[opensuse-project] Re: [opensuse-factory] The release notes/product highlights for 12.1
On Monday 24 Oct 2011 22:35:37 Ilya Chernykh wrote:
I think you could add info on KDE3 being included in 12.1. Possibly it is worth mentioning that this offers asylum for at least a part of the users who dislike Gnome 3.
This is my strong objection to mentioning KDE 3 in our 12.1 marketing and release notes. SUSE has a long and undistinguished history of letting noisy tails wag the whole dog, but there is no need for the openSUSE project to continue this.

Martin Gräßlin approaches the problems facing the Trinity fork of KDE 3 in this article at freiesmagazin [1] (German), but to apply his analysis to the KDE:KDE3 packages and our distribution, and for those who don't read German or trust machine translation, my objection comes down to 2 major things. In case you aren't aware of my qualifications to make this assessment, I've been part of the team maintaining KDE at SUSE for the past 6 going on 7 years.

1) Quality and security. Despite the KDE:KDE3 maintainer's high degree of activity in packaging every KDE 3 app out there and adapting the KDE 3 platform to build on current distributions, it is a mistake to equate this with sufficient maintenance to ensure adequate code quality to include this in our distribution. The KDE 3 and Qt 3 codebases are massive, include code in all the worst places to have a vulnerability, have been essentially unmaintained for over 2 years now, and *include many known bugs and vulnerabilities that have only been fixed in the 4 releases*. Assurances that the project is now maintained upstream by the Trinity project are hollow; the Trinity group is only a handful of people, none of whom are the original maintainers or developers of the code, and most of their effort is spent on writing a Qt4 compatibility layer and in porting the build system to cmake, not maintenance. In any case, the packages in KDE:KDE3 are based on 3.5.10 and only include some changes from the Trinity project's fork, which is now 3.5.12. openSUSE Factory maintainers made an error of judgement to resume including KDE 3 packages while they demonstrably fulfil the latter 3 of our drop criteria [2], and marketing should not join them in this.

2) The message sent by a retrograde step. Being unique in a bad way is not good for the project. Making a thing out of including KDE 3 is saying that we as a project invest energy in going backwards, and push (sorry) futile efforts as features. The set of KDE 3 users who have not yet switched to KDE 4 or to something else is small and we are not going to win more users, more contributors or recognition for the distro by speaking to these users' needs.
Also it is worth mentioning that openSUSE is the first distribution where KDE3 was brought back.
First and only because major distributions have a vision of where they want to go and how to invest their energy that isn't "be all things to all people, regardless". openSUSE should be a meritocracy, where things that have merit get included, instead of uncritically rewarding any activity.
openSUSE is the distro with the greatest choice of desktop environments out there, which is a major advantage. This became possible thanks to the wonderful OBS.
Yes, the OBS is wonderful, but openSUSE the distribution doesn't have to include everything OBS builds. The OBS and Studio also make it easy to spin your own niche distribution based on openSUSE.

Sincerely
Will

[1] http://www.freiesmagazin.de/mobil/freiesMagazin-2011-09-bilder.html#11_09_trinity
[2] http://en.opensuse.org/openSUSE:Factory_drop_policy

--
Will Stephenson, openSUSE Team
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg)

--
To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org
To contact the owner, email: opensuse-project+owner@opensuse.org
On 2011-10-25 01:14:31 (+0200), Will Stephenson wrote:
On Monday 24 Oct 2011 22:35:37 Ilya Chernykh wrote:
I think you could add info on KDE3 being included in 12.1. Possibly it is worth mentioning that this offers asylum for at least a part of the users who dislike Gnome 3.
This is my strong objection to mentioning KDE 3 in our 12.1 marketing and release notes. SUSE has a long and undistinguished history of letting noisy tails wag the whole dog, but there is no need for the openSUSE project to continue this. [...]
+1 to everything you wrote (and I was a strong proponent of keeping KDE3 with KDE4 in.. I don't even remember which version that was.. :))

But the situation has changed, a lot. KDE3 really is a dead cow.

While the point back then was that almost everyone was on KDE3 and that KDE4 wasn't ready for prime time, and that we would alienate a lot of users, this is absolutely not the case any more as of today. Everyone besides a small niche has moved to KDE4, and KDE4 is definitely ready for the job.

