前幾天頗熱門的消息,StarDict 的預設安裝下,會將剪貼簿的內容透過 HTTP 傳到中國的伺服器上:「StarDict sends X11 clipboard to remote servers (lwn.net)」,文章是 LWN 的付費內容,所以連結是 SubscriberLink 分享出來的:「StarDict sends X11 clipboard to remote servers」。
整串 mailing list 上的討論可以在「Debian Bug report logs - #1110370 stardict-plugin: CVE-2025-55014: YouDao plugin sends the user's selection from other apps to Chinese servers」這邊看到,不長但有不少訊息透露出來。
其中一個點會發現這個套件不是第一次了:
- 2009 年的「Debian Bug report logs - #534731 stardict broadcasts clipboard context over network」,
- 2011 年的「Debian Bug report logs - #613236 stardict: Always uses Dict.cn even when net dictionnaries are disabled」,
- 2015 年的「Debian Bug report logs - #806960 Stardict leaking user data in default configuration.」,
- 這次 2025 年的「Debian Bug report logs - #1110370 stardict-plugin: CVE-2025-55014: YouDao plugin sends the user's selection from other apps to Chinese servers」。
可以看到類似的問題不斷的在重複發生。
另外一個問題是現任 maintainer 的問題,在 id=44879832 提到的:
It's clearly a defensive excuse, as it is extremely unrealistic to expect final users to read all the docs of all the dependencies of a Linux distro. It's the responsibility of the maintainer to read the subset of docs relevant to the package(s) they're contributing, not the user's.
It could be that they were caught with their pants down and posted an ill-thought response, but I'd lean strongly towards malice with such a poor defense, it borders on confession. Clipboards are one of the most critical privacy/security features, you don't ever want to leak them unintentionally.
在 id=44889789 則是更清楚描述了信任關係:
> It's the responsibility of the maintainer to read the subset of docs relevant to the package(s) they're contributing, not the user's.
I agree a lot with this. You're supposed to trust your distributions packages. If you can't trust your distro, who can you trust? If you don't, find one you do trust, as that's a viable alternative. If none are trustworthy to you, then the only real option is to become your own package maintainer and have fun with Linux From Scratch.
使用這個 distribution (這邊是 Debian),代表你需要信任這個 distribution,而這次的情況可以看出,身為這個 distribution 的 official package maintainers 之一,對於 privacy issue report 處理的態度已經是 malicious behavior 的等級了。
現在事情被鬧大的以後,才「計畫」要在 3.1 拆出來 (2025/08/09 的回覆),但現在都已經過一個禮拜了,可以從 https://packages.debian.org/search?keywords=stardict 這邊看到完全沒看到 3.1,大概會被三催四請後才丟出來。
![[Billion Meta Lab] 反转·血色百合 Omagoto...](http://pic.microseventh.eu.org/i/2026/01/09/69611dafa7f9f.png)
