On 2025-08-12 18:58:21 +0700, Max Nikulin wrote:
> On 08/08/2025 20:29, Vincent Lefevre wrote:
> > On 2025-08-07 18:52:47 +0700, Max Nikulin wrote:
> > > On 06/08/2025 10:18, Vincent Lefevre wrote:
> > > >
> > > > Note that passwords can easily be leaked.
> > >
> > > I see, earlier I even mentioned protocol that allows clipboard
> > > manager to ignore text copied by password managers.
> >
> > X11 selections are different from clipboard.
>
> I am unsure what you mean. PRIMARY, SECONDARY and CLIPBOARD selections are
> rather similar. Difference in behavior originates from conventions as they
> are implemented in applications. I do not mind that you may acquire much
> more data by scanning PRIMARY selection than from CLIPBOARD. However some
> data may be available from CLIPBOARD only.

If I want to copy-paste a password by using the PRIMARY selection,
there is no way to prevent some other application from reading it.

> > AFAIK, there are tags to ignore the RC severity for the next release.
>
> Do you mean trixie-ignore and forky-ignore? Have you tried to
> negotiate with the maintainer and with release manager to add them?

No. The maintainer immediately lowered the bug to wishlist.

> > The vulnerability here is important enough to justify a high severity.
> > In particular, it should be signaled by apt-listbugs.
>
> I find it valid concern. Unfortunately, it seems, in default configuration
> bugs are either not listed or severity serious or above causes removal from
> testing (unless "*-ignore" is added). Have I missed anything?

However, removing package that has risks for the user is some kind
of feature.

> > Moreover, initially I had not thought that a query was even done: as
> > a calendar was displayed (which is really strange for a dictionary
> > application) and did not see anything that looked like an answer to
> > a query, I was just thinking of some UI bug.
>
> I agree, it is confusing. From my point of view, a part of the problem is
> that the dictionary has been developed to be convenient in specific
> scenario. Privacy issues were overlooked. Recently the maintainer received a
> portion of complains with almost no suggestions how to meet expectations
> related to privacy while keeping convenience.

Even ignoring privacy issues, the default (e.g. getting a calendar
and/or a translation into some language[*]) is probably bad for
most users.

[*] possibly except for a language the application knows that the
user may be interested in, for instance deduced from the locales.

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

