Package: calibre
Version: 2.5.0+dfsg-1

Regarding the patch:
https://sources.debian.org/src/calibre/4.6.0+dfsg-1+exp1/debian/patches/Disable-plugin-dialog.patch/

"It uses a totally non-authenticated and non-trusted way of installing arbitrary code."

But this only removes the most visible location of the plugin downloader, not all of them, and furthermore, the rationale is incorrect: at least for as long as I can remember, plugin updates are downloaded via secure HTTPS connections from the calibre author's website (which hosts the plugins). Getting onto the list of plugins requires manual whitelisting by the mobileread.com community moderators.

And installing plugins is a 100% optional opt-in action which gives the user choice, albeit to install code not vetted by Debian, but third-party plugin stores are hardly the worst crime in the world.

Please reconsider the patch -- it causes a grave lack of functionality to most power users of the application and is a source of friction with upstream.

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User