Bug#1104715: liferea: Tools -> Plugins menu item now broken and a privacy issue

[Paul Wise]

Package: liferea
Version: 1.15.8-2+b1
Control: found -1 1.12.2-1
Control: fixed -1 1.16~rc3-1
Tags: fixed-upstream
Severity: important
Usertags: crash
User: debian-de...@lists.debian.org
Userags: privacy

When the Tools -> Plugins menu item is selected, it loads the plugin
list from a JSON file hosted on GitHub[1]. This is both a privacy
issue[2] and now it is also broken because the file got removed
in upstream commit a92d3b0e2b5a4a4068308cbb3240b88073d09c49[3],
that causes a crash in plugin-installer.py due to the 404 error.

   1. 
https://raw.githubusercontent.com/lwindolf/liferea/master/plugins/plugin-list.json
   2. https://wiki.debian.org/PrivacyIssues
   3. 
https://github.com/lwindolf/liferea/commit/a92d3b0e2b5a4a4068308cbb3240b88073d09c49

This issue is fixed in upstream liferea 1.16-RC3 that merged the commit
above, but has been present since 1.12.2-1, which means that both
Debian stable and oldstable liferea need to be fixed too.

Since the freeze is close, I suggest installing the file from the
source package in plugins/plugin-list.json into /usr/share/liferea/
and then patching the plugin-installer.py to use a file:// URL instead.

I have tested this fix by editing the files locally, all of the
functionality of the Plugins dialog works, including downloading
and installing not yet installed plugins.

In addition, the plugin installation just downloads the plugins with
git clone, which seems a bit insecure, but this is dropped in 1.16-RC3,
and it is at least protected by TLS. It might be worth packaging some
of the popular liferea plugin packages from the list for Debian.

This is the crash seen on the console when opening the menu item:

   Traceback (most recent call last):
     File "/usr/lib/x86_64-linux-gnu/liferea/plugins/plugin-installer.py", line 
63, in _run
       self._browser = PluginBrowser()
                       ~~~~~~~~~~~~~^^
     File "/usr/lib/x86_64-linux-gnu/liferea/plugins/plugin-installer.py", line 
92, in __init__
       self._plugin_list = self.fetch_list()
                           ~~~~~~~~~~~~~~~^^
     File "/usr/lib/x86_64-linux-gnu/liferea/plugins/plugin-installer.py", line 
168, in fetch_list
       resp = urllib.request.urlopen(req).read()
              ~~~~~~~~~~~~~~~~~~~~~~^^^^^
     File "/usr/lib/python3.13/urllib/request.py", line 189, in urlopen
       return opener.open(url, data, timeout)
              ~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
     File "/usr/lib/python3.13/urllib/request.py", line 495, in open
       response = meth(req, response)
     File "/usr/lib/python3.13/urllib/request.py", line 604, in http_response
       response = self.parent.error(
           'http', request, response, code, msg, hdrs)
     File "/usr/lib/python3.13/urllib/request.py", line 533, in error
       return self._call_chain(*args)
              ~~~~~~~~~~~~~~~~^^^^^^^
     File "/usr/lib/python3.13/urllib/request.py", line 466, in _call_chain
       result = func(*args)
     File "/usr/lib/python3.13/urllib/request.py", line 613, in 
http_error_default
       raise HTTPError(req.full_url, code, msg, hdrs, fp)
   urllib.error.HTTPError: HTTP Error 404: Not Found

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 
'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 
'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.25-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages liferea depends on:
ii  dbus-user-session [default-dbus-session-bus]  1.16.2-2
ii  dbus-x11 [dbus-session-bus]                   1.16.2-2
ii  gir1.2-freedesktop [gir1.2-libxml2-2.0]       1.84.0-1
ii  gir1.2-gtk-3.0                                3.24.49-3
ii  gir1.2-peas-1.0                               1.36.0-3+b4
ii  libc6                                         2.41-7
ii  libfribidi0                                   1.0.16-1
ii  libgdk-pixbuf-2.0-0                           2.42.12+dfsg-2
ii  libgirepository-1.0-1                         1.84.0-1
ii  libglib2.0-0t64                               2.84.1-1
ii  libgtk-3-0t64                                 3.24.49-3
ii  libjavascriptcoregtk-4.1-0                    2.48.1-2
ii  libjson-glib-1.0-0                            1.10.6+ds-2
ii  libpango-1.0-0                                1.56.3-1
ii  libpeas-1.0-0                                 1.36.0-3+b4
ii  libsoup-3.0-0                                 3.6.5-1
ii  libsqlite3-0                                  3.46.1-4
ii  libwebkit2gtk-4.1-0                           2.48.1-2
ii  libxml2                                       2.12.7+dfsg+really2.9.14-0.4
ii  libxslt1.1                                    1.1.35-1.2
ii  liferea-data                                  1.15.8-2
ii  python3                                       3.13.3-1
ii  python3-cairo                                 1.27.0-2
ii  python3-gi                                    3.50.0-4+b1
ii  python3-gi-cairo                              3.50.0-4+b1
ii  python3-notify2                               0.3.1-1
ii  python3.13                                    3.13.3-2

Versions of packages liferea recommends:
ii  gir1.2-gstreamer-1.0  1.26.0-3
ii  gir1.2-notify-0.7     0.8.6-1

Versions of packages liferea suggests:
ii  kget             4:24.12.3-2
ii  network-manager  1.52.0-6

-- no debconf information

-- 
bye, pabs https://wiki.debian.org/PaulWise

signature.asc
Description: This is a digitally signed message part