Let's please, pretty please, not take pointless technical decisions just to have a few more marketing bullet points to sell. Because that's what it really is.

cheers
--
-o) Pascal Bleser
/\\ http://opensuse.org -- we haz green
_\_v http://fosdem.org -- we haz conf
On 24.10.2011 16:41, Pascal Bleser wrote:
On 2011-10-25 01:14:31 (+0200), Will Stephenson wrote:
On Monday 24 Oct 2011 22:35:37 Ilya Chernykh wrote:
I think you could add info on KDE3 being included in 12.1. Possibly it is worth mentioning that this offers asylum for at least a part of the users who dislike Gnome 3.

This is my strong objection to mentioning KDE 3 in our 12.1 marketing and release notes. SUSE has a long and undistinguished history of letting noisy tails wag the whole dog, but there is no need for the openSUSE project to continue this. [...]
+1 to everything you wrote (and I was a strong proponent of keeping KDE3 with KDE4 in.. I don't even remember which version that was.. :))
But the situation has changed, a lot. KDE3 really is a dead cow.
The wording of Ilya to call his project KDE3 is unfortunate. But you, and others, take the context and put the word "dead" close to Trinity, which is of course based on KDE3. Still you are not talking about KDE3. You talk about Trinity and the Trinity team's work in this thread. We all know how much love goes into most people's projects. It is in most cases a very personal thing. I am shocked seeing you beating a smaller project on this emotional level. Such vocal killings are IMO not sensible, especially so close inside the openSUSE community. Otherwise the openSUSE community being welcoming loses value.

While the point back then was that almost everyone was on KDE3 and that KDE4 wasn't ready for prime time, and that we would alienate a lot of users, this is absolutely not the case any more as of today. Everyone besides a small niche has moved to KDE4, and KDE4 is definitely ready for the job.

I am pretty sure you have useful arguments about why you do not want to support a KDE3 fork. That's easily understandable as an argument. No need to spread bad feeling around.

kind regards
Kai-Uwe

PS: sorry if my post distracts from the original topic. But a direct answer seems most appropriate.
On Tuesday, 25 October 2011, 08:15:12, Kai-Uwe Behrmann wrote:
We all know how much love goes into most people's projects. It is in most cases a very personal thing. I am shocked seeing you beating a smaller project on this emotional level. Such vocal killings are IMO not sensible, especially so close inside the openSUSE community.
What's so shocking about stating facts? Ignoring facts is shocking and Will gave you facts about the security and maintenance issues.

Sven
On 25.10.2011 19:14, Sven Burmeister wrote:
On Tuesday, 25 October 2011, 08:15:12, Kai-Uwe Behrmann wrote:
We all know how much love goes into most people's projects. It is in most cases a very personal thing. I am shocked seeing you beating a smaller project on this emotional level. Such vocal killings are IMO not sensible, especially so close inside the openSUSE community.

What's so shocking about stating facts? Ignoring facts is shocking and Will gave you facts about the security and maintenance issues.
I am not shocked about any facts brought up in this discussion. I am shocked about the emotionally stressful and disrespectful tone of some posters. That seriously lessens my joy while reading facts.

kind regards
Kai-Uwe
Kai-Uwe Behrmann wrote:
On 24.10.2011 16:41, Pascal Bleser wrote:
But the situation has changed, a lot. KDE3 really is a dead cow.
The wording of Ilya to call his project KDE3 is unfortunate. But you, and others, take the context and put the word "dead" close to Trinity, which is of course based on KDE3. Still you are not talking about KDE3. You talk about Trinity and the Trinity team's work in this thread.
We all know how much love goes into most people's projects. It is in most cases a very personal thing. I am shocked seeing you beating a smaller project on this emotional level. Such vocal killings are IMO not sensible, especially so close inside the openSUSE community.
Well said. It's not very encouraging for any wanna-be packager or developer out there.

