Package: enigmail
Version: 2:2.0~beta1-1
Severity: normal

enigmail 2.0 downloads pepmda from the internet by default, even for
users who have not opted into using pep.  This includes the following
files, which either duplicate code already in debian, or which we
don't have source for in debian:

  3589171  28708 -rwxr-xr-x   1 tst      tst      29394216 Feb 25 14:48 pepmda/bin/pep-json-server
  3589180      4 -rw-r--r--   1 tst      tst          1206 Feb 25 14:49 pepmda/release.json
  3589178  18816 -rw-r--r--   1 tst      tst      19267584 Feb 25 14:48 pepmda/share/pEp/system.db
  3589169      4 -rw-r--r--   1 tst      tst          1150 Feb 25 14:49 pepmda/share/pEp/html/json-test.ico
  3589177      4 -rw-r--r--   1 tst      tst          2991 Feb 25 14:49 pepmda/share/pEp/html/index.html
  3572660     20 -rw-r--r--   1 tst      tst         18104 Feb 25 14:49 pepmda/share/pEp/html/interactive.js
  3589188     84 -rw-r--r--   1 tst      tst         85589 Feb 25 14:49 pepmda/share/pEp/html/jquery-2.2.0.min.js
  3534200   4292 -rwxr-xr-x   1 tst      tst       4393056 Feb 25 14:48 pepmda/lib/libetpan.so.17
  3589184    304 -rw-r--r--   1 tst      tst        308360 Feb 25 14:48 pepmda/lib/libevent-2.0.so.5
  3589182    596 -rwxr-xr-x   1 tst      tst        610128 Feb 25 14:48 pepmda/lib/libpEpEngine.so
  3572662   1796 -rw-r--r--   1 tst      tst       1835928 Feb 25 14:48 pepmda/lib/libstdc++.so.6
  3589170     84 -rw-r--r--   1 tst      tst         85112 Feb 25 14:48 pepmda/lib/libgpg-error.so.0
  3589189    284 -rw-r--r--   1 tst      tst        289192 Feb 25 14:48 pepmda/lib/libgpgme.so.11
  3589185   1064 -rw-r--r--   1 tst      tst       1088904 Feb 25 14:48 pepmda/lib/libsqlite3.so.0
  3589183    196 -rw-r--r--   1 tst      tst        198432 Feb 25 14:48 pepmda/lib/libboost_thread.so.1.62.0
  3589174    108 -rw-r--r--   1 tst      tst        108816 Feb 25 14:48 pepmda/lib/libz.so.1
  3589186     80 -rw-r--r--   1 tst      tst         81560 Feb 25 14:48 pepmda/lib/libassuan.so.0
  3589172    608 -rw-r--r--   1 tst      tst        618832 Feb 25 14:48 pepmda/lib/libboost_program_options.so.1.62.0
  3589179     96 -rw-r--r--   1 tst      tst         97392 Feb 25 14:48 pepmda/lib/libgcc_s.so.1
  3589181    116 -rw-r--r--   1 tst      tst        116672 Feb 25 14:48 pepmda/lib/libboost_filesystem.so.1.62.0
  3589173     24 -rw-r--r--   1 tst      tst         22288 Feb 25 14:48 pepmda/lib/libuuid.so.1
  3589187     20 -rw-r--r--   1 tst      tst         18520 Feb 25 14:48 pepmda/lib/libboost_system.so.1.62.0


I don't think it is appropriate for a package in debian; users can't
ensure that these packages are kept up-to-date (or that they meet
debian standards), and they don't necessarily have the free software
guarantees that they might expect, even if pep as distributed today is
entirely free software.

In particular, they are fetched by package/installPep.jsm, which pulls
the info about the p≡p library from
https://www.enigmail.net/service/getPepDownload.svc, which looks like
it permits the controller of https://www.enigmail.net/ to serve
arbitrary data (the fingerprints of the files to download are not
embedded in the enigmail source).

(there are other nagging technical details too, such as this profile
not working in a multiarch scenario, but those are secondary to the
software freedom and arbitrary code execution concerns above)

This appears to remain the situation in subsequent betas of enigmail,
so I'm going to raise the concern upstream.

I do not think this enigmail should make it into debian unstable with
this behavior.  While I'm trying to figure out a satisfactory solution
with upstream, I'll most likely try to patch this part out if I can
figure out how to do so cleanly.

   --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages enigmail depends on:
ii  gnupg                    2.2.5-1
ii  gnupg-agent              2.2.5-1
ii  gnupg2                   2.2.5-1
ii  gpg-agent [gnupg-agent]  2.2.5-1
ii  icedove                  1:52.4.0-1
ii  thunderbird              1:52.6.0-1+b1

Versions of packages enigmail recommends:
ii  pinentry-gnome3 [pinentry-x11]  1.1.0-1
ii  pinentry-gtk2 [pinentry-x11]    1.1.0-1
ii  pinentry-qt [pinentry-x11]      1.1.0-1

enigmail suggests no packages.

-- no debconf information
