Package: rclone-browser
Version: 1.8.0-5
Severity: serious
Justification: privacy leak without user consent
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu plucky

Downstream bug: https://bugs.launchpad.net/ubuntu/+source/rclone-browser/+bug/2059246

I haven't fully verified this report, but based on an examination of the source it seems credible.

It looks like this program will make a call out to https://api.github.com/ by default, which at a minimum leaks to a third party that the user is using this program. In general, Debian users expect that third parties cannot audit what programs they are using, so this is a privacy violation.

I think that:

1) The setting that controls this behaviour should be disabled by default as is appropriate for distribution packaging.

2) It might be appropriate to remove (or otherwise make inactive) this setting entirely, since for a distribution package, "checking" for updates makes no sense as it should happen by apt instead, and the user choosing to install a distribution package using apt is deliberately opting in to apt-based package update management.

I suggest a patch something along the lines of the following (untested):

--- a/src/preferences_dialog.cpp +++ b/src/preferences_dialog.cpp @@ -93,10 +93,8 @@ ui.defaultRcloneOptions->setText( settings->value("Settings/defaultRcloneOptions").toString()); - ui.checkRcloneBrowserUpdates->setChecked( - settings->value("Settings/checkRcloneBrowserUpdates", true).toBool()); - ui.checkRcloneUpdates->setChecked( - settings->value("Settings/checkRcloneUpdates", true).toBool()); + ui.checkRcloneBrowserUpdates->setChecked(false); + ui.checkRcloneUpdates->setChecked(false); if (QSystemTrayIcon::isSystemTrayAvailable()) { ui.alwaysShowInTray->setChecked( --- a/src/preferences_dialog.ui +++ b/src/preferences_dialog.ui @@ -299,6 +299,9 @@ </property> <item> <widget class="QCheckBox" name="checkRcloneBrowserUpdates"> + <property name="enabled"> + <bool>false</bool> + </property> <property name="toolTip"> <string><html><head/><body><p>check daily for Rclone Browser availability</p></body></html></string> </property> 
@@ -309,6 +312,9 @@ </item> <item> <widget class="QCheckBox" name="checkRcloneUpdates"> + <property name="enabled"> + <bool>false</bool> + </property> <property name="toolTip"> <string><html><head/><body><p>check daily for rclone availability</p></body></html></string> </property> --- a/src/main_window.cpp +++ b/src/main_window.cpp @@ -525,10 +525,7 @@ settings->value("Settings/rcloneVersion").toString(); // during first run the key might not exist yet - if (!(settings->contains("Settings/checkRcloneUpdates"))) { - // if checkRcloneUpdates does not exist create new key - settings->setValue("Settings/checkRcloneUpdates", true); - }; + settings->setValue("Settings/checkRcloneUpdates", false); bool checkRcloneUpdates = settings->value("Settings/checkRcloneUpdates").toBool(); @@ -603,10 +600,7 @@ /// check rclone browser version // during first run the key might not exist yet - if (!(settings->contains("Settings/checkRcloneBrowserUpdates"))) { - // if checkRcloneBrowserUpdates does not exist create new key - settings->setValue("Settings/checkRcloneBrowserUpdates", true); - }; + settings->setValue("Settings/checkRcloneBrowserUpdates", false); bool checkRcloneBrowserUpdates = settings->value("Settings/checkRcloneBrowserUpdates").toBool();
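
Review bot: In src/preferences_dialog.cpp (@@ -93,10 +93,8 @@), the two added setChecked(false) calls stop reading Settings/checkRcloneBrowserUpdates and Settings/checkRcloneUpdates, and nothing in the hunk says why. Add a comment above them stating that update checks are disabled in the distribution package because apt handles updates, so that a later merge from upstream does not quietly bring back the settings->value(..., true) default.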
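
Review bot: In src/preferences_dialog.ui (@@ -299,6 +299,9 @@ and @@ -309,6 +312,9 @@), the added enabled=false property greys out checkRcloneBrowserUpdates and checkRcloneUpdates, but the unchanged toolTip strings still read "check daily for Rclone Browser availability" and "check daily for rclone availability". A user hovering over a disabled checkbox gets no explanation of why it cannot be changed; consider rewording both tooltips to say that update checks are disabled in this package and that updates are delivered through apt.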
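
Review bot: In src/main_window.cpp (@@ -525,10 +525,7 @@), the added settings->setValue("Settings/checkRcloneUpdates", false) is unconditional, whereas the removed code only wrote the key when settings->contains(...) was false, so a value already stored for the user is now overwritten each time this code runs. The retained context comment "during first run the key might not exist yet" no longer describes the line that follows it. If forcing the check off is the intent, replace that comment with one saying so.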
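
Review bot: In src/main_window.cpp (@@ -603,10 +600,7 @@), the context line after the added settings->setValue("Settings/checkRcloneBrowserUpdates", false) reads the same key straight back with settings->value(...).toBool(), which will now always be false. Assigning the local directly, for example bool checkRcloneBrowserUpdates = false;, states the intent more plainly and avoids writing to the user's settings file at all; the same simplification applies to checkRcloneUpdates in the @@ -525,10 +525,7 @@ hunk.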