npteljes

Karma: 4853

Created: 2018-08-03

Recent Activity

  • I get that. Well, not in the linked Facebook case, seeing how much legal attention they have attracted, but in general. And I think that the X server's design is the same. What StarDict did was use an intentional part of the design, not a hack or the exploitation of a vulnerability. Which is why the Android comparison doesn't stand.

  • I completely agree. Also, these people have a lot of other assignments, as I imagine. I, for one, have certainly let things slide in the past that ended up biting me, for whatever reason, malice not included.

  • Absolutely. In my understanding and approach, it would need two smaller modifications:

    1. making "scanning" (the clipboard capturing feature) opt-in, with a huge notification for the implications

    2. disabling the English-Chinese online translation plugin by default

  • Yeah, I agree, it's tricky. And besides, the clipboard leak should be fixed for sure, malice or not. It's strange that it has been known for so long.

  • Yes, I do feel strongly about attributing malice to someone who I think didn't warrant it. I especially think that they are not malicious, because of the fact that they don't admit to their doing as a security hole, but as functionality. And I do care about security a lot - if this was on my software repository, I'd frankly pull the package until it's fixed.

    >why it's not malicious to write and distribute a program that sends passwords and other sensitive information over unencrypted http in 2025

    One of the reasons is that it has been like that since at least 2009, so for 16 years.

    I'm not defending the bug. It's a glaringly stupid thing to do, and distribute, and it questions the competency of everyone involved. I do maintain that it's not malicious intent.

HackerNews