--
Per Jessen, Zürich (9.1°C)
On Tue 25 Oct 2011 12:41:26 NZDT +1300, Pascal Bleser wrote:
But the situation has changed, a lot. KDE3 really is a dead cow.
As is KDE4 if it's not really careful really soon.
While the point back then was that almost everyone was on KDE3 and that KDE4 wasn't ready for prime time, and that we would alienate a lot of users, this is absolutely not the case any more as of today. Everyone besides a small niche has moved to KDE4, and KDE4 is definitely ready for the job.
It's ready for some jobs, if you're prepared to put up with a lot of nonsense. I was using KDE3 on 11.1 and was looking forward to 11.4 a few months ago. konqueror3 was getting very long in the tooth and failing with lockups on many sites, or failing outright on javascript, but in comparison konqueror4 is just rubbish - it doesn't even handle the pfsense (firewall) UI, just to mention one of the many javascript sites that actually work in 3 and are dead in 4. I was trying hard to avoid the mozbloat, but bloat beats dead duck. Quite a few apps are nowhere to be seen in KDE4, like quanta.

KDE4 has quite some way to go to reach where KDE3 used to be. It's way too buggy. https://bugs.kde.org/show_bug.cgi?id=258916 must about take the prize for duplicates - KDE parts crashing more than once a day and no idea where to start looking for the bug after 9 months. The only KDE bug report I had an instant response to was about the desktop 3D-flipcrap gizmos. I hope that's not indicative of where the development effort is concentrated.

Gtk apps are getting steadily better, soon there'll be no point in having KDE at all. With KDE4 not having caught up yet there's talk about qt5. Is that going to be a repeat of years of unfinished deadlined 4 with gutless useless 5? Sure there are a few good things in KDE 4 but sorry, the bottom line is a disappointment. I appreciate the apps from 3 that are still around and working.

Volker

--
Volker Kuhlmann
http://volker.dnsalias.net/
Please do not CC list postings to me.
On 10/25/11 00:14, Will Stephenson wrote:
On Monday 24 Oct 2011 22:35:37 Ilya Chernykh wrote:
I think you could add info on KDE3 being included in 12.1. Possibly it is worth mentioning that this offers asylum for at least a part of the users who dislike Gnome 3.
2) The message sent by a retrograde step. Being unique in a bad way is not good for the project. Making a thing out of including KDE 3 is saying that we as a project invest energy in going backwards, and push (sorry) futile efforts as features. The set of KDE 3 users who have not yet switched to KDE 4 or to something else is small and we are not going to win more users, more contributors or recognition for the distro by speaking to these users' needs.
For what it is worth I agree with Will. It is a fine thing that openSUSE is a flexible thing interested in accommodating the needs of many, but marketing what is demonstrably the past will not help openSUSE grow, and will distract potential users from the real innovations contained therein.

Regards
M
On 25/10/2011 10:33, Matt Gray wrote:
It is a fine thing that openSUSE is a flexible thing interested in accommodating the needs of many, but marketing what is demonstrably the past will not help openSUSE grow, and will distract potential users from the real innovations contained therein.
I don't agree. I can perfectly accept the security reasons, but is kde so exposed to security risks (apart maybe Konqueror)?

But the fact that openSUSE follows the user for a long time is very good. A new user may be glad to understand that openSUSE won't let him down at the next unnecessary change, if ever once kde developers (or any other) want to change to whatever they imagine is better, like they did for kde3->kde4. What do KOffice users think?

This doesn't mean we have to follow everything, but if some users are volunteer enough to make a follow-up, we have to thank them and advertise the result. If not, why advertise Evergreen? or Tumbleweed (how many maintainers do they have??)

Of course, we have to word this accordingly. Having kde3 is not the latest brand new info, but having a "we won't let you alone" chapter is good.

