Bug 915597 - xfce-base/xfce4-meta - for security reasons please support not pulling in xfce-base/tumbler
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: XFCE Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-11 14:45 UTC by Sebastian Pipping
Modified: 2023-10-11 15:43 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sebastian Pipping gentoo-dev 2023-10-11 14:45:31 UTC
Hi XFCE team,

I noticed that (1) xfce-base/xfce4-meta unconditionally pulls in xfce-base/tumbler and (2) automatic generation of thumbnails raises security concerns (similar to [1]) and would be ideal to not happen at all on my desktop system given the size of the attack surface and the limited value.  I was able to disable some of it in Thunar but tumbler is still running and xfce-base/xfce4-meta stands in my way of uninstalling it as of today.

I'm not sure how okay or not okay XFCE will be without tumbler running or even without xfce-base/tumbler installed: "emerge --depclean xfce-base/tumbler" says it's only xfce4-meta.  Would you be open to e.g. changing…

  --- >=xfce-base/tumbler-4.18.0
  +++ thumbnails? ( >=xfce-base/tumbler-4.18.0 )
  
…in the ebuild if feasible?  What do you think?  Thanks in advance!

[1] https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
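Review bot: the proposed `thumbnails? ( >=xfce-base/tumbler-4.18.0 )` line on its own is incomplete as an ebuild change, because a USE flag used in a dependency must also be declared in IUSE (as `+thumbnails` if the upstream default of installing tumbler is to be kept for existing users) and described as a local flag in metadata.xml; the snippet shows only the dependency line, so the submitter should include those two additions when turning this into an actual patch.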
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-10-11 15:43:54 UTC
I don't have a strong opinion.  My preference is that "meta" stays whatever upstream defaults to, and if you don't want it, then you don't use "meta".