[Wylug-discuss] advice on ebook reader or similar...

Smylers Smylers at stripey.com
Wed Feb 1 12:33:44 UTC 2012


Dave Fisher writes:

> On 4 November 2011 10:43, Smylers <Smylers at stripey.com> wrote:
> 
> > Anybody using Calibre should be aware of this bug report, the
> > comments on it, and the Calibre developer's attitude to, among other
> > things, security vulnerabilities:
> > https://bugs.launchpad.net/calibre/+bug/885027
> 
> If anyone is still bothered about this, it may be worth re-visiting
> the bug report.

Thanks for the update, Dave; I hadn't looked at that recently to see if
anything had changed.

> It appears Calibre's lead developer has fixed the minor bugs and
> removed the entire module which was the source of most concern.

Hmmm, I'd more summarize it as Calibre's developer trying to play
whack-a-mole with security bugs as each exploit was presented, but never
actually addressing the underlying problems (such that those trying to
point out the problems could just tweak their exploits to show the hole
in a different way), and then eventually getting so frustrated he gave
up and reluctantly removed his bundled mounting feature.

In particular, he didn't take note of the advice being offered by the
security experts and attempt to rewrite the feature in a fundamentally
secure way. Nor did he remove it because he realized it was redundant
and not a feature he should be trying to include.

And his reason for ignoring a test case reported on the bug was that
that reporter was on the developer's ignore list! He seems to relay this
as an unfortunate matter of fact, rather than it actually being entirely
his doing to add that bug reporter, who was providing help, to his
ignore list.

I'm not actually sure that's any kind of improvement.

> It's a shame it took so much effort and bad behaviour to finally bring
> about the 'right thing'.