jdd

--
http://www.dodin.net
http://pizzanetti.fr
On 2011-10-25 10:57:48 (+0200), jdd wrote:
On 25/10/2011 10:33, Matt Gray wrote:
It is a fine thing that openSUSE is a flexible thing interested in accommodating the needs of many, but marketing what is demonstrably the past will not help openSUSE grow, and will distract potential users from the real innovations contained therein.
I don't agree.
I can perfectly accept the security reasons, but is kde so exposed to security risks (apart maybe Konqueror)?
Yes. C'mon, if Will says so, it's yes. How much C++ coding in Qt3 and KDE3 have you done to question his opinion on this? Thought so, so it's "yes". There are lots and lots of places in the code base that are potentially subject to security issues. If you're not a software developer, then please take the word of a software developer for it. Please show some respect for the opinion of the people who have a clue here. And it doesn't get more experienced in this topic than with Will.
But the fact that openSUSE follows the user for a long time is very good.
Depends, it also has a high cost in maintenance. We can't have both new features and dragging along barely maintained stuff for ages. It might make sense in very specific situations (such as when KDE4 wasn't really ready for broad usage), but not in this case.
A new user may be glad to understand that openSUSE won't let him down at the next unnecessary change, if ever once kde developers (or any other) want to change to whatever they imagine is better, like they did for kde3->kde4.
If they care about that, we already "let them down" because of the rather short lifetime. And if upstream (the KDE developers, in this case) changes the software, we cannot do anything about it, that's just how it works. Actually, as Will said, even shipping KDE3 with the distribution is wrong in the first place, as we have no idea how long the few people who currently maintain KDE3 will be able to keep up their work. And it puts a heavy burden on the security and KDE teams at openSUSE, because they will be the ones who will have to fix the security issues when they arise, if it isn't done by the current KDE3 maintainers upstream. And we all only have so much time in a day: what needs to be done there will take time away from doing other (undoubtedly more useful) stuff elsewhere.
This doesn't mean we have to follow everything, but if some users are volunteer enough to make a follow-up, we have to thank them and advertise the result. If not, why advertise Evergreen? or Tumbleweed (how many maintainers do they have??)
Of course, we have to word this accordingly. Having kde3 is not the latest brand new info, but having a "we won't let you alone" chapter is good.
But still, it's just wrong to advertise that as a new feature of 12.1 and to emphasize it. If the handful of people who currently maintain KDE3 give up, which is very likely to happen because:
1) almost no one uses KDE3 any more, so the effort is rather futile,
2) they're just a handful of people and it's doubtful they know their way around the code base that well
... then what? That boldly advertised great new feature of 12.1 will explode in our face. Well, not your face, you won't have to maintain the code base.

Really, having it in the distro is wrong in the first place, and advertising it boldly as an important new feature of 12.1 will only make matters worse.

cheers
--
-o) Pascal Bleser
/\\ http://opensuse.org -- we haz green
_\_v http://fosdem.org -- we haz conf
On 25/10/2011 11:27, Pascal Bleser wrote:
I can perfectly accept the security reasons, but is kde so exposed to security risks (apart maybe Konqueror)?
Yes. C'mon, if Will says so, it's yes. How much C++ coding in Qt3 and KDE3 have you done to question his opinion on this?
and why should I have? All the ports of my computer are closed and I don't use kde for browsing, my firewall is up. Where can I have problems? I see in the wild many packages that are not maintained, think of wodim, for example. I agree that kde is a big one :-). But still, what harm can its use do? Better, do you have any example of big problems really seen?
But still, it's just wrong to advertise that as a new feature of 12.1 and to emphasize it.
of course it's not a "new" feature
If the handful of people who currently maintain KDE3 give up, which is very likely to happen because: 1) almost no one uses KDE3 any more, so the effort is rather futile,
is there a real way to know that? (obs statistics?)
2) they're just a handful of people and it's doubtful they know
looks like those people are only packaging. So yes, sooner or later we will have to let this out, like we will have to let out 11.1

jdd

--
http://www.dodin.net
http://pizzanetti.fr
On Tuesday 25 October 2011, at 11:38 +0200, jdd wrote:
On 25/10/2011 11:27, Pascal Bleser wrote:
I can perfectly accept the security reasons, but is kde so exposed to security risks (apart maybe Konqueror)?
Yes. C'mon, if Will says so, it's yes. How much C++ coding in Qt3 and KDE3 have you done to question his opinion on this?
and why should I have? All the ports of my computer are closed and I don't use kde for browsing, my firewall is up.
where can I have problems?
Vulnerabilities do not always come from ports that are open. It can be a PDF file that is mis-interpreted, for instance...

