Bug#1051408: Acknowledgement (flameshot: uploads potentially sensitive screenshots to the internet)

2023-09-21 Thread Boyuan Yang
X-Debbugs-CC: Peter 
Control: tags -1 +confirmed
Control: notfound -1 12.1.0-2
Control: fixed -1 12.1.0-2

Hi,

On Thu, 7 Sep 2023 19:43:10 +0200 Peter wrote:
> Thank you for the quick response to my message.
> 
> My message is wrong in one place: I tested the old version from Debian 
> Bullseye.
> 
> In Bookworm it behaves as follows: There is an "Imgur Application Client 
> Id" configured in the installation. So it is possible to use the upload 
> without any further configuration. But before uploading there is a 
> security prompt. In German: "Möchest du diese Aufnahme hochladen?"/"Do 
> you want to upload this image?". You may set "Upload without confirmation".
> 
> For privacy reasons I would prefer the image upload function to be 
> disabled by default and no Imgur Application Id configured.

Debian's flameshot package maintainer here.

My understanding is that this bug only affects flameshot in Debian 11.
Since flameshot in Debian 12 or later provides a confirmation window
before uploading, no security concern should be assumed. As a package
maintainer, I do not want to deviate from upstream's decision on providing
a default imgur token in newer flameshot.

Your concern about flameshot in Debian 11 looks valid. Your proposed patch
to completely strip the imgur token is kind of brute-force and I don't really
like it, but I don't have enough time to backport a proper fix for popping up
a confirmation window before imgur upload. As a result, I will take it
as-is and provide an oldstable-proposed-updates for flameshot in Debian 11.

NOTE: such a change will later need to be reviewed by the Debian Release Team, and
the acceptance of this patch is solely at the discretion of the Release Team; I
cannot guarantee that it will be accepted.

Thanks,
Boyuan Yang



Processed: Re: Bug#1051408: Acknowledgement (flameshot: uploads potentially sensitive screenshots to the internet)

2023-09-21 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 +confirmed
Bug #1051408 [flameshot] flameshot: uploads potentially sensitive screenshots 
to the internet
Added tag(s) confirmed.
> notfound -1 12.1.0-2
Bug #1051408 [flameshot] flameshot: uploads potentially sensitive screenshots 
to the internet
No longer marked as found in versions flameshot/12.1.0-2.
> fixed -1 12.1.0-2
Bug #1051408 [flameshot] flameshot: uploads potentially sensitive screenshots 
to the internet
Marked as fixed in versions flameshot/12.1.0-2.

-- 
1051408: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1051408: Acknowledgement (flameshot: uploads potentially sensitive screenshots to the internet)

2023-09-07 Thread Peter

Thank you for the quick response to my message.

My message is wrong in one place: I tested the old version from Debian 
Bullseye.


In Bookworm it behaves as follows: There is an "Imgur Application Client 
Id" configured in the installation. So it is possible to use the upload 
without any further configuration. But before uploading there is a 
security prompt. In German: "Möchest du diese Aufnahme hochladen?"/"Do 
you want to upload this image?". You may set "Upload without confirmation".


For privacy reasons I would prefer the image upload function to be 
disabled by default and no Imgur Application Id configured.


Best regards.
Peter