I just opened an issue about it: https://github.com/LemmyNet/lemmy/issues/4744
Lemmy maintainer
I just opened an issue about it: https://github.com/LemmyNet/lemmy/issues/4744
This, particularly reports are not fully federated.
Well written, it would deserve a separate post.
One of the comments mentions that another app can trigger search through an Android intent. So its better to be safe and close any potential vulnerabilities, but this doesnt seem particularly useful for an attacker.
Im a former contributor to F-Droid with various merged pull requests. Looking at the indicated pull request I really doubt that it was an intentional attack. First of all its easy to forget for a new developer to escape SQL parameters, and the docs dont even mention a risk of SQL injection attacks. And of the users pushing for the PR to be merged, one is a long-time F-Droid contributor, and the other also looks like a real human with many contributions in other repos, so no sockpuppets in sight.
It simply looks like standard open source behaviour, for better or for worse. A new user makes a contribution for a highly demanded feature, and users want it to get merged as soon as possible. Maintainers are discussing the big picture of the change and want to avoid breaking changes, without getting into code review yet. The new contributor seems unwilling to make any design changes to his PR, and gets frustrated that it doesnt get merged as is. The potential vulnerability is only noticed half a year after the PR was opened, at which point it was already de facto abandoned. So not an attack, but simply a developer who is new to open source and doesnt understand how the process works.
We applied for funding last August, but unfortunately we are still waiting for it to be finalized. Seems like NLnet is quite overloaded these days.
So much for “Microsoft ❤️ open source”
Alright Ive added @kevincox@lemmy.ml, @CrypticCoffee@lemmy.ml and @Lettuceeatlettuce@lemmy.ml as mods and removed the inactive ones.