Vincent

--
Happy people are not in a hurry.
On 25/10/2011 11:41, Vincent Untz wrote:
Vulnerabilities do not always come from ports that are open. It can be a PDF file that is mis-interpreted, for instance...
well... and then?

I don't want to be too long, nor hijack a thread. But have real threats been signaled against kde3 (links, please)? I mean, it's the same as using any distro: there are major bugs that have to be fixed for security (ssh bug, firefox ones...), and usual bugs that may give data loss but we can live with. For me security is the risk of opening my computer to bad people. Is there a known list of major such security breaks in kde3? (it's a real question, I hope you can say yes and give me the link)

I say so because I every day experience situations where security is more an obsessive compulsion than a real threat. This is not a bad thing when dealing with new products, but we don't have to go too far. I "manage" a server driven by a debian 3.0 not updated for ages and never compromised - I simply can't update it (hardware too old) and I work on openSUSE when I should take time building a replacement server. It has been running since the year 2000 and I wonder why it's still up and running :-). I don't advise anybody to do the same, only that the risk may not always be as big as one thinks.

jdd

--
http://www.dodin.net
http://pizzanetti.fr
On Tuesday 25 October 2011, at 11:58 +0200, jdd wrote:
On 25/10/2011 11:41, Vincent Untz wrote:
Vulnerabilities do not always come from ports that are open. It can be a PDF file that is mis-interpreted, for instance...
well... and then?
I don't want to be too long, nor hijack a thread. But have real threats been signaled against kde3 (links, please)?
I was just answering your mail where you implied there was no risk for you since you had no open ports. I have no idea about KDE 3 security in general...

Vincent

--
Happy people are not in a hurry.
On 10/25/2011 05:58 AM, jdd wrote:
On 25/10/2011 11:41, Vincent Untz wrote:
Vulnerabilities do not always come from ports that are open. It can be a PDF file that is mis-interpreted, for instance...
well... and then?
I don't want to be too long, nor hijack a thread. But have real threats been signaled against kde3 (links, please)?
I mean, it's the same as using any distro: there are major bugs that have to be fixed for security (ssh bug, firefox ones...), and usual bugs that may give data loss but we can live with.
for me security is the risk of opening my computer to bad people.
is there a known list of major such security breaks in kde3? (it's a real question, I hope you can say yes and give me the link)
Will already answered this question about 20 minutes prior to your post:

"http://www.kde.org/info/security/ is a start. Nobody cares to systematically correlate bugs found and fixed in KDE 4 with KDE 3 any more though. Some maintainers have mass-closed their KDE 3 bugs. The Trinity bugtracker is mainly concerned with integration issues with recent Kubuntu releases. I occasionally get a CVE vs KDE 3 code which I fix, but there must be a lot of stuff getting by, simply due to the high degree of commonality of non-Plasma KDE3 and KDE4 code."

Later,
Robert

--
Robert Schweikert
MAY THE SOURCE BE WITH YOU
SUSE-IBM Software Integration Center
LINUX Tech Lead
rjschwei@suse.com
rschweik@ca.ibm.com
781-464-8147
On 25/10/2011 13:17, Robert Schweikert wrote:
Will already answered this question about 20 minutes prior to your post:
seems like some posts go to project and some others to factory
correlate bugs found and fixed in KDE 4 with KDE 3 any more though. Some
do you mean kde3 and kde4 suffer from the same bugs? I got the impression that kde3 and kde4 were completely different code

jdd

--
http://www.dodin.net
http://pizzanetti.fr
On 10/25/2011 07:33 AM, jdd wrote:
On 25/10/2011 13:17, Robert Schweikert wrote:
Will already answered this question about 20 minutes prior to your post:
seems like some posts go to project and some others to factory
Yes, the problem with people cross-posting, annoying.
correlate bugs found and fixed in KDE 4 with KDE 3 any more though. Some
do you mean kde3 and kde4 suffer from the same bugs?
No it means that no one is tracking the existing security vulnerabilities in KDE3 anymore because the majority of KDE developers have moved on to the current version.
I got the impression that kde3 and kde4 were completely different code

jdd
--
Robert Schweikert
MAY THE SOURCE BE WITH YOU
SUSE-IBM Software Integration Center
LINUX Tech Lead
rjschwei@suse.com
rschweik@ca.ibm.com
781-464-8147
On 25/10/2011 13:38, Robert Schweikert wrote:
do you mean kde3 and kde4 suffer from the same bugs?
No it means that no one is tracking the existing security vulnerabilities in KDE3 anymore because the majority of KDE developers have moved on to the current version.
yes, this is obvious (for me, at least), but kde3 was pretty stable and old code, so on a 5-year-old computer like the one I use right now, it should be good. I of course do not think using kde3 is the next glorious thing to do, but I see this pretty near to Evergreen, which was pretty well received and, if I didn't miss something, also needs a new maintainer.

