On Tue, Oct 3, 2017 at 5:49 PM, Jonas Smedegaard <d...@jones.dk> wrote: > Package: kodi > Version: 2:17.3+dfsg1-2 > Severity: grave
This severity feels a bit inflated. After all, you can download and run non-free programs using a web browser too! > Tags: security upstream patch > Justification: user security hole > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Kodi supports downloading and loading addons at runtime. > > Official addon feed is served only via http and contain non-free addons. > > Allowing to extend the system with non-free addons at runtime by default > is arguably an anti-feature in itself. Doing so insecurely poses a risk > of malicious code getting into users' home and executed by Kodi. > > Attached patch relaxes to make addon feed optional. Making plugin feeds optional sounds good though. > > I intend to move the addons feed configuration file to a separate > package "kodi-repository-kodi" and, at first, ship that package in main > recommended by kodi. > > Later when an alternate package "kodi-repository-curated" is available¹, > I intend to favor that over kodi-repository-kodi and move the latter to > contrib. I don't think moving to contrib makes sense. Either the package fits the requirements for main or it doesn't. I don't think this package should go in contrib, as it doesn't *need* any software not available in main. So it should not be moved there. -- Saludos, Felipe Sateler _______________________________________________ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
