Hi XFCE team, I noticed that (1) xfce-base/xfce4-meta unconditionally pulls in xfce-base/tumbler and (2) automatic generation of thumbnails raises security concerns (similar to [1]) and would be ideal to not happen at all on my desktop system given the size of the attack surface and the limited value. I was able to disable some of it in Thunar but tumbler is still runing and xfce-base/xfce4-meta stands in my way of installing it as of today. I'm not sure how okay or not okay XFCE will be without tumbler running or even without xfce-base/tumbler installed: "emerge --depclean xfce-base/tumbler" says it's only xfce4-meta. Would you be open to e.g. change… --- >=xfce-base/tumbler-4.18.0 +++ thumbnails? ( >=xfce-base/tumbler-4.18.0 ) …in the ebuild if feasible? What do you think? Thanks in advance! [1] https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
I don't have a strong opinion. My preference is that "meta" stays whatever upstream defaults to, and if you don't want it, then you don't use "meta".
There is also always the option to disable thumbnail generation in /etc/xdg/tumbler/tumbler.rc can even be done selectively.
(In reply to Michał Górny from comment #1) > I don't have a strong opinion. My preference is that "meta" stays whatever > upstream defaults to, and if you don't want it, then you don't use "meta". https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed815a0d0ef88b399ee809edff9db233075e07be could have changed it.