But your last proposal (other mail), of letting such things in a special section, is good (see the factory list for people only within project; I don't know when, but some posts are cross-posted, but not all).

jdd

--
http://www.dodin.net
http://pizzanetti.fr
On Tuesday, October 25, 2011 11:58:29 jdd wrote:
is there a known list of major such security breaks in kde3?
You can answer that one yourself, a good start are security fixes which never made it into Qt3. To give you a headstart, I would not use SSL for anything from Qt3 since the certificates it shipped have never been updated -- and that's just a very recent one one can find without digging. There are so many security-critical components in there, it's not even funny. I'd strongly advise against using KDE3 nowadays, and would certainly not advertise it.

So yes, there are _real_ security problems when using KDE 3. It's basically one big brown paper bag filled with brown paper bags.

--
sebas
http://www.kde.org | http://vizZzion.org | GPG Key ID: 9119 0EF9
On 25/10/2011 17:11, Sebastian Kügler wrote:
On Tuesday, October 25, 2011 11:58:29 jdd wrote:
is there a known list of major such security breaks in kde3?
You can answer that one yourself,

if I ask, it's because I can't

a good start are security fixes which never made it into Qt3. To give you a headstart, I would not use SSL for anything from Qt3 since the certificates it shipped have never been updated

never since qt3 was released or since kde3 was dropped?

-- and that's just a very recent one one can find without digging. There are so many security-critical components in there, it's not even funny. I'd strongly advise against using KDE3 nowadays, and would certainly not advertise it.
So yes, there are _real_ security problems when using KDE 3. It's basically one big brown paper bag filled with brown paper bags.

do you have a practical example of problems? If we should have problems each time a certificate is obsolete, the internet would be down for long (maybe it is :-) - this error I have twice a day when surfing

jdd

--
http://www.dodin.net
http://pizzanetti.fr
On Tuesday, October 25, 2011 11:31:08 AM jdd wrote:
do you have practical example of problems?
Recently one certification authority (company) was removed from all browsers that are still maintained. The reason for that is that they were tricked into issuing a few fake certificates. The KDE3 list is not updated so users are vulnerable.

--
Regards, Rajko
On 26/10/2011 03:36, Rajko M. wrote:
On Tuesday, October 25, 2011 11:31:08 AM jdd wrote:
do you have practical example of problems?
Recently one certification authority (company) was removed from all browsers that are still maintained. The reason for that is that they were tricked into issuing a few fake certificates. The KDE3 list is not updated so users are vulnerable.
but do you know of a computer compromised by this? When I say practical, I mean real problems, not virtual ones. For example, what were the fake certificates used for? I doubt every server is updated (in fact I know many are not). But I would like to know if some (many?) linux (all distros) servers are compromised. Given Linux is claimed to be very secure, I'm pretty sure that newspapers would like to bash us if they could. Again, it's not to say we don't have to update, only to try evaluating the risk.

thanks
jdd

--
http://www.dodin.net
http://pizzanetti.fr
jdd wrote:
On 26/10/2011 03:36, Rajko M. wrote:
On Tuesday, October 25, 2011 11:31:08 AM jdd wrote:
do you have practical example of problems?
Recently one certification authority (company) was removed from all browsers that are still maintained. The reason for that is that they were tricked into issuing a few fake certificates. The KDE3 list is not updated so users are vulnerable.
but do you know of a computer compromised by this? When I say practical, I mean real problems, not virtual ones. For example, what were the fake certificates used for?
Well, you have to ask some affected Iranian. This list likely has the wrong audience.

