In these cases, the eyeballs weren't really looking".[8] Large scale experiments or peer-reviewed surveys to test how well the mantra holds in practice have not been performed.[10]
>Empirical support of the validity of Linus's law[11] was obtained by comparing popular and unpopular projects of the same organization. Popular projects are projects with the top 5% of GitHub stars (7,481 stars or more). Bug identification was measured using the corrective commit probability, the ratio of commits determined to be related to fixing bugs. The analysis showed that popular projects had a higher ratio of bug fixes (e.g., Google's popular projects had a 27% higher bug fix rate than Google's less popular projects). Since it is unlikely that Google lowered its code quality standards in more popular projects, this is an indication of increased bug detection efficiency in popular projects.
Datamation: Does Heartbleed Disprove ‘Open Source is Safer’?
>Taken together, Segglemann’s and de Raadt’s comments also suggest that assuming no special effort is needed to discover bugs is a mistake. Perhaps more attention needs to be paid to formal reviews and software testing than FOSS traditionally has managed. The fact that FOSS development often involves remote cooperation does not mean that log-in test or in-person testing sessions could not be added to many project’s development cycle.
>What Heartbleed proves is that FOSS needs at to examine the unexamined assumption it has held for years. Greg DeKoenigsberg, a vice president at Eucalyptus Systems, summed up the situation neatly on Facebook: “we don’t put enough eyes in the right places, because we assume [bug-detection] will just happen because of open source pixie dust — and now we’re paying the price for it.”
>Open source does not provide a meaningful inherent security benefit for OpenSSL and it may actually discourage some important testing techniques. Also, panhandling is not a good business model for important software like OpenSSL.
zahlman 40 minutes ago [-]
This is a lot of effort just to make the point that you don't like ESR.
angled 49 minutes ago [-]
A great comment, but your brief mention of fetchmail brought back a flood of memories of .fetchmailrc’s and watching dots on screen as I downloaded my mail from POP3 servers over all sorts of horrible baud rate modems, before I sensibly switched to sending and retrieving my email via UUCP.
hulitu 7 hours ago [-]
[flagged]
qwertox 5 hours ago [-]
When you copy a password from a text editor, or some text from a webpage, does Chrome or Firefox send this to their servers?
Not even /s makes sense here.
charcircuit 7 hours ago [-]
Meanwhile on Android:
- The clipboard can not be read by backgrounded applications
- Apps by default are unable to use HTTP
cdmckay 7 hours ago [-]
Meanwhile on Wayland:
> StarDict on Wayland doesn't have this problem, because Wayland prevents applications from being able to capture text from other applications by default.
fc417fc802 6 hours ago [-]
Seems irrelevant to me. I shouldn't need to defend against software provided by the official repositories. The entire point is for those to be trustworthy.
Also Wayland breaks a lot of stuff. It's certainly a move in the right direction on the whole but I wouldn't blindly interpret something like this as a win.
porridgeraisin 5 hours ago [-]
You are cherry picking. The next statement says that the scan feature doesn't even work on wayland. Lol. That's worse than working + buggy. (security bugs are just bugs. Nothing special about them)
> That does mean that it breaks StarDict's scan feature, though.
badgersnake 5 hours ago [-]
No, Wayland is clearly better here. Not allowing an app to do a potentially stupid privacy compromising thing is better than allowing it by default and providing no way to block it.
Better does not necessarily mean good though; the Mac approach of block by default but allow users to enable these things for specific apps in settings would be a great improvement.
aragilar 3 hours ago [-]
I'm not sure how Wayland specifically prevents the privacy issue on its own (it can't block network calls), it seems it's down to not implementing the required Wayland calls, but I would be surprised if there was no portal or DBus or similar IPC to get the clipboard on Wayland (which is called out in the package description as noted by the maintainer). The issue is what the app plugin does with the clipboard data, while it's not something I want, I can see people wanting automatic lookups of words.
I think in a similar way to how xz attack required integration via systemd to exist, this is really more about defaults and integrations (which the last message from the maintainer acknowledges and seems to be fixing). https://xkcd.com/2044/ is as always an ever-present problem.
porridgeraisin 5 hours ago [-]
The privacy compromising part is _not_ in the 'reading selection' part. It is in the part where it sends it over http to dict.cn. The solution is therefore, obviously, to replace dict.cn with an offline dictionary. Not what wayland does, which is blocking reading selections in the first place. That is brain damaged.
In the X11 case, I can uninstall the app and install one that uses an offline dictionary and gives me a scan feature. That very much is a way to "block" it. Wanting a scan feature is not wrong. It's my computer. I want it. In the Wayland case, I cannot do _anything_ about it. The X11 situation is thus obviously better.
It's not like "define current selection" is some niche feature either. It's a default feature in macOS, iOS and Android.
You either do it the macOS way or the windows/x11 way. You cannot half-ass something in between. That is just security theatre and is utterly retarded. Every wayland release until it makes a macOS-style permission system (I don't care whether the default is accept or deny) is pure cancer. And every distro/DE that pushes wayland onto you until that point is also cancer.
</rant>
npteljes 4 hours ago [-]
Android has its fair share of issues as well. For a recent issue, take a look at the localhost tracking, wherein "Meta devised an ingenious system that bypassed Android’s sandbox protections to identify you while browsing on your mobile phone — even if you used a VPN, the browser’s incognito mode, and refused or deleted cookies in every session":
Which Android versions ask for permission before an app can make HTTP requests? I know it's something the app has to declare in the manifest, but other than obscure ROMs every normal version of Android just allows network usage without asking the user.
jeroenhd 5 hours ago [-]
Android itself doesn't enforce it, but starting with Android 9, you have to opt in to HTTP requests rather than opt out. Most app developers don't even know about this so their applications (and the ads packaged within) cannot do plaintext HTTP calls using the normal system API.
Still doesn't prevent an ad library from bundling libcurl and doing HTTP calls manually, of course, but it's a sane default.
est 5 hours ago [-]
It looks like a serious "privacy violation" for English-only users. But for many ESL or non-English users out there, the "translation" is a must.
On Windows, I remember some translation programs go extreme, they hijack all GDI calls and scan for all strings on GUIs trying to translate and replace them inline. Local dictionaries were pretty limited so many of them use online services. What happens when a user inputs something "sensitive" on the GUI?
Well, they go straight to the translation service.
jeroenhd 5 hours ago [-]
Translation isn't the problem, sending data over the network by default is. Data is leaked to Chinese dictionary servers even if you're translating between European languages using a local language according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806960.
With the GDI hijacking programs you usually download them for specific languages with the knowledge they're internet connected.
est 4 hours ago [-]
> Data is leaked to Chinese dictionary servers
stardict is Chinese software and the bug you listed says it "leaks" data to stardict.cn which is one of its official websites.
I do agree that programs should not send data in an arbitrary way. Clear text over public network is not OK
account42 5 hours ago [-]
> But for many ESL or non-English users out there, the "translation" is a must.
As an ESL user, I vehemently disagree. You're only going to need translations as long as you keep relying on translations. Like it or not but English is the lingua franca of the computing age and you're doing yourself a disservice if you don't learn it.
est 4 hours ago [-]
> English is the lingua franca
Yes, so to learn English, ppl need some kind of "translator" tool, no?
The most comprehensive one (but very old) out there is stardict.
account42 3 hours ago [-]
No, you don't need a translator tool to learn another language. Certainly not one that automatically translates everything you copy.
Once you know the basics (which a translator won't teach you) the most effective way to become proficient is practice, which is the opposite of relying on a tool to translate things for you.
userbinator 8 hours ago [-]
but it does suggest there were a number of people who might have been broadcasting their text selections to the internet for several years. Given that people copy and paste passwords from their password managers, or select the text of sensitive emails and documents during the course of editing, that should be a significant cause for concern.
I don't know what "significant" means in this case, but a password is worth something only to those who know what the password is for and are willing to find out. I'm pretty sure all those seemingly popular "editing" plugins that read everything on the screen to send to a cloud service for "AI assistance suggestions" do far worse... and given what I've seen people do with accidentally pasting things into Google, it likely already knows a lot more than you thought it did.
npteljes 4 hours ago [-]
I'm sure if people discovered that a Debian package offering "AI suggestions" would send the clipboard over unencrypted HTTP to two Chinese servers, it would make a similar noise.
Actively listening to the clipboard, and immediately, automatically sending the content elsewhere is akin to keylogging, spyware, plain and simple. It's a questionable practice even after accepting a huge popup, not to mention that the functionality is practically buried in TFA case.
01HNNWZ0MV43FF 7 hours ago [-]
> a password is worth something only to those who know what the password is for
I also copy-paste my username from KeePass, so you'd pretty quickly get everything
userbinator 7 hours ago [-]
OK, so you have the username and password. But what about where to use the credentials? Is that also copy-pasted from somewhere?
It's like coming across a key someone dropped on the road. You don't even know what it's for.
Of course all this assumes that there's even someone paying any special attention to the probably huge volume of data that these services are going to get.
TheDong 7 hours ago [-]
> It's like coming across a key someone dropped on the road. You don't even know what it's for.
There's a lot of keys that are self-identifying, even real keys. My key has "Apartment Name, Apartment Number" engraved into the head, and searching the apartment name on google brings it up in the first 5 results.
Let's say you find the following plaintext on the network: "sk-xxx....". Do you know what it's for? What if it's AKIAIOSFODNN7EXAMPLE?
What if it's a list of words from the BIP-39 wordlist?
> Of course all this assumes that there's even someone paying any special attention to the probably huge volume of data that these services are going to get.
It only takes one person, and since this is HTTP traffic, not HTTPS, the number of people who can see it is huge. Everyone on your wifi (i.e. the whole coffeeshop, remember firesheep), your ISP, each router between your ISP and china, and so on.
I wouldn't be surprised if someone is scanning all traffic that they see for bitcoin private keys and BIP-39 phrases since both of those could lead to some significant financial gain.
Heck, back in the day in my college dorm I ran a wifi hotspot only to sniff plaintext traffic and poke around, since I had a less strong sense of morals, and I bet the kids these days are still doing that.
quesera 6 hours ago [-]
> My key has "Apartment Name, Apartment Number" engraved into the head
Hotels learned not to do such silly things several decades ago.
I'm surprised that your building management lacks such obvious wisdom.
account42 4 hours ago [-]
People reuse user names and passwords all the time.
It is also quite feasible to test a user+password combo on the most common websites.
distances 5 hours ago [-]
I use a unique email address with the + format for each service, like "me+kagi@email.com". Login with email reveals the service through the address.
And yes, I too usually copy-paste both the username and the password, one right after the other. I have often thought that it seems very risky, but good to learn that Wayland already prevents clipboard sniffing.
therein 8 hours ago [-]
I have seen people paste their seed phrase into the URL bar in Chrome, which will send it to Google for auto-complete. Even the access log itself is going to contain compromising information in that case, since that is sent as part of the query string.
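The two comments above (the self-identifying keys and BIP-39 phrases visible to anyone sniffing the HTTP path, and the seed phrase that ends up in a query string and an access log) describe the same detection problem from two vantage points. The script below is an added example, not code from StarDict, Debian or anyone in this thread. It parses constructed HTTP request lines of the kind a passive observer or a server log would record, pulls out the selected text, and flags the formats mentioned in the thread. The endpoint path and the parameter name `q` are assumptions; the sample values are AWS's documented example key ID and the BIP-39 spec's public test vector, not live secrets.

```python
"""Detect self-identifying secrets in plaintext HTTP dictionary lookups.

Added example for this thread; not StarDict's or Debian's code. The
request lines are constructed to look like what a sniffer on the same
Wi-Fi, or the dictionary server's own access log, would see when a
"scan selection" feature ships every selection over HTTP. The endpoint
path and the parameter name "q" are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic. AKIAIOSFODNN7EXAMPLE is AWS's documented
# example key ID; the 12-word value is the public BIP-39 spec test vector.
SAMPLE_REQUESTS = [
    "GET /lookup?q=abandoned HTTP/1.1",
    "GET /lookup?q=AKIAIOSFODNN7EXAMPLE HTTP/1.1",
    "GET /lookup?q=sk-abc123def456ghi789jkl012mno345pqr HTTP/1.1",
    "GET /lookup?q=legal+winner+thank+year+wave+sausage+worth+useful"
    "+legal+winner+thank+yellow HTTP/1.1",
    "POST /lookup HTTP/1.1",  # no query string: ignored by this scanner
]

# Format-based detectors: these strings say what they unlock by themselves.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "sk_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
}


def looks_like_bip39(text):
    """Shape check for a recovery phrase: 12/15/18/21/24 lowercase words.

    A production detector would also require every word to be in the
    2048-word BIP-39 list and verify the checksum; that list is not
    embedded here, so this shape check is an assumption standing in for it.
    """
    words = text.split()
    return len(words) in (12, 15, 18, 21, 24) and all(
        w.isalpha() and w.islower() for w in words
    )


def extract_selection(request_line):
    """Pull the selected text out of a GET request line's query string.

    Returns None for non-GET lines or when the "q" parameter is absent.
    parse_qs already decodes '+' and %XX escapes.
    """
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    values = parse_qs(urlsplit(parts[1]).query).get("q")
    return values[0] if values else None


def classify(text):
    """Return the list of secret formats that match the text."""
    hits = [name for name, rx in DETECTORS.items() if rx.search(text)]
    if looks_like_bip39(text):
        hits.append("bip39_phrase")
    return hits


def scan(request_lines):
    """Return (selection, [formats]) for every request that leaked a secret."""
    findings = []
    for line in request_lines:
        selection = extract_selection(line)
        if selection is None:
            continue
        hits = classify(selection)
        if hits:
            findings.append((selection, hits))
    return findings


if __name__ == "__main__":
    for selection, hits in scan(SAMPLE_REQUESTS):
        print(f"{hits}: {selection!r}")
```

The point of the format detectors is the one made about engraved keys: an AWS key ID, an `sk-` token or a 12-word lowercase phrase tells the finder exactly where to try it, so "they don't know what it's for" is no comfort once the selection is on the wire in the clear. The same `scan()` works on a server access log because the query string is stored there verbatim.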
https://www.youtube.com/watch?v=Z1Ba4BbH0oY
https://xkcd.com/1053/
Note that clipboard data can be just about anything and is a valuable dataset, more so if the source of the data isn't aware of being a source, besides, there is no history so you won't even know what you've lost.
Is the difference meaningful? It’s proof of a value set so different from the community’s as to merit the same response: expulsion.
Intent or not, that developer is a risk to the project.
People need to be on the lookout though, the xz incident showed that FOSS is indeed vulnerable.
1. making "scanning" (the clipboard capturing feature) opt-in, with a huge notification for the implications
2. disabling the English-Chinese online translation plugin by default
This whole trend of adding a service to stuff that doesn't need a service is very annoying.
Also Trump is only executing a federal takeover of the DC police because he's ignorant, not because he's malicious. And Putin only invaded Ukraine because he's ignorant, not malicious. Got it.
Stuff like this can fly under the radar for a long time because lots of people will assume how it works without actually verifying that it really works like that.
Maybe incentivized? $1000? $10000? Would be interesting to hear from the developer himself.
Security illiteracy? Yes. Malicious intent? Probably no.
Does being security illiterate equal malicious? Debatable.
I think the bar for trust in terms of evil intent is on the floor.
Security illiteracy is admitting you were wrong and changing it when somebody points it out.
>Malicious intent? Probably no.
Are you graciously making excuses for malicious intent without considering all the facts? Probably yes.
>Does being security illiterate equal malicious? Debatable.
Refusal to admit there is a problem and fix it, or carrying the water for people who refuse to admit they made a mistake, is deliberate maliciousness, not security illiteracy. Not debatable.
You can literally do both in the EU with informed consent.
Informed consent is (1) always going to be specific and (2) ends when the legal base for processing is no longer supported.
I think it's just a cultural difference. Sogou, a super popular Chinese input program for Windows, iOS and Android, does the same with everything you type and nobody cares.
Just because Microsoft did it, that doesn't make it a valid defense; in fact it shows the opposite (after all, they too did not have the best interests of their users at heart). Given that the recipient of the data sits on the other side of the GFW and that clipboards can contain very interesting data, you really should wonder about the intentions of the author; they do not get the benefit of the doubt. In fact, open source software that to all intents and purposes looks like it runs locally but pumps your (private) data out without your consent is a very large red flag to me: it gains access to data that otherwise likely would never be found in the wild. At a minimum this is a fairly serious GDPR violation.
>why it's not malicious to write and distribute a program that sends passwords and other sensitive information over unencrypted http in 2025
One of the reasons is that it has been like that since at least 2009, so for 16 years.
I'm not defending the bug. It's a glaringly stupid thing to do, and distribute, and it questions the competency of everyone involved. I do maintain that it's not malicious intent.
Sure, if you read the description and the list of plugins and correctly guess how this plugin is implemented, then you can deduce some of it.
I have been told to "RTFM!" countless times in many places. Some of them were legitimately the correct answer in that context, in hindsight. Some were knee-jerk reactions like this.
Debian's discussion culture might be a little edgy sometimes, but this has nothing to do with Debian.
https://futurism.com/trump-didnt-know-nvidia
I wouldn't say that is just a given, if I've apt-get installed a dictionary I might expect that is the whole thing on my machine. It's not like we haven't had dictionaries in physical books for centuries... It seems like stardict is very much an online thing, which I suppose could be legit, but the whole thing does seem like a trap.
If we search for the author's bio, that seems to check out. They are a well-credentialed CS person; obviously they know that dictionary programs such as translation pop ups can have offline dictionaries, and mentions that. But they are a person of their time with an according set of "of courses".
Today, an application being locally installed and works with offline data is like a a statement of quaint chivalry, promulgated by a few remaining Don Quixotes of computing. (It saddens me to say. So much that this analogy brings me insufficient amusement.)
People in your coffee shop on the same WiFi could read it.
I get some people don't realize that's how TCP/IP works and the firesheep stuff all happened 15 years ago. But a bit worrying to see a frequent HN contributor challenging that.
That's why we now push for Https everywhere.
The first makes such attacks widely known events, browsers report by default, and it's provable. It's very rare.
The second allows apps to only trust specific certs or CAs, ignoring system root of trust.
I just want to clarify HTTPS in practice is quite secure.
https://www-user.tu-chemnitz.de/~fri/ding/
Additionally, a typical spell checker feature is to provide alternative, correct, spellings, rather than just telling you whether a word is correctly spelled.
I bet there's some cool way to do this with zero-knowledge or homomorphic cryptography though!
The typical use of a Bloom filter is to have it locally as a prefilter, not to send hashes to the server.
But you might still be able to use some frequency sampling to predict the words used, unless those chunks are very very carefully constructed.
The code for which would almost certainly be larger than a fully local dictionary for any human language.
I personally don't use that one, for me the red underline is enough.
For the first case, sending a hash would prevent the server from learning a password that is not in the dictionary, something like password5 would hash to gibberish.
For the second, the server needs to know what to actually send back. I believe Google's malicious website check works (or used to) by truncating a hash and then just sending the answer for some 128 or so websites and having the browser figure out which of them the user wanted to visit. That creates some deniability over which website you actually visited and should also be usable to prevent the server from learning what you actually looked up.
So yes, I think you could design a more secure protocol. Though, general security disclaimer, the people trying to read your letters probably spend more time attacking than I spend writing this post.
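The comment above sketches a two-sided protocol but does not show it. Here is a worked version, added as an example for this thread (it is not StarDict's or Debian's code): the client hashes the word locally, sends only a truncated prefix, the server returns every entry sharing that prefix, and the client picks its own match at home, which is the same shape as the truncated-hash scheme described for the malicious-website check. The dictionary, the definitions and the one-hex-digit prefix length are constructed for the example.

```python
"""Hash-prefix (k-anonymity) dictionary lookup, client and server side.

Added example for this thread, not StarDict's protocol. The client sends
only a truncated hash of the word; the server returns the whole bucket
sharing that prefix; the client finds its own match locally. Dictionary,
definitions and the 1-hex-digit prefix are constructed; a real service
would use a far larger dictionary and a prefix length chosen so every
bucket holds many entries.
"""
import hashlib

PREFIX_HEX_DIGITS = 1  # 16 buckets; tiny so the toy dictionary spreads across them

# Constructed dictionary with abbreviated definitions.
DICTIONARY = {
    "abandoned": "forsaken, deserted",
    "dictionary": "a book listing words and their meanings",
    "key": "an instrument for operating a lock",
    "password": "a secret string used to authenticate",
    "scan": "to examine systematically",
    "selection": "the act of choosing",
    "translate": "to render in another language",
    "wayland": "a display server protocol",
}


def word_hash(word):
    """Unkeyed SHA-256 of the normalized word; only its prefix leaves the client."""
    return hashlib.sha256(word.strip().lower().encode("utf-8")).hexdigest()


class DictionaryServer:
    """Holds entries keyed by hash prefix; never receives a plaintext query."""

    def __init__(self, dictionary):
        self.buckets = {}
        self.prefixes_seen = []  # everything an honest-but-curious server learns
        for word, definition in dictionary.items():
            h = word_hash(word)
            self.buckets.setdefault(h[:PREFIX_HEX_DIGITS], []).append(
                (h[PREFIX_HEX_DIGITS:], definition)
            )

    def lookup_bucket(self, prefix):
        """Wire request: prefix in, whole bucket of (suffix, definition) out."""
        self.prefixes_seen.append(prefix)
        return list(self.buckets.get(prefix, []))


def client_lookup(server, word):
    """Client side: hash locally, send the prefix, match the suffix at home."""
    h = word_hash(word)
    prefix, suffix = h[:PREFIX_HEX_DIGITS], h[PREFIX_HEX_DIGITS:]
    for candidate_suffix, definition in server.lookup_bucket(prefix):
        if candidate_suffix == suffix:
            return definition
    return None  # not in the dictionary; the server learned only the prefix


def anonymity_set_size(server, word):
    """Number of dictionary words the server cannot tell this query apart from."""
    return len(server.buckets.get(word_hash(word)[:PREFIX_HEX_DIGITS], []))


if __name__ == "__main__":
    server = DictionaryServer(DICTIONARY)
    print(client_lookup(server, "abandoned"))
    print(client_lookup(server, "password5"))  # None: not in the dictionary
    print(server.prefixes_seen)
```

Two caveats a practitioner would add. First, the truncation is what buys the deniability: an unkeyed SHA-256 of a short, low-entropy string like `password5` is trivially brute-forced, so a design that sent the full hash would let the server recover most non-dictionary selections by guessing. Second, this protects only against the server; it does nothing against the coffee-shop observer unless the exchange itself runs over TLS, and the server still sees the client's address and the timing of each query.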
I may not be on top of the latest trends, but at least I understand how computers work and what they can actually do.
Samsung’s privacy policy is the same for phones and TVs.
Thank you for your kind words, please look at the HN comment guidelines when you have a chance. Your point would have been an excellent correction if shared thoughtfully, but it's all negated by the name calling and personal attacks.
> Or maybe StarDict would have started asking for special permissions to let it work on Wayland, and users would have accepted those defaults the same way they currently do.
Yes, that’s what it would do. Its installer might even configure that special permission automatically, without user intervention.
Malware’s gonna mal. Wayland might help defend against some things, but it’s not going to defend against packages installed as part of the distro.
But the other concern is part of the systemic problem. Consider that the data that was transmitted was sent in the clear!
> StarDict ... while running on X11, using Debian's default configuration, it will send a user's text selections over unencrypted HTTP to two remote servers.
> Any user who did read the description of the package, and who knew what the YouDao plugin would do, might nevertheless expect the resulting communication to at least be encrypted. But the plugin actually reaches out to its backend servers — dict.youdao.com and dict.cn — over unsecured HTTP. So, not only are these servers sent any text the user selects, but anyone who can view traffic anywhere along its path can see the same thing.
>It's difficult to imagine how somebody to whom Debian's values are alien could even accidentally stumble their way into the position of being a Debian packager
It's not for me.
I disagree with using it that way because it feeds into the CPC's propaganda mission to conflate the ethnicity of "Han" with citizenship of the PRC, which aids their cultural imperialism ('Taiwan is "Chinese" and we are "China" so therefore people in Taiwan are our people!'). Also the definition is being stretched to include anyone with even the vaguest ethnic ancestry from within territory ruled by the PRC or historic empires ("China" is a word that basically means "empire")
Anyway I agree that people from the PRC are more used to throwing up their hands at invasions of privacy since the government having total insight into your life is a given there, and to many a positive thing (they may believe it keeps them safe). I also believe that growing up as one of one billion people gives one a sense of useless anonymity - who cares if someone sees your clipboard, there's just too many people for it to matter.
> The stardict has "Scan" function, when user enable this function, after user select some text, it will trigger stardict do translate for this selected text... Why the user selects some confidential data to query dictionary?
"Sir, we have intel, the enemy is having translation server errors."
I know that there is a flag to disable the installation for "recommended" packages. I just think the default is a disservice here.
First of all, "Recommends" is reserved for packages which enhance the functionality of the package you're installing. Without these the package will not break, but some very useful functionality might be disabled.
The package-class you're talking about is "suggests", IOW, "these packages might also be useful for you, wanna look?" section. These are not installed by default already.
On the other hand, apt and aptitude provide previews before doing something. You don't have to accept them. In aptitude's case, you can fine tune before the final commit, even.
There's a tension. Minimalism vs. user utility. Somebody said in the Debian 13 release comments that "Debian will never be an end-user friendly distro". Now, you're saying that packages shouldn't install recommends by default.
What should Debian be? "An IKEAesque DIY distro", or "A more user friendly, yet very stable and vanilla distro". I vote for the latter, personally. Plus, as I told before, advanced users are free to use what they want to change.
If you want to change the default, the configuration files are at /etc/apt/conf.d/. If you want to disable feature for once, it's --no-install-recommends.
And that's perfectly fine, it just means I don't align with Debian on this one. And that freedom is what Linux is all about, I guess. So it seems it's working as intended :)
Edit: And I totally get that users might often want that kind of maximalism. It's just not for me. Although starting network daemons by default might sometimes be a bridge too far, or the case described in the article here.
...and this is what Debian Testing is actually for. To catch these types of issues.
Of course, people are free to select what they resonates with them. I'm not against more DIY distributions (I'm also contemplating using a LFS VM to explore things even further, but time is an issue), and I'm not against your personal choices. I just wanted to note the tension, and share my observations about Debian.
> On the other hand, apt and aptitude provide previews before doing something. You don't have to accept them. In aptitude's case, you can fine tune before the final commit, even.
You can't expect the average user to understand the entire dependency tree and read the description of dozens of random packages that the average program pulls in. RTFM is not a valid excuse for bad defaults.
Let me rephrase:
IOW, if you don't like how your system behaves, read the documents. Otherwise, I argue, the current defaults are good for the benefit of the newcomer and average Linux user. If you are at a point where you are caring which package is doing what, you're leaving the "average user / beginner" realm.
In the case of StarDict, as I noted elsewhere, I think the developer's answer is fishy, or ill-informed at least.
For a brief moment `--break-system-packages` surpassed it, then I discovered `pip` accepts abbrev flags so `--br` is enough, and sounds like bruh.
You can avoid that clusterfuck using `uv tool install`. E.g. `uv tool install pre-commit`.
Hey, an area I finally know something about. It depends on what you're trying to do.
The slimmed down version of a Finnish dictionary I provide in `tsk` [1] weighs in at around 30 MB, for about 250,000 Finnish words. It's small enough that I embed the whole dictionary directly into the binary and reconstruct the prefix search on the fly every time the user starts the app.
However, the much larger database which contains things like lemmatization and etymology information easily balloons up to many, many gigabytes in size. My problem domain is providing Truly Instant Lookup, keystroke by keystroke, so I can't really get around this level of memoization. The work to figure all this out was sufficient that I decided to make future versions a paid product instead [2].
Most other use cases would just call out to a server, because it's silly to think most people are going to download a giant database for that use case alone. A hybrid approach could also make a lot of sense, eg cache the most common 10,000 words locally and call out for the next 1.5 million, which are statistically extremely rare.
[1]: https://github.com/hiandrewquinn/tsk
[2]: https://taskusanakirja.com/ (offline for now until I get Digicert to certify my downloads wholesome for Windows resale)
https://wiki.debian.org/PrivacyIssues
Luckily there are things like opensnitch that can block some of these issues:
https://github.com/evilsocket/opensnitch
Debian does not mandate anything about privacy in its Policy Manual (which are the standards for selecting and packaging software that maintainers must adhere to): https://www.debian.org/doc/debian-policy/search.html?q=priva...
There's also no insistence on privacy in the Debian Social Contract or DFSG (not that these would be appropriate places for it, they're mainly about licensing)
There is nothing in that list anything like as bad as this. The next worst is Chromium which is no surprise.
StarDict on Wayland has a different issue, it causes a segfault.
Sat, 02 Aug 2025: Bug#1003710: stardict crash in gnome with message Segmentation fault
https://www.mail-archive.com/debian-bugs-dist@lists.debian.o...
Now if the article meant to say Wayland applications are unable to capture arbitrary text via mechanisms other than the copy paste protocol I would say fair enough, but it sounds like the problem application is using the normal X11 copy paste protocol. So I don't see how that statement is relevant.
Meanwhile, the other 99% of applications don't need unlimited permissions.
You also underestimate how many programs make use of functionality that could be abused in some way. And unless you lock all those interfaces down it's all security theater. Who cares if the display protocol disallows copy paste snooping when there are a million different ways to get the memory of other processes or the files that they store sensitive information in. And such a locked down ecosystem is antithetical to free and open computing.
I don't use my computer to be secure, I use it to get shit done and to have fun. I'm not going to accept approaches to security that interfere with that any more than I will accept the same in real life. There aren't any bars over my windows because we have functioning police to deter criminals. I don't need lab tests done for all the food I buy because we have regulations that ensure food sold is generally safe to eat. I go outside without body armor and weapons even though someone could theoretically kill me. 100% security is always a tradeoff for quality of life.
Personally I think the X11/Wayland distinction is moot, given this appears to be an explicit feature of StarDict, and it seems more likely it just hasn't been ported to Wayland yet.
Whether malicious or not, to me isn't the point. The point is that I, as an individual deserve the illusion of control over my data and communication. I have neither the time, nor inclination to read all release notes. Furthermore, as someone who has spent enough time writing code - I recognize that humans make mistakes and don't always update them with salient details. All the automation in the world, and AI (yes, I've tried AI for release notes) just doesn't help.
A problem for those 178 people... But on a global scale this isn't really a concern.
But Linux doesn't have a per-program firewall.
... and even if it did, there's no way to do popups/questions from the kernel,
... and even if there was, most programs would just run curl or wget or openssl. That would mean a popup for each and every connection attempt through those programs.
Yea, because, how else am I going to run shady poorly maintained dictionary software that ignores system settings from a hostile country? What kind of world are we living in with X11?!
The software could just as well hook into your downloads folder and transparently "translate" any downloaded text or PDF file for you. In which case the method by which pixels arrive on your screen would not be relevant.
How is this an X11 vs Wayland issue and not a distribution hygiene issue? Why is this package even a part of the distribution? In the desire to force one desktop system to stop existing, for whatever reason, I think they've missed the broader point.
Personally, if I was using (or a maintainer of) a dictionary tool which autoreads the clipboard (or any dictionary tool), I'd be checking what it is doing and considering whether it is what I would want to use.
correct which is why wayland is only one piece in improving security, you still need proper sandboxing
It's not really a bug if it's an advertised feature you don't like, so security team cannot do much in theory.
What year is it?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806960
Given enough eyeballs, all bugs are closed as WONTFIX.
That's not an excuse for why it wasn't dealt with until now but what you are suggesting didn't happen.
stardict --install en_US hi_IN ta_IN
For a trilingual person, just 100MB of storage. Problem solved no?
Edit: it's a full dictionary with all sorts of information. Example entry:
ABANDONED A*ban"doned, a.
1. Forsaken, deserted. "Your abandoned streams." Thomson.
2. Self-abandoned, or given up to vice; extremely wicked, or sinning without restraint; irreclaimably wicked ; as, an abandoned villain.
Syn. -- Profligate; dissolute; corrupt; vicious; depraved; reprobate; wicked; unprincipled; graceless; vile. -- Abandoned, Profligate, Reprobate. These adjectives agree in expressing the idea of great personal depravity. Profligate has reference to open and shameless immoralities, either in private life or political conduct; as, a profligate court, a profligate ministry. Abandoned is stronger, and has reference to the searing of conscience and hardening of heart produced by a man's giving himself wholly up to iniquity; as, a man of abandoned character. Reprobate describes the condition of one who has become insensible to reproof, and who is morally abandoned and lost beyond hope of recovery. God gave them over to a reprobate mind. Rom. i. 28.
Part of the fun of free software is that it might do terrible things. Debian is not a distro that promises you a walled garden run by an iron-fisted tyrant who beats programmers into submission so they'll respect your privacy.
Nothing in Debian will install StarDict invisibly. Only you install StarDict. Only you run StarDict.
Wayland is not a panacea. If you want StarDict to translate everything you highlight/clip, you will tell Wayland to let StarDict do that. If Wayland can't do that, it's bad, paternalistic software. There is Android and iOS for idiots who want to be bossed around by their device and have no real freedom.
The real problem are these HTTP lookups by default, which is the fault of the packager, and Debian as a whole for not prodding them into fixing it.
This bug was already reported and fixed as CVE-2009-2260. Then StarDict was kicked out of Debian, and when it came back, so did this bug. The most recent re-reporting of this bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806960 raised in 2015) was fixed a few days ago by removing the dict.cn plugin, 2 days after Vincent Lefevre raised this issue on oss-security-list. He also raised CVE-2025-55014 for another dictionary plugin that sends HTTP requests, which has also been fixed by removing that plugin.
Both plugins should be removed from Trixie as of today, and more appropriately, all the "network dictionaries" are now in their own package (stardict-plugin-network-dictionary), not installed by default (stardict-plugin suggests rather than recommends it):
Changelog: https://salsa.debian.org/debian/stardict/-/blob/debian/trixi...
Control: https://salsa.debian.org/debian/stardict/-/blob/debian/trixi...
The reality is that Linus is not to blame for "Linus's Law", because Eric S Raymond made it up and misleadingly attributed it to him, and it's unmitigated bullshit (just like so many other of ESR's fallacious racist, sexist, homophobic, Islamophobic beliefs), which was refuted a long time ago by HeartBleed and many other incidents.
Theo De Raadt pinpointed the irony of trusting ESR's theatrical security claptrap about "many eyes":
"My favorite part of the "many eyes" argument is how few bugs were found by the two eyes of Eric (the originator of the statement). All the many eyes are apparently attached to a lot of hands that type lots of words about many eyes, and never actually audit code." -Theo De Raadt
https://news.ycombinator.com/item?id=35940773
>tptacek on May 14, 2023 | parent | context | favorite | on: The Cathedral and the Bazaar (1999)
>Just taken on its merits, I think a case can be made that this is one of the most overrated pieces of technical writing of the last 25 years. What's true in it isn't interesting ("the importance of having users", "release early release often") and what's interesting isn't true ("Linus's law" being perhaps the most notorious example). Much of the insight is taken directly from Brooks. The whole piece has as its backdrop the development of Fetchmail, which is not a well-regarded piece of software.
>What's notable about Cathedral is its timing; it did capture the zeitgeist of what was an important moment in the computing field, the moment where we transitioned from 386bsd-style hobby projects to an industry run on free and open source software. But Raymond isn't the reason why any of that happened, and much of his description of that moment is faulty; the rest of it is just a retrospective of the engineering decisions involved in the writing of a midlist mail processing utility (fetchmailrc syntax, password encryption, the now-largely-irrelevant distinctions between MDAs and MTAs).
>Even the high-level organizing notion of "cathedrals" and "bazaars", which should have been a lay-up, hasn't really proven out.
https://en.wikipedia.org/wiki/Linus%27s_law#Validity
>Validity
>In Facts and Fallacies about Software Engineering, Robert Glass refers to the law as a "mantra" of the open source movement, but calls it a fallacy due to the lack of supporting evidence and because research has indicated that the rate at which additional bugs are uncovered does not scale linearly with the number of reviewers; rather, there is a small maximum number of useful reviewers, between two and four, and additional reviewers above this number uncover bugs at a much lower rate.[4] While closed-source practitioners also promote stringent, independent code analysis during a software project's development, they focus on in-depth review by a few and not primarily the number of "eyeballs".[5]
>The persistence of the Heartbleed security bug in a critical piece of code for two years has been considered a refutation of Raymond's dictum.[6][7][8][9] Larry Seltzer suspects that the availability of source code may cause some developers and researchers to perform less extensive tests than they would with closed source software, making it easier for bugs to remain.[9] In 2015, the Linux Foundation's executive director Jim Zemlin argued that the complexity of modern software has increased to such levels that specific resource allocation is desirable to improve its security. Regarding some of 2014's largest global open source software vulnerabilities, he says, "In these cases, the eyeballs weren't really looking".[8] Large scale experiments or peer-reviewed surveys to test how well the mantra holds in practice have not been performed.[10]
>Empirical support of the validity of Linus's law[11] was obtained by comparing popular and unpopular projects of the same organization. Popular projects are projects with the top 5% of GitHub stars (7,481 stars or more). Bug identification was measured using the corrective commit probability, the ratio of commits determined to be related to fixing bugs. The analysis showed that popular projects had a higher ratio of bug fixes (e.g., Google's popular projects had a 27% higher bug fix rate than Google's less popular projects). Since it is unlikely that Google lowered its code quality standards in more popular projects, this is an indication of increased bug detection efficiency in popular projects.
Datamation: Does Heartbleed Disprove ‘Open Source is Safer’?
https://www.datamation.com/open-source/does-heartbleed-dispr...
>Taken together, Segglemann’s and de Raadt’s comments also suggest that assuming no special effort is needed to discover bugs is a mistake. Perhaps more attention needs to be paid to formal reviews and software testing than FOSS traditionally has managed. The fact that FOSS development often involves remote cooperation does not mean that log-in test or in-person testing sessions could not be added to many project’s development cycle.
>What Heartbleed proves is that FOSS needs to examine the unexamined assumption it has held for years. Greg DeKoenigsberg, a vice president at Eucalyptus Systems, summed up the situation neatly on Facebook: “we don’t put enough eyes in the right places, because we assume [bug-detection] will just happen because of open source pixie dust — and now we’re paying the price for it.”
ZDNet: Did open source matter for Heartbleed?
https://www.zdnet.com/article/did-open-source-matter-for-hea...
>Open source does not provide a meaningful inherent security benefit for OpenSSL and it may actually discourage some important testing techniques. Also, panhandling is not a good business model for important software like OpenSSL.
Not even /s makes sense here.
- The clipboard can not be read by backgrounded applications
- Apps by default are unable to use HTTP
Also Wayland breaks a lot of stuff. It's certainly a move in the right direction on the whole but I wouldn't blindly interpret something like this as a win.
> That does mean that it breaks StarDict's scan feature, though.
Better does not necessarily mean good though, that Mac approach of block by default but allow users to enable these things for specific apps on settings would be a great improvement.
I think in a similar way to how xz attack required integration via systemd to exist, this is really more about defaults and integrations (which the last message from the maintainer acknowledges and seems to be fixing). https://xkcd.com/2044/ is as always an ever-present problem.
In the X11 case, I can uninstall the app and install one that uses an offline dictionary and gives me a scan feature. That very much is a way to "block" it. Wanting a scan feature is not wrong. It's my computer. I want it. In the Wayland case, I cannot do _anything_ about it. The X11 situation is thus obviously better.
It's not like "define current selection" is some niche feature either. It's a default feature in macOs, iOS and Android.
You either do it the macos way or the windows/x11 way. You cannot half-ass something in between. That is just security theatre and is utterly retarded. Every wayland release until it makes a macos-style permission system (I dont care whether the default is accept or deny) is pure cancer. And every distro/DE that pushes wayland onto you until that point is also cancer.
</rant>
https://news.ycombinator.com/item?id=44235467
Still doesn't prevent an ad library from bundling libcurl and doing HTTP calls manually, of course, but it's a sane default.
On Windows, I remember some translation programs go to extremes: they hijack all GDI calls and scan for all strings on GUIs, trying to translate and replace them inline. Local dictionaries were pretty limited, so many of them use online services. What happens when the user inputs something "sensitive" on the GUI?
Well, it goes straight to the translation service.
With the GDI hijacking programs you usually download them for specific languages with the knowledge they're internet connected.
StarDict is Chinese software, and the bug you listed says it "leaks" data to stardict.cn, which is one of its official websites.
https://stardict-4.sourceforge.net/index_en.php
Btw, looks like stardict.cn is dead today.
> with the knowledge they're internet connected
Yeah that's pretty much the whole argument.
I do agree that programs should not send data in an arbitrary way. Clear text over a public network is not OK.
As an ESL user, I vehemently disagree. You're only going to need translations as long as you keep relying on translations. Like it or not but English is the lingua franca of the computing age and you're doing yourself a disservice if you don't learn it.
Yes, so to learn English, people need some kind of "translator" tool, no?
The most comprehensive one (but very old) out there is stardict.
Once you know the basics (which a translator won't teach you) the most effective way to become proficient is practice, which is the opposite of relying on a tool to translate things for you.
I don't know what "significant" means in this case, but a password is worth something only to those who know what the password is for and are willing to find out. I'm pretty sure all those seemingly popular "editing" plugins that read everything on the screen to send to a cloud service for "AI assistance suggestions" do far worse... and given what I've seen people do with accidentally pasting things into Google, it likely already knows a lot more than you thought it did.
Actively listening to the clipboard, and immediately, automatically sending the content elsewhere is akin to keylogging, spyware, plain and simple. It's a questionable practice even after accepting a huge popup, not to mention that the functionality is practically buried in TFA case.
I also copy-paste my username from KeePass, so you'd pretty quickly get everything
It's like coming across a key someone dropped on the road. You don't even know what it's for.
Of course all this assumes that there's even someone paying any special attention to the probably huge volume of data that these services are going to get.
There are a lot of keys that are self-identifying, even real keys. My key has "Apartment Name, Apartment Number" engraved into the head, and searching the apartment name on Google brings it up in the first 5 results.
Let's say you find the following plaintext on the network: "sk-xxx....". Do you know what it's for? What if it's AKIAIOSFODNN7EXAMPLE?
What if it's a list of words from the BIP-39 wordlist?
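A defender-side check for the kind of self-identifying secrets the comments above describe, as an added example that is not part of the thread: it scans constructed cleartext request lines, the way a DLP filter on an egress proxy would, for AWS access key IDs, sk- prefixed tokens and BIP-39 style word runs. The sk- length threshold and the twelve-word wordlist subset are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed subset of the BIP-39 English wordlist (its first twelve entries);
# a real detector loads all 2048 words.
BIP39_SUBSET = frozenset(
    "abandon ability able about above absent absorb abstract absurd abuse access accident".split()
)

PATTERNS = {
    # Documented AWS access key ID shape: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Heuristic for "sk-" style API tokens (assumption: at least 20 token characters).
    "sk_prefixed_token": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
}

# Constructed sample of cleartext request lines, as a sniffer or DLP filter might see them.
SAMPLE_LINES = [
    "GET /lookup?word=hello HTTP/1.1",
    "GET /lookup?word=sk-abc123XYZ456def789ghi012jkl345mno678 HTTP/1.1",
    "GET /lookup?word=AKIAIOSFODNN7EXAMPLE HTTP/1.1",
    "GET /lookup?word=abandon%20ability%20able%20about%20above%20absent%20absorb"
    "%20abstract%20absurd%20abuse%20access%20accident HTTP/1.1",
]


def find_mnemonic(text, wordlist=BIP39_SUBSET, lengths=(12, 24)):
    """Return the first run of 12 or 24 consecutive wordlist words, or None."""
    words = re.findall(r"[a-z]+", text.lower())
    for n in lengths:
        for i in range(len(words) - n + 1):
            window = words[i:i + n]
            if all(w in wordlist for w in window):
                return " ".join(window)
    return None


def scan_line(line):
    """Return a list of (label, matched_text) findings for one URL-decoded line."""
    text = unquote(line)
    findings = [(label, m.group(0)) for label, rx in PATTERNS.items() for m in rx.finditer(text)]
    phrase = find_mnemonic(text)
    if phrase:
        findings.append(("bip39_mnemonic", phrase))
    return findings


def scan(lines):
    """Map each offending line (1-based index) to its findings; clean lines are omitted."""
    return {i: f for i, line in enumerate(lines, 1) if (f := scan_line(line))}
```

Running `scan(SAMPLE_LINES)` flags lines 2, 3 and 4 and leaves the plain dictionary lookup alone; a proxy could block or alert on such matches before the request leaves the host.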
> Of course all this assumes that there's even someone paying any special attention to the probably huge volume of data that these services are going to get.
It only takes one person, and since this is HTTP traffic, not HTTPS, the number of people who can see it is huge. Everyone on your wifi (i.e. the whole coffeeshop, remember Firesheep), your ISP, each router between your ISP and China, and so on.
I wouldn't be surprised if someone is scanning all traffic that they see for bitcoin private keys and BIP-39 phrases since both of those could lead to some significant financial gain.
Heck, back in the day in my college dorm I ran a wifi hotspot only to sniff plaintext traffic and poke around, since I had a less strong sense of morals, and I bet the kids these days are still doing that.
Hotels learned not to do such silly things several decades ago.
I'm surprised that your building management lacks such obvious wisdom.
It is also quite feasible to test a user+password combo on the most common websites.
And yes, I too usually copy-paste both the username and the password, one right after the other. I have often thought that it seems very risky, but good to learn that Wayland already prevents clipboard sniffing.