From: Attila Lendvai <attila@lendvai.name>
To: guix-devel@gnu.org
Subject: policy for packaging insecure apps
Date: Wed, 10 Apr 2024 08:51:02 +0000 [thread overview]
Message-ID: <2bUjC_hEOSbsBdNlw5md-0Co6ZgqAYc4LLOfo01-HAhYkCNehW-8lXhBt8TN769ZDd68CMtzSvK2vrZH1gIf30pmrDArmCbQhD2e7sK98Kk=@lendvai.name> (raw)
the context:
------------
there's an app currently packaged in guix, namely gnome-shell-extension-clipboard-indicator, that has a rather questionable practice: by default it saves the clipboard history (passwords included) in clear text, and the preferences for it is called something obscure. its author actively defends this situation for several years now, rejecting patches and bug reports.
a detailed discussion is available at:
https://github.com/Tudmotu/gnome-shell-extension-clipboard-indicator/issues/138
the fact that its name suggests that it is *the* standard gnome clipboard app makes the situation that much worse.
my question:
------------
how shall we deal with a situation like this?
1) shall i create a guix patch that makes the necessary changes in
this app, and submit it to guix? this would be a non-trivial, and
a rather hidden divergence from upstream, potentially leading to
confusion.
2) is there a way to attach a warning message to a package to explain
such situations to anyone who installs them? should there be a
feature like that? should there be a need for a --force switch, or
an interactive y/n, to force installing such apps?
3) is there a point where packages refusing to address security
issues should be unpackaged? and also added to a blacklist until the
security issue is resolved? where is that point? would this one
qualify?
4) is this the responsibility of a project like guix to address
situations like this?
5) do you know another forum where this dispute should be brought up
instead of guix-devel?
i'm looking forward to your thoughts, and/or any pointers or patches to the documentation that i should read.
--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
The price of liberty is eternal vigilance.
next reply other threads:[~2024-04-10 8:52 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-10 8:51 Attila Lendvai [this message]
2024-04-19 2:16 ` policy for packaging insecure apps Maxim Cournoyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='2bUjC_hEOSbsBdNlw5md-0Co6ZgqAYc4LLOfo01-HAhYkCNehW-8lXhBt8TN769ZDd68CMtzSvK2vrZH1gIf30pmrDArmCbQhD2e7sK98Kk=@lendvai.name' \
--to=attila@lendvai.name \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).