Your message dated Fri, 25 Apr 2025 21:51:29 +0000
with message-id <[email protected]>
and subject line Bug#1102487: fixed in rclone-browser 1.8.0-6
has caused the Debian Bug report #1102487,
regarding Privacy leak: software "phones home"
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1102487: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102487
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rclone-browser
Version: 1.8.0-5
Severity: serious
Justification: privacy leak without user consent
User: [email protected]
Usertags: origin-ubuntu plucky
Downstream bug:
https://bugs.launchpad.net/ubuntu/+source/rclone-browser/+bug/2059246
I haven't fully verified this report, but based on an examination of the
source it seems credible.
It looks like this program will make a call out to
https://api.github.com/ by default, which at a minimum leaks to a third
party that the user is using this program.
In general, Debian users expect that third parties cannot audit what
programs they are using, so this is a privacy violation.
I think that:
1) The setting that controls this behaviour should be disabled by default
as is appropriate for distribution packaging.
2) It might be appropriate to remove (or otherwise make inactive) this
setting entirely, since for a distribution package, "checking" for
updates makes no sense as it should happen by apt instead, and the user
choosing to install a distribution package using apt is deliberately
opting in to apt-based package update management.
I suggest a patch something along the lines of the following (untested):
--- a/src/preferences_dialog.cpp
+++ b/src/preferences_dialog.cpp
@@ -93,10 +93,8 @@
ui.defaultRcloneOptions->setText(
settings->value("Settings/defaultRcloneOptions").toString());
- ui.checkRcloneBrowserUpdates->setChecked(
- settings->value("Settings/checkRcloneBrowserUpdates", true).toBool());
- ui.checkRcloneUpdates->setChecked(
- settings->value("Settings/checkRcloneUpdates", true).toBool());
+ ui.checkRcloneBrowserUpdates->setChecked(false);
+ ui.checkRcloneUpdates->setChecked(false);
if (QSystemTrayIcon::isSystemTrayAvailable()) {
ui.alwaysShowInTray->setChecked(
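Review bot: The two `setChecked(false)` calls stop reading `Settings/checkRcloneBrowserUpdates` and `Settings/checkRcloneUpdates` altogether, so an existing user's stored `true` is silently ignored here with nothing in the code saying why. Add a short comment stating that the distribution package disables update checks because apt handles updates, so a later merge from upstream does not quietly restore the `settings->value(..., true)` defaults.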
--- a/src/preferences_dialog.ui
+++ b/src/preferences_dialog.ui
@@ -299,6 +299,9 @@
</property>
<item>
<widget class="QCheckBox" name="checkRcloneBrowserUpdates">
+ <property name="enabled">
+ <bool>false</bool>
+ </property>
<property name="toolTip">
<string><html><head/><body><p>check daily
for Rclone Browser availability</p></body></html></string>
</property>
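Review bot: Setting `enabled` to `false` on `checkRcloneBrowserUpdates` leaves a greyed-out checkbox whose tooltip still reads "check daily for Rclone Browser availability", with no hint of why it cannot be changed. Either reword the tooltip to say that updates are handled by the package manager, or hide the widget; the same applies to `checkRcloneUpdates` in the following hunk.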
@@ -309,6 +312,9 @@
</item>
<item>
<widget class="QCheckBox" name="checkRcloneUpdates">
+ <property name="enabled">
+ <bool>false</bool>
+ </property>
<property name="toolTip">
<string><html><head/><body><p>check daily
for rclone availability</p></body></html></string>
</property>
--- a/src/main_window.cpp
+++ b/src/main_window.cpp
@@ -525,10 +525,7 @@
settings->value("Settings/rcloneVersion").toString();
// during first run the key might not exist yet
- if (!(settings->contains("Settings/checkRcloneUpdates"))) {
- // if checkRcloneUpdates does not exist create new key
- settings->setValue("Settings/checkRcloneUpdates", true);
- };
+ settings->setValue("Settings/checkRcloneUpdates", false);
bool checkRcloneUpdates =
settings->value("Settings/checkRcloneUpdates").toBool();
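Review bot: The added `settings->setValue("Settings/checkRcloneUpdates", false);` runs on every start and is read straight back by `settings->value("Settings/checkRcloneUpdates").toBool()`, so the round trip through the settings store achieves nothing beyond overwriting the user's configuration each time. Initialising `bool checkRcloneUpdates = false;` directly would be simpler, and the retained comment "during first run the key might not exist yet" no longer describes the code and should be removed.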
@@ -603,10 +600,7 @@
/// check rclone browser version
// during first run the key might not exist yet
- if (!(settings->contains("Settings/checkRcloneBrowserUpdates"))) {
- // if checkRcloneBrowserUpdates does not exist create new key
- settings->setValue("Settings/checkRcloneBrowserUpdates", true);
- };
+ settings->setValue("Settings/checkRcloneBrowserUpdates", false);
bool checkRcloneBrowserUpdates =
settings->value("Settings/checkRcloneBrowserUpdates").toBool();
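Review bot: Forcing `Settings/checkRcloneBrowserUpdates` to `false` only closes the leak if every request to api.github.com is gated on the `checkRcloneBrowserUpdates` boolean read just below, and the hunk does not show where that boolean is consumed. Since the patch is offered as untested, confirm by reading the rest of the function (or by watching the network on a first start) that no request is issued, and drop the context comment "during first run the key might not exist yet", which is stale once the write is unconditional.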
--- End Message ---
--- Begin Message ---
Source: rclone-browser
Source-Version: 1.8.0-6
Done: Eduardo Trápani <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rclone-browser, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eduardo Trápani <[email protected]> (supplier of updated rclone-browser
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 25 Apr 2025 17:47:06 -0300
Source: rclone-browser
Architecture: source
Version: 1.8.0-6
Distribution: unstable
Urgency: medium
Maintainer: Alex Myczko <[email protected]>
Changed-By: Eduardo Trápani <[email protected]>
Closes: 1102487
Changes:
rclone-browser (1.8.0-6) unstable; urgency=medium
.
* Team upload (package under salsa debian namespace)
* Fix privacy leak (Closes: #1102487)
--- End Message ---