On Mon, 2025-05-05 at 08:22 +0200, Paul Gevers wrote:

> 1.16-RC3 is in experimental. Does using that solve the problem well 
> enough? (It's not 100% clear on my first read of this report).

I haven't tested it, but the commit removes the plugin-installer.py
file completely, which is where the bug was.

The replacement plugin setup is for folks to manually download, verify,
audit and install any plugins that they are intending to use. In theory
this fixes all of the issues that I mentioned in my initial report.

Except that most plugins won't have any kind of signature to verify,
and most users probably won't be doing any kind of code audit, and
probably none of the plugins have any social audits in CREV either.

https://github.com/crev-dev/

> Can you share what you changed in this bug report? Even if only for stable?

In [1] in PluginBrowser in fetch_list, change list_url to [2].
Copy plugins/plugin-list.json from the source package to [2].

   1. /usr/lib/x86_64-linux-gnu/liferea/plugins/plugin-installer.py
   2. file:///usr/share/liferea/plugins/plugin-list.json

Since the file got re-added upstream, this isn't necessary to
fix the breakage, but changing it would fix the privacy issue.

There are too many versions in use to change this upstream though.

https://repology.org/project/liferea/versions

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
