
Bug 915597

Summary: xfce-base/xfce4-meta - for security reasons please support not pulling in xfce-base/tumbler
Product: Gentoo Linux
Reporter: Sebastian Pipping <sping>
Component: Current packages
Assignee: XFCE Team <xfce>
Status: CONFIRMED
Severity: normal
CC: mgorny
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=698706
Whiteboard:
Package list:
Runtime testing required: ---

Description Sebastian Pipping gentoo-dev 2023-10-11 14:45:31 UTC
Hi XFCE team,

I noticed that (1) xfce-base/xfce4-meta unconditionally pulls in xfce-base/tumbler and (2) automatic generation of thumbnails raises security concerns (similar to [1]) and would be ideal to not happen at all on my desktop system given the size of the attack surface and the limited value.  I was able to disable some of it in Thunar but tumbler is still running and xfce-base/xfce4-meta stands in my way of uninstalling it as of today.

I'm not sure how okay or not okay XFCE will be without tumbler running or even without xfce-base/tumbler installed: "emerge --depclean xfce-base/tumbler" says it's only xfce4-meta.  Would you be open to e.g. change…

  --- >=xfce-base/tumbler-4.18.0
  +++ thumbnails? ( >=xfce-base/tumbler-4.18.0 )
  
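Review bot: the `thumbnails? ( >=xfce-base/tumbler-4.18.0 )` conditional on the `+++` line only works if the ebuild also declares the `thumbnails` flag in IUSE (and documents it in metadata.xml); as sketched, the flag is used without being declared. Consider declaring it enabled by default (`IUSE="+thumbnails"`) so that users who do not set the flag keep the current unconditional dependency on tumbler, while users who want to reduce thumbnailer attack surface can disable it with `USE="-thumbnails"`.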
…in the ebuild if feasible?  What do you think?  Thanks in advance!

[1] https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-10-11 15:43:54 UTC
I don't have a strong opinion.  My preference is that "meta" stays whatever upstream defaults to, and if you don't want it, then you don't use "meta".