Package: rclone-browser
Version: 1.8.0-5
Severity: serious
Justification: privacy leak without user consent
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu plucky
Downstream bug: https://bugs.launchpad.net/ubuntu/+source/rclone-browser/+bug/2059246
I haven't fully verified this report, but based on an examination of the
source it seems credible.
It looks like this program will make a call out to
https://api.github.com/ by default, which at a minimum leaks to a third
party that the user is using this program.
In general, Debian users expect that third parties cannot audit what
programs they are using, so this is a privacy violation.
I think that:
1) The setting that controls this behaviour should be disabled by default,
as is appropriate for distribution packaging.
2) It might be appropriate to remove (or otherwise make inactive) this
setting entirely, since for a distribution package, "checking" for
updates makes no sense as it should happen by apt instead, and the user
choosing to install a distribution package using apt is deliberately
opting in to apt-based package update management.
I suggest a patch something along the lines of the following (untested):
--- a/src/preferences_dialog.cpp
+++ b/src/preferences_dialog.cpp
@@ -93,10 +93,8 @@
ui.defaultRcloneOptions->setText(
settings->value("Settings/defaultRcloneOptions").toString());
- ui.checkRcloneBrowserUpdates->setChecked(
- settings->value("Settings/checkRcloneBrowserUpdates", true).toBool());
- ui.checkRcloneUpdates->setChecked(
- settings->value("Settings/checkRcloneUpdates", true).toBool());
+ ui.checkRcloneBrowserUpdates->setChecked(false);
+ ui.checkRcloneUpdates->setChecked(false);
if (QSystemTrayIcon::isSystemTrayAvailable()) {
ui.alwaysShowInTray->setChecked(
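Review bot: this hunk only changes what the preferences dialog displays; it does not touch the `true` fallback that any code performing the actual update check would use when it reads `Settings/checkRcloneBrowserUpdates` or `Settings/checkRcloneUpdates` from settings, so on a fresh install with no stored value the network call to api.github.com may still happen by default. If the goal is option 1 (disabled by default), change the fallback in the `settings->value(..., true)` reads to `false` rather than dropping the reads, i.e. `settings->value("Settings/checkRcloneBrowserUpdates", false).toBool()`, and make the same change wherever the check itself consults these keys. As written, the dialog also ignores a user's stored opt-in, so saving the dialog would silently overwrite their choice with `false`.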
--- a/src/preferences_dialog.ui
+++ b/src/preferences_dialog.ui
@@ -299,6 +299,9 @@
</property>
<item>
<widget class="QCheckBox" name="checkRcloneBrowserUpdates">
+ <property name="enabled">
+ <bool>false</bool>
+ </property>
<property name="toolTip">
<string><html><head/><bo