Control: severity -1 normal

Thanks for your report. I have to disagree about the severity of this issue, however.

To start with some history, the upstream developer moved all of the plowshare modules some time ago into a separate git repository with a name that included the word "legacy". At the time he contacted distro packagers and requested that we not package these modules at all. I decided to ignore this request and created plowshare-modules.

More recently, the upstream developer has stopped maintaining the "legacy" repo hosting the modules, although there are still users from the community contributing (unanswered) pull requests there and helping each other fix compatibility issues as the file sharing websites change. Given that there are no upstream releases and not even any upstream commits that could be used as pseudo-releases for plowshare-modules, it didn't make sense to keep it as a package in Debian without also adopting its upstream development (which I have no interest in doing). A plowshare-modules package would simply break over time and would not receive security updates from upstream. If anything its existence just created a false impression of security.

As I see it the threat model here involves two layers. Firstly the file sharing websites themselves could serve malicious code. This is mitigated in plowshare in Debian by disabling javascript execution unless the user explicitly opts in. There's not much more that can be done here given that we ultimately need to interact with those websites, because that's the whole point of plowshare.

The second layer is in the creation and distribution of the plowshare modules. As I mentioned there is no longer an official up-to-date source for them. A user can write them from scratch or download them from various sources. Plowmod merely assists with this by making the process easier when the user chooses to use a git repo as the source for these modules. It's not necessary to use plowmod at all though, since all you need is the module files, put in a directory where plowshare can find them.

On reflection I think it's a good idea to remove the plowshare-modules-legacy URL from plowmod which is currently used as a default. This made sense at the time of the last plowshare release, but doesn't really continue to make sense. With that small change to plowmod it would be made clearer to users that the onus is on them to trust the source since none are provided by default.

I agree that overall it would be nicer to have a curated and maintained set of modules in Debian, however without upstream commitment that seems like rather a lot of work for the benefit of O(100) users of the plowshare package in Debian. If you'd like to take on this work then I'd welcome it, but in its absence I don't believe that plowshare itself needs to be removed, or that the threat model you've suggested constitutes a fatal security flaw in plowshare.

Cheers,
Carl