Bug#964946: rhythmbox.org domain doesn't belong to GNOME/Rhythmbox

Simon McVittie smcv at debian.org
Tue Aug 18 10:09:24 BST 2020


Control: severity -1 minor
Control: tags -1 = pending

On Mon, 13 Jul 2020 at 12:02:13 +0530, crvi wrote:
> rhythmbox.org domain doesn't belong to GNOME/Rhythmbox anymore. The domain is
> currently for sale.

The practical impact of this appears to have been: if you visit
[menu] -> Preferences -> Plugins -> any plugin -> About -> Website,
your web browser will open a link to a site that was (at the time) no
longer owned by GNOME.

If that causes your web browser to do something unsafe, even if the
linked site is actively malicious, then your web browser has a security
vulnerability, because general-purpose web browsers are designed to be
safe to use to browse untrusted websites.

I've queued up the patch you suggested for inclusion in the next upload
to unstable, but I'm not going to do an upload just for this.

rhythmbox.org appears to have been reacquired by someone related to
GNOME and/or Rhythmbox (at least, it seems to have
GNOME-media-player-related content), but the patch still seems worthwhile,
because rhythmbox.org seems to be mostly broken.

On Mon, 13 Jul 2020 at 12:38:36 +0530, crvi c wrote:
> severity 964946 critical

This was certainly a bug, but not a critical bug. "critical" is
the highest bug severity used in Debian, and is reserved for packages
that break the entire system, cause serious data loss, or introduce a
system-wide security flaw affecting users who do not directly use the
relevant package.

Even if rhythmbox downloaded and executed code from rhythmbox.org, that
wouldn't qualify as critical (it would be "grave", which is still a very
high severity, but not as high as critical).

Some wrong links, in a part of the user interface that most users aren't
even going to visit, are at most "minor" severity. Please don't increase
the severity of bug reports beyond what is justified: it damages the
ability to triage and prioritize bugs that are genuinely high-impact.

On Mon, 13 Jul 2020 at 13:03:17 +0530, crvi c wrote:
> tags 964946 + security squeeze wheezy jessie stretch buster bullseye sid

Suites older than buster are not supported by Debian package maintainers,
and the default is for bugs to be considered to affect all suites anyway.

Bugs can only be fixed in stable releases with the agreement of the
security or release teams, and they are extremely unlikely to accept an
upload that just changes some wrong website links.

    smcv
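The practical problem above is a plugin's "Website" link pointing at a domain the project no longer controls. One way a packager could catch that class of issue before upload, as an added example that is not part of this bug report or of the Rhythmbox project's own code: parse the [Plugin] key/value metadata that libpeas-style .plugin files use, pull out each Website= URL, and flag hosts outside an allowlist of project-controlled domains. The sample plugin contents, file names and the allowlist are constructed for the example.

```python
"""
Added example (not from the bug report or the Rhythmbox project): scan
libpeas-style .plugin metadata for Website= links whose host is not on
a list of domains the project still controls. File contents below are
constructed; the allowlist and file names are assumptions.
"""
import configparser
from urllib.parse import urlsplit

# Assumed allowlist: domains the project is known to control.
TRUSTED_DOMAINS = {"wiki.gnome.org", "gitlab.gnome.org"}

# Constructed sample metadata in the [Plugin] key/value layout used by
# libpeas .plugin files (plugin names and URLs are made up for this example).
SAMPLE_PLUGINS = {
    "artsearch.plugin": (
        "[Plugin]\nModule=artsearch\nName=Cover art search\n"
        "Website=http://www.rhythmbox.org/\n"
    ),
    "lyrics.plugin": (
        "[Plugin]\nModule=lyrics\nName=Song Lyrics\n"
        "Website=https://wiki.gnome.org/Apps/Rhythmbox\n"
    ),
    "nolink.plugin": "[Plugin]\nModule=nolink\nName=No website key\n",
}


def website_host(plugin_text):
    """Return the lowercased host of the Website= key, or None if absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(plugin_text)
    url = parser.get("Plugin", "Website", fallback=None)
    if not url:
        return None
    host = urlsplit(url).hostname
    return host.lower() if host else None


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def find_untrusted_links(plugins, trusted=TRUSTED_DOMAINS):
    """Map plugin file name -> host for every Website link outside the allowlist."""
    findings = {}
    for name, text in plugins.items():
        host = website_host(text)
        if host is not None and not host_is_trusted(host, trusted):
            findings[name] = host
    return findings


if __name__ == "__main__":
    for name, host in sorted(find_untrusted_links(SAMPLE_PLUGINS).items()):
        print(f"{name}: Website points at {host}, not a project-controlled domain")
```

The check is deliberately an allowlist rather than a blocklist of known-lapsed domains: a domain that has changed hands once can do so again, and an allowlist keeps a stray link from going unnoticed until someone clicks it.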