Bug#923375: brltty breaks usb serial devices; sends potentially harmful data to unknown devices

Samuel Thibault sthibault at debian.org
Wed Feb 27 05:51:52 GMT 2019


Hello,

fluffywolf, on Tue 26 Feb 2019 20:41:54 -0800, wrote:
> brltty's default behavior seems to not just claim all usb serial devices,

No, only serial devices which have generic USB ids for which there
are known Braille devices using them.

> Some possible suggestions:
>   1) Don't grab any device, or attempt to probe any device, that does not
>   have an id that explicitly and unambiguously identifies it as a 
>   compatible terminal.  Users of other devices would need to manually
>   configure.

Which means they will just not be able to use their hardware. The
Braille device is the *only* way for these users to be able to access
their computer. They can not configure brltty if they can not access
their computer already.

>   2) During install, prompt for whether brltty should be started on boot.

During install, brltty is never installed by default unless such a
device was plugged in during installation. For the same reason, we do
want to detect those devices with generic USB ids. Otherwise all people
owning these devices will just *not* be able to install Debian.

>   3) During install, prompt the user for their device's port.  If nothing
>   is specified, do not access any ports.

If brltty does not access the port, the user will not get any output,
and thus not be able to ask the user whether he wants to access the
port.

>   4) Don't send data to any unknown device.

Back to square one: some Braille manufacturers do set a generic id only.
And we want to allow users who have them to be able to install and use
Debian.

> Two other open bugs, #667616 and #721763, contain statements that none of
> the above would be acceptable, and the actual bug is that it got installed
> in the first place.

And I still stand by it.

> However, no progress seems to have been made on eliminating any
> dependencies on brltty.

No progress has been made merely because AFAIK there is *no* package
which depends on brltty except brltty drivers, i.e. there is nothing to
fix. If there is, please point me to it and we'll drop the dependency.

> Since brltty is still being installed unexpectedly on some systems,

That's what needs to be debugged.

> My suggestion would be that if brltty is not being used during the
> installation, the user should be prompted whether to enable it on boot,

AFAIK, if brltty is not being used during the installation, it is *not*
getting installed at all.

The only case I am aware of is if you have the serial device with
generic USB id plugged in during installation. Then d-i will start
brltty. But if we disable that, again, a lot of blind users will just
not be able to install Debian.

> Even if the user intentionally installs it, the assumption probably shouldn't
> be that every usb serial device the user may have attached is a compatible 
> terminal,

Again, brltty does *not* assume every usb serial device to be a Braille
device, it only probes serial devices with a generic USB id.

> I think the default as-installed behavior potentially causing harm,
> especially hardware or other physical damage, is itself a critical
> bug that must be addressed.  Installing a package by accident, with
> no further action, should not be harmful to other software or to the
> user's hardware.

Ask modemmanager about this. That one does really probe all serial usb
devices, not only those with a generic USB id.

Samuel


