Package: brltty
Version: 5.4-7+deb9u1
Severity: critical

brltty's default behavior seems to not just claim all USB serial devices, but to send random data to them, potentially causing harm to the connected device.
Grabbing all USB serial devices breaks every single other package related to serial communications, qualifying it as a critical bug. Default behavior that sends data to unknown devices that is capable of causing damage to the user's hardware is also a critical bug.

In my specific example, the autoprobing behavior caused an 8kW inverter to hard shut down, interrupting power to multiple residences. This only caused minor harm, and the system was able to be restarted once the serial connection was disconnected, but could easily have caused severe harm, especially if I hadn't noticed the issue promptly. Default behavior with the potential to cause costly real-world damage is absolutely unacceptable, and this is a critical issue that needs to be fixed.

Web searches also found people complaining about all sorts of other problems caused by this behavior, such as the popular Arduino device malfunctioning, as well as problems for 3D printers, industrial systems, and other devices. Unknown devices absolutely should not be sent random data as a default behavior.

As a less-harmful behavior that's still highly annoying, brltty prevents the functioning of all USB serial devices, by default, with the default configuration. "Breaks everything" should not be the default behavior of any package. This annoying behavior has been mentioned in other bugs, but the potential to cause damage to devices has not, so I am filing a new bug, and marking it critical.

Some possible suggestions:

1) Don't grab any device, or attempt to probe any device, that does not have an id that explicitly and unambiguously identifies it as a compatible terminal. Users of other devices would need to manually configure.

2) During install, prompt for whether brltty should be started on boot. If the user does not opt to start brltty, the default behavior would be a non-issue. A warning should also be shown that starting brltty will break any other USB serial devices until it is manually configured.
This is also mentioned in bug #598906.

3) During install, prompt the user for their device's port. If nothing is specified, do not access any ports.

4) Don't send data to any unknown device. This would reduce the issue to the annoying process of figuring out why a USB serial device unexpectedly doesn't work, which is better than potentially causing harm.

Two other open bugs, #667616 and #721763, contain statements that none of the above would be acceptable, and the actual bug is that it got installed in the first place. However, no progress seems to have been made on eliminating any dependencies on brltty. Since brltty is still being installed unexpectedly on some systems, the default behavior needs to not be harmful.

My suggestion would be that if brltty is not being used during the installation, the user should be prompted whether to enable it on boot, with a warning that it may interfere with other devices. This would cause no issues at all for people known to need it, and would prevent it from being an unexpected problem for any users. If brltty is being used during the installation, then it should be enabled without asking. You could also check to see whether brltty is marked as being manually installed, and if so, not prompt and enable by default, so that anyone who explicitly apt-get installs it is assumed to want it, along with any issues it may cause.

Even if the user intentionally installs it, the assumption probably shouldn't be that every USB serial device the user may have attached is a compatible terminal, and even users with compatible terminals may wish to use other USB serial devices, and expect that potentially harmful data will not be sent to them.

I will also be filing bug reports against the dependency that got it installed on my system, which I agree is also a bug, but I think the default as-installed behavior potentially causing harm, especially hardware or other physical damage, is itself a critical bug that must be addressed.
Installing a package by accident, with no further action, should not be harmful to other software or to the user's hardware.

Thanks,
--Fluffy

-- System Information:
Debian Release: 9
  Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-0.bpo.3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages brltty depends on:
ii  init-system-helpers    1.48+devuan2.0
ii  libasound2             1.1.3-5
ii  libbluetooth3          5.43-2+deb9u1
ii  libbrlapi0.6           5.4-7+deb9u1
ii  libc6                  2.24-11+deb9u4
ii  libglib2.0-0           2.50.3-2
ii  libgpm2                1.20.4-6.2+b1
ii  libicu57               57.1-6+deb9u2
ii  libncursesw5           6.0+20161126-1+deb9u2
ii  libpolkit-gobject-1-0  0.105-18+devuan2.11
ii  libsystemd0            232-25+deb9u9
ii  libtinfo5              6.0+20161126-1+deb9u2
ii  lsb-base               4.1+devuan2
ii  policykit-1            0.105-18+devuan2.11

Versions of packages brltty recommends:
ii  python  2.7.13-2

Versions of packages brltty suggests:
pn  brltty-speechd   <none>
pn  brltty-x11       <none>
pn  console-braille  <none>

-- no debconf information
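The report's first suggestion is that a package should only act on devices whose ids unambiguously identify them as compatible terminals. One way for an administrator to check a system for the opposite pattern, before anything is attached to it, is to audit the installed udev rules for matches that act on the whole tty/usb subsystem (or on all ttyUSB*/ttyACM* names) without pinning a vendor and product id. The script below is an added example, not part of the bug report and not brltty's own code or rules: the sample rules file is constructed for the demonstration, the names in it (`hypothetical-probe`, `HYPOTHETICAL_PROBE`) are invented, and the "broad rule" heuristic is my own assumption about what "unambiguously identifies" means in udev terms, not a udev or Debian definition.

```shell
#!/bin/sh
# Added example, not part of the bug report or of brltty: audit udev rules for
# matches that claim every USB serial device instead of a specifically
# identified one. A rule is treated as "broad" when it acts on the tty/usb
# subsystem or on ttyUSB*/ttyACM* kernel names without pinning a vendor and
# product id. This heuristic is an assumption, not a udev or brltty definition.

# Print the non-comment rule lines from FILE that act on serial-class devices
# without an ATTRS{idVendor}/ATTRS{idProduct} or ENV{ID_VENDOR_ID}/ENV{ID_MODEL_ID}
# match.
broad_serial_rules() {
    grep -v '^[[:space:]]*#' "$1" \
    | grep -E 'SUBSYSTEMS?=="(tty|usb)"|KERNEL=="tty(USB|ACM)' \
    | grep -vE 'ATTRS?[{]idVendor[}]|ATTRS?[{]idProduct[}]|ENV[{]ID_VENDOR_ID[}]|ENV[{]ID_MODEL_ID[}]'
}

# Count the broad rules in FILE; 0 when there are none or the file is unreadable.
broad_serial_rule_count() {
    if [ -r "$1" ]; then
        broad_serial_rules "$1" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Constructed sample rules file (hypothetical content, not brltty's rules).
SAMPLE_RULES="${TMPDIR:-/tmp}/sample-serial.rules.$$"
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# Specific: pinned to one vendor/product id, acceptable
SUBSYSTEM=="tty", ATTRS{idVendor}=="1234", ATTRS{idProduct}=="5678", TAG+="hypothetical_terminal"
# Broad: claims every USB-to-serial adapter
SUBSYSTEM=="tty", KERNEL=="ttyUSB*", RUN+="/usr/local/bin/hypothetical-probe"
# Broad: every CDC ACM device (Arduino-style boards enumerate here)
KERNEL=="ttyACM*", ENV{HYPOTHETICAL_PROBE}="1"
# Unrelated: block devices
SUBSYSTEM=="block", KERNEL=="sd*", MODE="0660"
EOF

echo "Broad serial rules in the constructed sample ($(broad_serial_rule_count "$SAMPLE_RULES")):"
broad_serial_rules "$SAMPLE_RULES" || true

# Read-only audit of the live rule directories on this host; prints nothing
# when no rule file contains a broad serial match.
for d in /etc/udev/rules.d /lib/udev/rules.d /usr/lib/udev/rules.d; do
    for f in "$d"/*.rules; do
        [ -r "$f" ] || continue
        n=$(broad_serial_rule_count "$f")
        if [ "$n" -gt 0 ]; then
            echo "$f: $n broad serial rule(s)"
        fi
    done
done
```

On the constructed sample the audit reports the two rules that act on ttyUSB*/ttyACM* without an id match and ignores the pinned rule and the block-device rule. On a real host the second loop only reads the rule directories; any hit is a candidate for review, since a rule that matches on subsystem or kernel name alone will fire for every adapter the user plugs in, which is exactly the behavior the report describes.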