Package: kodi
Version: 2:17.3+dfsg1-2
Severity: grave
Tags: security upstream patch
Justification: user security hole
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Kodi supports downloading and loading addons at runtime.

The official addon feed is served only via http and contains non-free addons.

Allowing the system to be extended with non-free addons at runtime by default is arguably an anti-feature in itself. Doing so insecurely poses a risk of malicious code getting into users' home and being executed by Kodi.

The attached patch relaxes this to make the addon feed optional.

I intend to move the addons feed configuration file to a separate package "kodi-repository-kodi" and, at first, ship that package in main, recommended by kodi. Later, when an alternate package "kodi-repository-curated" is available¹, I intend to favor that over kodi-repository-kodi and move the latter to contrib.

 - Jonas

¹ I am setting up a web service "addons.debian.net" which (among other things) will provide a curated feed of Kodi plugins, filtered to list only DFSG-free addons.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAlnT98AACgkQLHwxRsGg
ASFMZxAAgXo0sDusWtQHM8KIRzEeYClOdpuL+91tzCCjgtQaHK2APUx94LyvDYuL
rDdv+Ej26g4paCk5tryCLkdwuJmdtpyfV8JlXwgDbPaaZP//fPqMazct+1jcz9bV
ALBG74QqFAjgeidUdZ2DlpIpZaCFB1M2Qaf/ertezTLiHu65jtPrLgx5NIsUYjKf
sXOdvQl3b0oXC3BABLhKEWzZEoB1L08DgTxn/H/xwMsKvgQ6UIYvBpiloiLIJ/pz
DRYvpF0crM3UD+wN53KM6YfzZuFeVeCbL1bZnlzz7Js9FleyFGMx7m6OTtwMIU4p
SgtaRm2atNkYrmjN+sjZjOWwGGmyKag7BUNWUDn/L++NZiTvxZ1Qvl1zk3cH9Pp+
pgN4CW1/6PYuj6Q75WPwnyGEaB0jssotCj6aiNF8nBf4IExPQ/o6tvTy3YEyOCfJ
woFiX+s1VymJOd7jvUX+h4VaG3adM4u2Ttj3p3E5qP4CjewiR2PC4nqQZymzaWSh
i+nSubGZ4mx70PIlSAKoCMptrC1yfRM9u9getz6q/bSWBLd5pO/gM74+MNNqeYj8
JpGebLdzdlRSny0tv3MPGdEl/iwCkhum3Br5UZCq+L1ZM6NsB3e1YGp/6QsYkNAI
ecWQGNN5/QEkPqz+uyiynf8FEhZn7GURJ6FiF49JN/T7Ly0oAeQ=
=pgk+
-----END PGP SIGNATURE-----
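The two checks a packager would want here, as an added example that is not part of the bug report, the attached patch or Kodi's own code: split a system/addon-manifest.xml into mandatory and optional entries (the semantics the patch relies on), and audit a repository add-on's feed definition for URLs that are fetched over plain http, where neither the index nor its checksum is protected against an on-path attacker. The manifest excerpt is copied from the patch context; the repository addon.xml is a constructed sample whose element layout (an xbmc.addon.repository extension with info, checksum and datadir children) is an assumption modelled on Kodi's repository add-on format, with placeholder hostnames.

```python
"""Audit a Kodi add-on manifest and a repository add-on definition.

Added example; not code from the bug report, the patch, Kodi or Debian.
Assumption: the repository addon.xml layout below follows Kodi's
xbmc.addon.repository extension point; hostnames are placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Manifest excerpt as it reads after the attached patch (constructed file).
MANIFEST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<addons>
  <addon>metadata.local</addon>
  <addon>metadata.themoviedb.org</addon>
  <addon>metadata.tvdb.com</addon>
  <addon optional="true">repository.xbmc.org</addon>
  <addon>resource.images.weathericons.default</addon>
  <addon>resource.language.en_gb</addon>
  <addon>resource.uisounds.kodi</addon>
</addons>
"""

# Constructed repository add-on definition (assumed layout, placeholder hosts).
REPO_ADDON_XML = """<?xml version="1.0" encoding="UTF-8"?>
<addon id="repository.example" name="Example repo" version="1.0.0" provider-name="example">
  <extension point="xbmc.addon.repository" name="Example repo">
    <info compressed="false">http://mirrors.example.invalid/addons/krypton/addons.xml</info>
    <checksum>http://mirrors.example.invalid/addons/krypton/addons.xml.md5</checksum>
    <datadir zip="true">https://mirrors.example.invalid/addons/krypton</datadir>
  </extension>
</addon>
"""


def load_manifest(xml_text):
    """Return (required, optional) sets of add-on ids.

    An entry carrying optional="true" may be absent from the install
    without Kodi treating the manifest as unsatisfied; everything else
    is required, which is why the patch flips that one attribute.
    """
    root = ET.fromstring(xml_text)
    required, optional = set(), set()
    for elem in root.findall("addon"):
        addon_id = (elem.text or "").strip()
        if not addon_id:
            continue  # tolerate empty <addon/> entries
        if elem.get("optional") == "true":
            optional.add(addon_id)
        else:
            required.add(addon_id)
    return required, optional


def repository_ids(required, optional):
    """Ids from either set that name a repository add-on (prefix convention)."""
    return sorted(a for a in required | optional if a.startswith("repository."))


def insecure_feed_urls(addon_xml_text):
    """List (element, url) pairs in a repository extension not using https.

    A checksum fetched over the same plaintext channel as the index gives
    no integrity protection, so it is reported like any other http URL.
    """
    root = ET.fromstring(addon_xml_text)
    findings = []
    for ext in root.findall("extension"):
        if ext.get("point") != "xbmc.addon.repository":
            continue
        for child in ext.iter():
            if child is ext:
                continue
            url = (child.text or "").strip()
            if not url:
                continue
            if urlsplit(url).scheme.lower() != "https":
                findings.append((child.tag, url))
    return findings


if __name__ == "__main__":
    req, opt = load_manifest(MANIFEST_XML)
    print("required:", sorted(req))
    print("optional:", sorted(opt))
    print("repositories:", repository_ids(req, opt))
    for tag, url in insecure_feed_urls(REPO_ADDON_XML):
        print("plaintext feed URL in <%s>: %s" % (tag, url))
```

On the constructed sample the manifest yields six required ids and one optional (repository.xbmc.org), and the audit flags the info and checksum URLs while accepting the https datadir. Run against a real install, point the second function at each addon.xml under the add-ons directory whose id starts with repository.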
Description: Support omitting addons repository feed
 Upstream official addon repository feed contains non-free addons.
 .
 Extending the system at runtime is arguably an anti-feature - either for political reasons or due to security risks.
 .
 This patch makes it possible to omit the addons repository feed.
Author: Jonas Smedegaard <d...@jones.dk>
Last-Update: 2017-10-03
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/system/addon-manifest.xml
+++ b/system/addon-manifest.xml
@@ -21,7 +21,7 @@
   <addon>metadata.local</addon>
   <addon>metadata.themoviedb.org</addon>
   <addon>metadata.tvdb.com</addon>
-  <addon>repository.xbmc.org</addon>
+  <addon optional="true">repository.xbmc.org</addon>
   <addon>resource.images.weathericons.default</addon>
   <addon>resource.language.en_gb</addon>
   <addon>resource.uisounds.kodi</addon>
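Review bot: the hunk only marks repository.xbmc.org as optional in the manifest and changes nothing about how that add-on or its http-only feed is fetched, so by itself it does not close the security hole the report describes; the Description should say that the feed is only actually removed once the package stops shipping the repository.xbmc.org add-on, and the header is missing the DEP-3 fields that record where the optional="true" attribute is honored. If the manifest loader's support for that attribute comes from upstream, as the "upstream" tag suggests, add a `Forwarded:` or `Origin:` line pointing at it, and a `Bug-Debian:` line for this report, so a later maintainer can verify that the attribute is still read rather than silently ignored.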