StarDict sends X11 clipboard to remote servers

Privacy expectations for a “dictionary” app

  • Many commenters find it unacceptable that a locally installed dictionary silently sends clipboard contents to remote servers, especially over plain HTTP.
  • Several argue this breaks a widely held expectation: dictionaries, spellcheckers, and calculators should be fully local unless clearly advertised otherwise.
  • Others note that online translation is common and useful, especially for ESL users, but say this must be opt‑in, clearly disclosed, and encrypted.

Debian’s role, trust, and process

  • Strong sentiment that distribution repositories are trusted sources; users should not have to audit every package and dependency description.
  • Some defend Debian’s culture of privacy‑conscious defaults (e.g. Firefox hardening, lintian checks, opensnitch packaging) but agree policy doesn’t yet codify privacy requirements.
  • The StarDict issue was reported as early as 2009, fixed, then re‑introduced via plugins; critics see this as negligence and evidence Debian’s review isn’t sufficient.
  • Recent changes split network dictionaries into a separate, non‑default package with explicit warnings; some say this is the right fix, others think the software should be dropped entirely.

X11 vs Wayland, and sandboxing

  • One camp highlights Wayland blocking arbitrary clipboard access as an improvement over X11’s “any app can read selections” model.
  • Another calls this a red herring: the core problem is Debian distributing software that exfiltrates data, not the display protocol.
  • There’s debate over “security vs usability”: some want macOS/Android‑style per‑app permissions; others fear a locked‑down, paternalistic ecosystem.

Malice, ignorance, and cultural differences

  • Opinions split on intent:
    • Some see the maintainer’s dismissive response (“user can disable plugins, it’s documented”) as evidence of malicious or at least reckless behavior.
    • Others invoke Hanlon’s razor, pointing to the age of the software, common Chinese practices (online IMEs, translators), and the lack of HTTPS in that ecosystem.
  • Several note that clipboard contents can include passwords and highly sensitive data; ignoring this in 2025 is seen by some as inexcusable.

Mitigations and broader lessons

  • Suggested defenses: local dictionaries (e.g. WordNet, Wiktionary‑derived sets, alternative tools), firewalling GUI apps (opensnitch, sandboxing, Flatpak), and avoiding obsolete software.
  • Some call for stronger Debian policies on privacy, stricter use of “Recommends”, and better tooling to detect plaintext HTTP and unexpected network access by desktop apps.
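
One shape the "detect plaintext HTTP by desktop apps" tooling could take on Linux, as an added example that is not from the thread or from Debian: parse the kernel's /proc/net/tcp table and attribute active port-80 connections to processes. The sample table, the inode-to-process map and the function names are constructed for illustration; the decoder assumes a little-endian host and covers IPv4 only (not /proc/net/tcp6).

```python
import ipaddress, os, re, socket, struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 0A01A8C0:9C40 057100CB:0050 01 00000000:00000000 00:00000000 00000000  1000        0 20002 1
   2: 0A01A8C0:9C42 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1
   3: 0100007F:9C44 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 20004 1
"""
ACTIVE = {"01", "02"}  # kernel TCP states ESTABLISHED and SYN_SENT

def decode(hexpair):
    """'057100CB:0050' -> ('203.0.113.5', 80); address is a little-endian u32."""
    addr, port = hexpair.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_tcp_table(text):
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 10:                        # f[2]=remote, f[3]=state, f[9]=inode
            rows.append({"remote": decode(f[2]), "state": f[3], "inode": int(f[9])})
    return rows

def socket_owners(proc="/proc"):
    """Map socket inode -> process name via /proc/<pid>/fd (other users' pids need root)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                name = fh.read().strip()
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = name
        except OSError:                         # process exited or access denied
            continue
    return owners

def plaintext_http(rows, owners):
    """Return (process, remote_ip, port) for active non-loopback connections to port 80."""
    hits = []
    for r in rows:
        ip, port = r["remote"]
        if r["state"] in ACTIVE and port == 80 and not ipaddress.ip_address(ip).is_loopback:
            hits.append((owners.get(r["inode"], "unknown"), ip, port))
    return hits

if __name__ == "__main__":
    # Live use: plaintext_http(parse_tcp_table(open("/proc/net/tcp").read()), socket_owners())
    print(plaintext_http(parse_tcp_table(SAMPLE), {20002: "stardict", 20003: "firefox", 20004: "curl"}))
```

Port 80 is only a heuristic for cleartext traffic, and a polling snapshot misses short-lived connections, so this complements rather than replaces a per-application firewall such as opensnitch.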