{{Header}}
{{title|title= Dev/Debian }}
{{#seo: |description=Developer-level page on Debian }}

* {{whonix_wiki |wikipage=Dev/Operating_System |text=Security-Focused Operating System Comparison as Base for Whonix }}
* [[Dev/About_Debian_Packaging|Debian Packaging]]
* [[Dev/APT_Pinning|APT Pinning]]
* [[Dev/Debian]]

{{intro| Developer-level page on Debian. }}

= Debian Signed Source Packages =

Debian source packages are signed by the distribution's package maintainer.

{{CodeSelect|code= apt-get source hello }}

If it shows:

gpgv: Can't check signature: public key not found

To fix:

{{CodeSelect|code= sudo apt install debian-keyring }}

Signatures are in .dsc files and can be verified using dscverify, apt-get or manually using gpg.

= Missing Packages =

== Fully Not Available ==

Note: Whonix/Kicksecure-exclusive packages such as sdwdate are excluded from this list.

* tirdad [https://github.com/0xsirus/tirdad main] [https://github.com/kicksecure/tirdad kicksecure]
* kloak [https://github.com/vmonaco/kloak main] [https://github.com/Whonix/kloak Whonix]
* Apparmor.d [https://github.com/roddhjav/apparmor.d Link]
* LKRG [https://github.com/lkrg-org/lkrg Link]
* Hardened Malloc [https://github.com/GrapheneOS/hardened_malloc Link]
* onion-grater [https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/onion-grater main] [https://github.com/Whonix/onion-grater whonix]
* Tor Browser (not the downloader) [https://gitlab.torproject.org/tpo/applications/tor-browser Link]
* Peazip [https://github.com/peazip/PeaZip Link]
* Session Messenger [https://github.com/oxen-io/session-desktop Link]
* Element Matrix (also called element-web) [https://github.com/element-hq/element-web Client] [https://github.com/element-hq/synapse Server]
* Signal Messenger [https://github.com/signalapp/Signal-Desktop Client] [https://github.com/signalapp/Signal-Server Server]

== Partially Not Available ==

Note: A package that is available only in sid/experimental is not easily usable on stable.

* [https://packages.debian.org/sid/firefox Firefox Rapid Release]
* [https://packages.debian.org/sid/virtualbox VirtualBox]

= Privacy =

== stardict ==

Blog post: [https://linuxiac.com/stardict-plugins-in-debian-13-raise-privacy-concerns/ StarDict Plugins in Debian 13 Raise Privacy Concerns]

Debian bug reports:

'''2009:''' [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534731 stardict broadcasts clipboard context over network] [https://security-tracker.debian.org/tracker/CVE-2009-2260 CVE-2009-2260]

stardict 3.0.1, when Enable Net Dict is configured, sends the contents of the clipboard to a dictionary server, which allows remote attackers to obtain sensitive information by sniffing the network.
resolution:
* Applied 07_disable_netdict.dpatch: (Closes:#534731) CVE-2009-2260
** disable netdict by default
** giving warning message
* Added --disable-dictdotcn option for CVE-2009-2260

'''2011:''' [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=613236 stardict: Always uses Dict.cn even when net dictionnaries are disabled]

resolution: none

'''2015:''' [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806960 Stardict leaking user data in default configuration.]

resolution:
* d/stardict-plugin.install:not install stardict_dictdotcn.so, Closes: #806960
* d/rules:Added --disable-dictdotcn option, dictdotcn is not provid server now

'''2025:''' [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110370 stardict-plugin: CVE-2025-55014: YouDao plugin sends the user's selection from other apps to Chinese servers]

resolution: pending

Debian user mailing list discussion:

* [https://lists.debian.org/debian-user/2025/08/msg00076.html Re: Security: Be careful with StarDict!]

Links to the package:

* https://packages.debian.org/search?keywords=stardict
* https://packages.debian.org/search?keywords=stardict-plugin
* https://packages.debian.org/search?keywords=stardict-gtk
* https://packages.debian.org/source/bookworm/stardict

Link to Debian source code:

* source package: https://salsa.debian.org/debian/stardict
* Debian patches: https://udd.debian.org/patches.cgi?src=stardict

Quotes:

{{quotation
|quote=The stardict-plugin install many plugin for stardict. YouDao plugin is one of them.
|context=[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110370 stardict-plugin: CVE-2025-55014: YouDao plugin sends the user's selection from other apps to Chinese servers]
}}

Debian changelog excerpt:

stardict (3.0.6-0.1) unstable; urgency=medium

  * Non-maintainer upload.

  [ Ondřej Nový ]
  * d/control: Set Vcs-* to salsa.debian.org

  [ Jeremy Bicha ]
  * New upstream release (Closes: #667929, #846283)
  * Include 3.0.3-1 packaging from the VCS that was never uploaded to Debian
  * Update debian/watch
  * Drop patches applied in new release:
    - 07_disable_netdict.patch
    - 10_fix-narrowing.patch
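
The changelog excerpt above drops 07_disable_netdict.patch, the patch that the 2009 resolution ties to CVE-2009-2260. As an added example (not part of this wiki page or of any Debian tool), the Python function below generalizes that observation to any debian/changelog: it reports patches that an older entry links to a CVE and that a newer entry drops. The sample changelog is constructed from the fragments quoted on this page, with a placeholder version for the older entry; a finding means the fix still has to be confirmed in the new upstream source, not that it is missing.

```python
import re

# Constructed sample: the two changelog fragments quoted on this page joined
# into one file. The older entry's version is a placeholder, not a real one.
SAMPLE = """\
stardict (3.0.6-0.1) unstable; urgency=medium

  [ Jeremy Bicha ]
  * New upstream release (Closes: #667929, #846283)
  * Drop patches applied in new release:
    - 07_disable_netdict.patch
    - 10_fix-narrowing.patch

stardict (PLACEHOLDER-OLD-VERSION) unstable; urgency=low

  * Applied 07_disable_netdict.dpatch: (Closes:#534731) CVE-2009-2260
    - disable netdict by default
    - giving warning message
  * Added --disable-dictdotcn option for CVE-2009-2260
"""

HEADER = re.compile(r"^\S+ \(([^)]+)\) ")
PATCH = re.compile(r"\b([\w.+-]+?)\.d?patch\b")   # name without .patch/.dpatch
CVE = re.compile(r"CVE-\d{4}-\d+")
DROP = re.compile(r"\b(drop|remove)", re.I)


def dropped_security_patches(changelog):
    """Return (version, patch, cves) for each CVE-linked patch later dropped."""
    entries = []                      # newest first, as in debian/changelog
    for line in changelog.splitlines():
        header = HEADER.match(line)
        if header:
            entries.append((header.group(1), []))
        elif entries and line.lstrip().startswith("* "):
            entries[-1][1].append(line.strip())
        elif entries and entries[-1][1] and line.startswith("    "):
            entries[-1][1][-1] += " " + line.strip()   # sub-bullet of the item
    introduced, findings = {}, []
    for version, items in reversed(entries):           # walk oldest to newest
        for item in items:
            names, cves = PATCH.findall(item), sorted(set(CVE.findall(item)))
            if DROP.search(item):
                findings += [(version, n, introduced[n])
                             for n in names if n in introduced]
            elif cves:
                introduced.update((n, cves) for n in names)
    return findings
```

Calling <code>dropped_security_patches(SAMPLE)</code> reports 07_disable_netdict for version 3.0.6-0.1 and ignores 10_fix-narrowing, which no entry links to a CVE.
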
{{CodeSelect|code= reverse-depends stardict }}
Reverse-Recommends
==================
* stardict-czech
* stardict-english-czech
* stardict-german-czech
* stardict-xmlittre
{{CodeSelect|code= reverse-depends stardict-plugin }}
Reverse-Recommends
==================
* stardict-gtk
* stardict-plugin-cal
* stardict-plugin-espeak
* stardict-plugin-festival
* stardict-plugin-fortune
* stardict-plugin-info
* stardict-plugin-spell

Interpretation:

'''2010''' Jul 27 as per b85c21b3b03a27bd0fb08c72f3d2e02c87387d29 by Andrew Lee.

git show b85c21b3b03a27bd0fb08c72f3d2e02c87387d29 debian/patches/07_disable_netdict.patch

+       add_entry("/apps/stardict/preferences/network/enable_netdict", false);
...

'''2018''' Oct 16 07_disable_netdict.patch

{{CodeSelect|code= git log --all --full-history -- debian/patches/07_disable_netdict.patch }}

did

+    label = gtk_label_new(_("Warning: Requests to remote StarDict server are sent over the network in an unencrypted form. Do not enable this if you are translating sensitive documents."));
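
Review bot: the warning string in this added label names only requests to the remote StarDict server, so it does not cover the Dict.cn lookups that bug #613236 on this page reports as happening even with net dictionaries disabled. Consider wording the label to cover every network dictionary source, or showing the same warning wherever a network plugin is enabled.
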
This patch was removed in 3.0.6-0.1 by Jeremy Bicha with reason "Drop patches applied in new release".

Verdict: TODO

= Installers =

Debian doesn't have an explicit policy that categorically prohibits installers from downloading software from external sources.

The following is a description only. Not a policy.

{{quotation
|quote=no network -- most buildds will have no network access available. Your package build+test process must not attempt to use the network or assume that any network interface is available.
|context=https://wiki.debian.org/buildd
}}

Debian policy.

{{quotation
|quote=The contrib archive area contains supplemental packages intended to work with the Debian distribution, but which require software outside of the distribution to either build or function.
|context=https://www.debian.org/doc/debian-policy/ch-archive.html#the-contrib-archive-area
}}

{{quotation
|quote=Examples of packages which would be included in contrib are:
* free packages which require contrib, non-free packages or packages which are not in our archive at all for compilation or execution,
* and wrapper packages or other sorts of free accessories for non-free programs.
}}

Example installers:

* in contrib: [https://packages.debian.org/torbrowser-launcher torbrowser-launcher]
* in contrib: [http://packages.debian.org/firmware-b43-installer firmware-b43-installer]

{{Footer}}