Part of the fun of free software is that it might do terrible things. Debian is not a distro that promises you a walled garden run by an iron-fisted tyrant who beats programmers into submission so they'll respect your privacy.
Nothing in Debian will install StarDict invisibly. Only you install StarDict. Only you run StarDict.
Wayland is not a panacea. If you want StarDict to translate everything you highlight/clip, you will tell Wayland to let StarDict do that. If Wayland can't do that, it's bad, paternalistic software. There is Android and iOS for idiots who want to be bossed around by their device and have no real freedom.
The real problem is these HTTP lookups by default, which is the fault of the packager, and Debian as a whole for not prodding them into fixing it.
This bug was already reported and fixed as CVE-2009-2260. Then StarDict was kicked out of Debian, and when it came back, so did this bug. The most recent re-reporting of this bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806960 raised in 2015) was fixed a few days ago by removing the dict.cn plugin, 2 days after Vincent Lefevre raised this issue on oss-security-list. He also raised CVE-2025-55014 for another dictionary plugin that sends HTTP requests, which has also been fixed by removing that plugin.
Both plugins should be removed from Trixie as of today, and more appropriately, all the "network dictionaries" are now in their own package (stardict-plugin-network-dictionary), not installed by default (stardict-plugin suggests rather than recommends it):
Package: stardict-plugin-network-dictionary
Description: [...]
*Warning*
* The query word will send through the network use plain-text in this plugin!
* Please do *NOT* selects any confidential data to query dictionary
* When enable "Scan" function on stardict, the selected text will sended on the net at once.
Package: stardict-plugin
Suggests: [...]
stardict-plugin-network-dictionary (= ${binary:Version}),
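The difference between Suggests and Recommends mentioned in the comment above decides whether apt pulls in the network plugin without being asked. The following is an added example, not part of the original comments or of Debian's tooling: it parses a constructed control stanza and reports how a package is related. The stanza contents other than the two package names quoted above, and all function names, are assumptions made for illustration.

```python
import re

# Constructed stanza modelled on the fields quoted above. The page elides the
# rest of the list as "[...]"; the example-* package names are hypothetical.
CONTROL = """\
Package: stardict-plugin
Depends: ${shlibs:Depends}, ${misc:Depends}
Recommends: example-offline-plugin
Suggests: example-dictionary-data | example-dictionary-alt,
 stardict-plugin-network-dictionary (= ${binary:Version}),
"""

# apt installs these relationship fields without being asked; Suggests is
# only followed when APT::Install-Suggests is switched on.
AUTO_FIELDS = ("Pre-Depends", "Depends", "Recommends")


def parse_stanza(text):
    """Parse one control stanza into {field: value}, joining continuation lines."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current:
            fields[current] += " " + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields


def relation_names(value):
    """Return package names from a relationship field, dropping versions and substvars."""
    names = []
    for alternative in re.split(r"[,|]", value):
        name = re.sub(r"\(.*?\)|\[.*?\]|<.*?>", "", alternative).strip()
        if name and not name.startswith("${"):
            names.append(name.split(":")[0])  # drop :any / :native qualifiers
    return names


def relationship_to(stanza, package):
    """Name the first relationship field that mentions package, or None."""
    for field in AUTO_FIELDS + ("Suggests",):
        if package in relation_names(stanza.get(field, "")):
            return field
    return None


def installed_by_default(stanza, package):
    """True when a default apt install of the stanza's package would pull in package."""
    return relationship_to(stanza, package) in AUTO_FIELDS
```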
You can expect that any software might do anything, either because of a bug or because it's intentional, and you won't know until you see it happen. It's why the major FOSS licenses say things like THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
You can want software to be well behaved, and in most cases it is. But if you want some level of assurance that the software is behaved as you'd like it, some requirement in law that the software is not allowed to exist unless it meets your requirements, or the platform it runs on is neutered so it literally can't do the thing you don't want it to do -- that's where the tyrant comes in.
You're asking Debian to check out all aspects of a program and hold them liable if it does something you don't like, or their volunteers do something you don't like.
That's not what Debian is doing. Debian is asking for volunteers to package the world's free software, also written by volunteers. They have their own checklists, your "dodgy behaviour" concerns aren't on it. Confirming the software meets your expectations depends on you evaluating it. If it doesn't, you can then volunteer your time to write them a bug report, which they might or might not accept and fix.
They did. The article exists. The package manager behavior was changed accordingly. It doesn't automatically include that plug-in. My understanding was you scoffed at the "paternalism" and said part of the fun is that there might be terrible behaviors. Others disagree.
Indeed there were terrible behaviours, and they were fixed. My scoffing is at people who believe these behaviours should never have happened, or it shouldn't be possible.
Unless there is an omnipotent tyrant, there will be the possibility that you encounter terrible behaviours, and the possibility that those who could fix them, don't. You can try advocating to the maintainer that they should fix it, you can even try leading a campaign against the maintainer. If they still disagree, you can fix it yourself, with the source they gave you, and you can publicise your fixed version, which people might adopt over the other version if enough people agree with you. That is the fun!
Changelog: https://salsa.debian.org/debian/stardict/-/blob/debian/trixi...
Control: https://salsa.debian.org/debian/stardict/-/blob/debian/trixi...