Package: sweethome3d Version: 4.3+dfsg-2 Severity: serious I've only tested 4.3+dfsg-2 (through Ubuntu 14.04), but I see nothing in changelogs to suggest that this behaviour has changed more recently.
By default, sweethome3d calls home by making an HTTP request to http://www.sweethome3d.com/SweetHome3DUpdates.xml. This is a privacy leak. It is configurable once the program is started, however. Expected behaviour: in Debian, this should be patched to be turned off by default. Serious severity justification: I cannot find a reference, but I believe that this is frowned upon enough in Debian to make the package unfit for release. If I'm wrong, I'm happy to be corrected. Thanks, Robie
signature.asc
Description: Digital signature