Comment 1 for bug 1432516

Johannes Meixner (jsmeix) wrote :

Our SUSE security team informed me about that issue.

Meanwhile the issue was reported 11 weeks ago and
up to now there is no response from HPLIP upstream.

This proves that HPLIP upstream is not really interested
in solving security issues sufficiently.

In the past there have been various security issues in HPLIP.
The HPLIP software is full of various kind of security issues.

I do not have the time to continuously fix security bug after
security bug after security bug in a software where upstream
introduces security issue after security issue after security issue
and where upstream introduces functionality that is "by design"
a security issue for a Linux distributor - at least for SUSE.

The only thing I am willing to do here is to disable the whole
hp-plugin proprietary driver download functionality in HPLIP
like I had already disabled the whole hp-upgrade functionality.

The root of this issue is the same as it was for the
hp-upgrade functionality:

HPLIP downloads and installs software onto a user's system
that is not from the Linux distributor (i.e. third-party software).

The hp-upgrade functionality downloads and installs
a whole HPLIP upgrade, the hp-plugin functionality
downloads and installs proprietary driver/firmware.

This behaviour is a generic security issue for a Linux distributor
who provides maintenance (in particular security updates)
for his users.

I have already explained that, see my
"Explanation why I cannot run hp-config_usb_printer via udev:" in
https://bugs.launchpad.net/hplip/+bug/1220628/comments/18

Accordingly it seems I must disable the whole hp-plugin proprietary
driver/firmware download functionality in HPLIP for SUSE.

As a positive side-effect users who use HPLIP from SUSE
would be no longer affected by the gpg key issue here.

It could be seen as a negative consequence that then
HPLIP from SUSE no longer supports those
weak cheap printers that need proprietary stuff.

From my point of view as HPLIP package maintainer at SUSE
this is even a positive consequence, because then
users with such printers must actively download and
install HPLIP directly from HP, and then issues with HPLIP
for such printers no longer bother me but only HP.

Of course normal printers "just work" with free software
including the free parts of HPLIP that SUSE provides.