[Wylug-discuss] advice on ebook reader or similar...

Smylers Smylers at stripey.com
Fri Nov 4 10:43:27 UTC 2011


In September Dave Fisher wrote:

> 2. Whichever reader you go for, install the Linux-based Calibre
> library manager

Anybody using Calibre should be aware of this bug report, the comments
on it, and the Calibre developer's attitude to, among other things,
security vulnerabilities: https://bugs.launchpad.net/calibre/+bug/885027

If you installed Calibre from your OS's package then you're probably
safe (many seem to remove the risky part). And if you're the only user
of your computer (or all users have full sudo access) then the
particular vulnerabilities here probably aren't a risk for you either.

So for most users, no need to panic about this particular set of bugs.

I'd be more concerned that Calibre bundles unrelated functionality
(duplicating what an OS should provide) that you quite possibly wouldn't
be expecting; that it's clearly been developed without security concerns
being taken into account from the start, despite the developer knowing
about the inherent risks in using setuid; that as each security bug is
reported the developer looks in each case to do the minimum to identify
and block that specific situation, rather than switching to a wholesale
way of being inherently more secure; that the developer prioritizes
minor convenience for users of ancient and esoteric Linux distributions
(being able to download Calibre from its website and run it without
having to install any other dependencies or optional OS-provided
packages) over being secure for all users; that the developer thinks
that security problems for some groups of users, such as a University
providing a computer lab of multi-user computers, aren't important or
worth mentioning, because they won't affect most users; that the
developer doesn't believe in security in depth -- being content to let
Calibre enable users to perform certain actions as root so long as
exploiting them would also require bugs in some other software; and that
the developer is so rude and dismissive to those reporting security
issues.

Smylers
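The post's risk assessment turns on whether an install shipped a setuid helper and whether the machine is multi-user. The script below is an added example, not part of the mailing-list thread or of Calibre itself: it audits an arbitrary install prefix for setuid/setgid files, which is the check a sysadmin of a shared lab machine would run after unpacking a vendor bundle rather than a distro package. It assumes nothing about Calibre's real file layout; the demo tree it builds (one ordinary script, one setuid helper) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post or from Calibre): list setuid/setgid files
# under an install prefix so a privileged helper in a third-party bundle is
# visible before the software is exposed to other users of the machine.

# Print each regular file under $1 carrying the setuid (4000) or setgid (2000)
# bit, with mode and owner. POSIX find: "-perm -4000" means "at least 4000".
find_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# Number of setuid/setgid regular files under $1 (tr strips BSD wc padding).
count_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Build a constructed demo tree in a temp dir: one ordinary script and one
# setuid helper, so the audit can be exercised without any real install.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/libexec"
    printf '#!/bin/sh\necho ordinary\n' > "$dir/bin/viewer"
    printf '#!/bin/sh\necho privileged\n' > "$dir/libexec/helper"
    chmod 755 "$dir/bin/viewer"
    chmod 4755 "$dir/libexec/helper"   # setuid bit set on purpose (demo)
    printf '%s\n' "$dir"
}

# Audit the prefix given as $1, or the constructed demo tree when none is given.
main() {
    prefix=${1:-$(make_demo_tree)}
    n=$(count_privileged_files "$prefix")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n setuid/setgid file(s) under $prefix:"
        find_privileged_files "$prefix"
    else
        echo "No setuid/setgid files under $prefix"
    fi
}

main "$@"
```

Run it as `sh setuid_audit.sh /opt/some-vendor-bundle` (a placeholder path) and compare the result against the same package installed from your distribution, which is where the post's "many seem to remove the risky part" claim can be checked on your own system rather than taken on trust. A non-empty result on a multi-user host is the case the post singles out; on a single-user box the same finding matters far less.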


