Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 915597 - xfce-base/xfce4-meta - for security reasons please support not pulling in xfce-base/tumbler
Summary: xfce-base/xfce4-meta - for security reasons please support not pulling in xfc...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: XFCE Team
Depends on:
Reported: 2023-10-11 14:45 UTC by Sebastian Pipping
Modified: 2023-10-11 15:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Pipping gentoo-dev 2023-10-11 14:45:31 UTC
Hi XFCE team,

I noticed that (1) xfce-base/xfce4-meta unconditionally pulls in xfce-base/tumbler and (2) automatic generation of thumbnails raises security concerns (similar to [1]) and would be ideal to not happen at all on my desktop system given the size of the attack surface and the limited value.  I was able to disable some of it in Thunar but tumbler is still runing and xfce-base/xfce4-meta stands in my way of installing it as of today.

I'm not sure how okay or not okay XFCE will be without tumbler running or even without xfce-base/tumbler installed: "emerge --depclean xfce-base/tumbler" says it's only xfce4-meta.  Would you be open to e.g. change…

  --- >=xfce-base/tumbler-4.18.0
  +++ thumbnails? ( >=xfce-base/tumbler-4.18.0 )
…in the ebuild if feasible?  What do you think?  Thanks in advance!

Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-10-11 15:43:54 UTC
I don't have a strong opinion.  My preference is that "meta" stays whatever upstream defaults to, and if you don't want it, then you don't use "meta".