-
"drive-by contributor attacks" is an undefined term! I tried to look it up, but there is no literature about this, nor any wiki or forum posts mentioning it. So I am assuming it is made up. So what does that even mean? And it should mean something, if it is used in a justification for actions.
-
He distrusts internet capability so much he straight up force-pushed an update to people just wanting their password manager to work, not spend time realizing "oh shit maintainer of that package is insane and stripped most basic features like autofill which DON'T EVEN USE INTERNET CONNECTIVITY".
-
As I understood Julian, he will now provide two versions and a transitional package instead of straight up downgrading everybody.
-
fyi @julian-klode
-
As a heads up, this video about the issue went out 18 hours ago, and is currently sitting at 20k views and ~600 comments. It's what brought it to my attention, and the attention of many others.
-
Sadly, I just got informed about the issue 10725, the message by the German Debian KC package maintainer working for the company behind Ubuntu (Canonical Ltd - conflict of interest?). When I wanted to comment I saw it's locked.
So we have that:
As a user of all distros, especially Debian and Arch, I am absolutely confused about that behavior. The statement given by him is:
So the maintainer not only insults the users who are using appropriate opt-in features without any valid ground, he is also unable to prove that there are any actual security risks or security issues involved. He absolutely bases it all on a privacy, NOT SECURITY, concern on the Debian Bug Tracker. It is about a few icons (or anything like that) being loaded, despite the issue talking about the broken browser integration. It is also unclear what the maintainer is exactly talking about when he says (by-default disabled) "plugins".
There is no obvious security risk. There might be a privacy risk, of course, when a password manager connects to somewhere. Every other application does that too. Especially those on Debian. So why does the maintainer speak that hypocrisy out? Because he wants to bypass the need to justify his stance.
Another point highlighted by the community is that people need those features. Features are industry standards. The XC project seemingly disables them by default and goes for opt-in, which is already the most secure version of it. If Debian does not supply them, the users will neither consider Debian in a good way nor the XC project, causing distrust and damage for us all.
To be honest: from a security and user pov this is unacceptable.
Maintainers randomly deciding to disable/enable flags, lying about the reason, making up terms, breaking important core features used by all, causing bug reports to an open project without proper communication. Finally, after being invited into the discussion, he's not providing reasons, only excuses and even really bad ones. On top of that, insulting the users is more than disappointing, disgusting, disrespecting and gives the Debian project a really weird shade!
This is exactly why only a few trust the Linux and (Fully) Open Source Community and people like this maintainer destroy the trust that has been shaped over the many years. Just for his toxic, individual opinion - sorry for the rant!
/E: And yes, nobody reads your damn news, if they are written on a board from the 2000s, wake up - you're living in 2024.
/E1: As a German I am expecting more of my people, not this crap. So I am pissed off three times at once.
Regards