07-02-2017, 01:48 AM   #12
eschwartz
Ex-Helpdesk Junkie
Posts: 19,421
Karma: 85400180
Join Date: Nov 2012
Location: The Beaten Path, USA, Roundworld, This Side of Infinity
Device: Kindle Touch fw5.3.7 (Wifi only)
Quote:
Originally Posted by norbusan
Indeed, both are needed, that is true.

I have made unrar packages that include the libunrar.so(.5) and sent the patches to the maintainer. Next I will package python2-unrardll and will upload it to the non-free archive.

With the maintainer of Calibre we will discuss how to handle the errors in case python2-unrardll is not installed.

Discussions about DFSG are useless - I am at many times not happy either, but that doesn't help ;-)

Thanks
Don't see any bug reports in my admittedly inexpert search of the Debian bugtracker.

Note also that while you are fixing things, since you seem to be somewhat invested in Debian packaging for calibre ...

It would be nice if Debian would stop shipping downstream manpages for binaries that no longer exist at all, and start shipping the desktop files, icons and other XDG stuff that calibre does try to install. The fact that Debian has essentially forked calibre's system integration entirely with a vastly inferior downstream version is... well, I would say troubling except I don't actually have to deal with it on a personal level.
It also causes occasional bug reports both for Debian/Ubuntu and occasionally mis-aimed at calibre itself, when people want to know why there are problems with the desktop files/icons.

Also if you could bug someone to re-enable the update notifier, that would be much obliged. There is a checkbox to disable the notifications if someone doesn't want to get told when Debian is running behind upstream releases, and more importantly, it also handles the plugin notifications. Which were erroneously patched out based on the absolutely shoddy logic that "It uses a totally non-authenticated and non-trusted way of installing arbitrary code."
calibre plugins are curated by the moderators here before being linked to the plugin index, so the only possible danger ever was a man-in-the-middle attack between MobileRead --> calibre-ebook.com --> user. I suppose some Debian busybodies believe anything that wasn't downloaded directly from the Debian repositories is somehow horribly dangerous or at least highly suspicious.
And calibre-ebook.com has served the plugin downloads via HTTPS for a long time, so any MiTM injecting malicious code while Kovid was running the scraper for updated plugins would be noticed if all calibre users were getting malware.
And MobileRead itself is now also HTTPS-enabled so that isn't a problem either.

See this bug -- and from the way the reporter described it, I am not at all sure he even uses the software, because he certainly didn't check to see how the feature operates. He might be shocked to learn that the question_dialog does indeed require user interaction, and appears whenever a plugin is installed whether via the plugin index or manually loaded from a file.
It is of course patently obvious that he never bothered asking upstream whether any security checks were done, or requesting such -- just reflexively disabling things willy-nilly.