Hi Attila, Attila Lendvai <att...@lendvai.name> writes:
> the context: > ------------ > > there's an app currently packaged in guix, namely > gnome-shell-extension-clipboard-indicator, that has a rather questionable > practice: by default it saves the clipboard history (passwords included) in > clear text, and the preferences for it is called something obscure. its > author actively defends this situation for several years now, rejecting > patches and bug reports. Are there no forks yet? [...] > my question: > ------------ > > how shall we deal with a situation like this? > > 1) shall i create a guix patch that makes the necessary changes in > this app, and submit it to guix? this would be a non-trivial, and > a rather hidden divergence from upstream, potentially leading to > confusion. Perhaps enough people are interested in getting this in order to have created a fork already? We could use it. > 2) is there a way to attach a warning message to a package to explain > such situations to anyone who installs them? should there be a > feature like that? should there be a need for a --force switch, or > an interactive y/n, to force installing such apps? For now, I think a simple mention of the issue in the description could be enough. > 3) is there a point where packages refusing to address security > issues should be unpackaged? and also added to a blacklist until the > security issue is resolved? where is that point? would this one > qualify? Is the issue is severe enough (I don't think it is the case here -- it seems a note to its description would be sufficient -- but I haven't looked closely into it), I think the package could be dropped, discussed as a patch. > 4) is this the responsibility of a project like guix to address > situations like this? When the security risks introduced are severe, I'd say so (by excluding such package from our collection) -- but it would need to be something truly problematic. -- Thanks, Maxim
