Package: calibre
Version: 3.4.0+dfsg-1
Severity: normal

Dear Maintainer,

I'm using cron and /usr/bin/ebook-convert to fetch RSS news daily. Some generated ebooks contain typos. The mistakes are located in a so-called "news fetching recipe" in the Zip archive /usr/share/calibre/builtin_recipes.zip. I tried to edit the recipe code but the mistakes remain in the ebooks. I wrote my own custom recipe, I edited the built-in recipe in the ZIP archive - nothing helps. As a last try I switched off the network and had success.

That made me curious, so I repeated the procedures with Wireshark logging network traffic. The result: Calibre completely ignores built-in recipes and loads python scripts from a server in Mumbai/India:
https://code.calibre-ebook.com:443/...
(using self-signed wildcard certificate)

It's an absolute taboo to load scripts in the background from an untrusted server and execute them on a Linux computer without user permission and without informing the user. This is a Debian OS not Windows. What if the scripts contain malware or spyware?

My workaround is to remove /usr/share/calibre/calibre-ebook-root-CA.crt. That breaks unwanted HTTPS connections.

Here is a test script for verifying. It runs in a terminal without the need of starting Calibre:

-----
#!/bin/sh

# test directory
TARGET="$HOME/test"

LABEL="Pro-Physik"
RECIPE="Pro Physik.recipe"
PROFILE="kindle"
FORMAT="mobi"
EBOOK="$TARGET/$LABEL.$FORMAT"

EXEC="/usr/bin/ebook-convert"
LOG="$HOME/test/fetch.log"

# make sure the test directory exists before redirecting into it
mkdir -p "$TARGET"

# append all further output (stdout and stderr) to the log file
exec >> "$LOG" 2>&1

# printf instead of "echo -e": dash, which /bin/sh points to here,
# does not interpret -e and would print it literally
printf '\n*** fetching %s ****\n' "$LABEL"

# convert the named recipe into an ebook for the chosen output profile
"$EXEC" "$RECIPE" "$EBOOK" --output-profile "$PROFILE"
-----

BTW: "Pro Physik.recipe" is a python script archived in /usr/share/calibre/builtin_recipes.zip and contains some typos.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.6-bulldozer (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages calibre depends on:
ii  calibre-bin                      3.4.0+dfsg-1
ii  fonts-liberation                 1:1.07.4-2
ii  imagemagick                      8:6.9.7.4+dfsg-16
ii  imagemagick-6.q16 [imagemagick]  8:6.9.7.4+dfsg-16
ii  libjs-coffeescript               1.10.0~dfsg-1
ii  libjs-mathjax                    2.7.0-2
ii  poppler-utils                    0.48.0-2
ii  python-apsw                      3.16.2-r1-2+b1
ii  python-beautifulsoup             3.2.1-1
ii  python-chardet                   3.0.4-1
ii  python-cherrypy3                 3.5.0-2
ii  python-cssselect                 1.0.1-1
ii  python-cssutils                  1.0-4.1
ii  python-dateutil                  2.6.0-1
ii  python-dbus                      1.2.4-1+b2
ii  python-feedparser                5.1.3-3
ii  python-lxml                      3.8.0-1+b1
ii  python-markdown                  2.6.9-1
ii  python-mechanize                 1:0.2.5-3
ii  python-msgpack                   0.4.8-1+b1
ii  python-netifaces                 0.10.4-0.1+b3
ii  python-pil                       4.2.1-1
ii  python-pkg-resources             36.2.7-2
ii  python-pyparsing                 2.1.10+dfsg1-1
ii  python-pyqt5                     5.7+dfsg-5+b1
ii  python-pyqt5.qtsvg               5.7+dfsg-5+b1
ii  python-pyqt5.qtwebkit            5.7+dfsg-5+b1
ii  python-regex                     0.1.20170117-1+b1
ii  python-routes                    2.4.1-1
ii  python2.7                        2.7.13-2
ii  xdg-utils                        1.1.1-1

Versions of packages calibre recommends:
ii  python-dnspython  1.15.0-1

calibre suggests no packages.

-- no debconf information