On Sat, 2023-09-23 at 22:10 +0100, Adam D. Barratt wrote:
> Control: tags -1 confirmed
> 
> On Thu, 2023-09-21 at 13:37 -0400, Boyuan Yang wrote:
> > As reported in https://bugs.debian.org/1051408 , current flameshot
> > in Debian 11 (Bullseye) will silently upload the current captured
> > screenshot to imgur without confirmation whenever the corresponding
> > hotkey is pressed. This imposes a security risk of leaking
> > sensitive information.
> > 
> > In order to mitigate this issue, I propose to upload flameshot
> > 0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded
> > in the source code. Users who wish to utilize the img uploading
> > feature can fill in their own imgur token in flameshot config
> > window to re-enable the feature.
> > 
> 
> Please go ahead.
> 

I should have spotted this before, but the news file in the source
package should simply be named "debian/NEWS"; dh_installchangelogs will
then install it as NEWS.Debian in the binary package.

It's up to you whether you want to upload a +deb11u2 that simply fixes
that, or would prefer that we reject the existing upload and you can
upload a fixed +deb11u1.

Regards,

Adam