Anyways, in general no package must include its own list of root CA certificates but rather use the distro provided defaults. If you find some package that includes its own list please file a bug and let the package maintainer fix it (CC security). Should be an easy task.

cu
Ludwig

--
(o_  Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
On Wednesday, October 26, 2011 02:05:37 AM Ludwig Nussel wrote:
Anyways, in general no package must include its own list of root CA certificates but rather use the distro provided defaults. If you find some package that includes its own list please file a bug and let the package maintainer fix it (CC security). Should be an easy task.
Is that valid for Mozilla products and Chromium?

--
Regards, Rajko
Rajko M. wrote:
On Wednesday, October 26, 2011 02:05:37 AM Ludwig Nussel wrote:
Anyways, in general no package must include its own list of root CA certificates but rather use the distro provided defaults. If you find some package that includes its own list please file a bug and let the package maintainer fix it (CC security). Should be an easy task.
Is that valid for Mozilla products and Chromium?
It would be desirable, yes. The system list is Mozilla's anyways. AFAIK Chromium uses NSS too so if NSS was able to read an external source instead of only the compiled in(!) ones, both browsers would automatically use the system certs.

cu
Ludwig

--
(o_  Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Hi,

On 27.10.2011 08:43, Ludwig Nussel wrote:
Rajko M. wrote:
On Wednesday, October 26, 2011 02:05:37 AM Ludwig Nussel wrote:
Anyways, in general no package must include its own list of root CA certificates but rather use the distro provided defaults. If you find some package that includes its own list please file a bug and let the package maintainer fix it (CC security). Should be an easy task.
Is that valid for Mozilla products and Chromium?
It would be desirable, yes. The system list is Mozilla's anyways. AFAIK Chromium uses NSS too so if NSS was able to read an external source instead of only the compiled in(!) ones both browsers would automatically use the system certs.
The root cert list which is used by Firefox (NSS) has been a separate package for quite some time.

Hygiea:~ # rpm -ql mozilla-nss-certs
/usr/lib64/libnssckbi.so

People who know how to do it can replace that package with another one providing "mozilla-nss-certs". The openSUSE NSS package (and the typical Mozilla apps) are (in theory) fully prepared to work with a custom certificate database on system (and also user) level. Currently all Mozilla apps are using the same root certificate list, but it's also possible that all Mozilla apps use the same database for personal certs. That feature has been in an experimental stage for 2 or 3 years and never left it because of missing testing/experience.

Wolfgang
On Wednesday, October 26, 2011 01:53:27 AM jdd wrote: ...
but do you know of a computer compromised by this? When I mean practical, I mean a real problem, not virtual ones. For example, what were the fake certificates used for?
To let a man in the middle pretend it is Google and a few others, including the Dutch government. The company is DigiNotar and you can check Wikipedia for a digest of what happened.
... jdd

--
Regards, Rajko
Le 26/10/2011 03:36, Rajko M. a écrit :
Recently one certification authority (company) was removed from all browsers that are still maintained. The reason for that is that they were tricked into issuing a few fake certificates. The KDE3 list is not updated, so users are vulnerable.
but do you know of a computer compromised by this? When I mean practical, I mean a real problem, not virtual ones. For example, what were the fake certificates used for?
No, that's a real danger. They faked certificates from several important companies - I don't remember the details, but you can google it, or in /. I don't remember right now the name of the company, my bad. A European government had to take its entire Internet eGov structure out of service for a while, IIRC. The danger is for any non-updated browser on any OS. I don't know if our KDE3 was updated for this one.

--
Cheers,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
Le 27/10/2011 11:42, Carlos E. R. a écrit :
The danger is for any non-updated browser on any OS.
I don't know if our KDE3 was updated for this one.
better not use Konqueror then for going out of the computer

jdd
--
http://www.dodin.net
http://pizzanetti.fr
The Testing Core Team discussed the issue of setting the default boot method and how one might switch between SystemV and systemd. Would it be possible to include some language in the release notes that tells what one needs to do? If the default is systemd and it fails for a given machine, it is a real pain to need to use the F5 method every time. I know that adding "init=/sbin/sysvinit" to the boot options line will use SystemV, but something about the "approved" method should be included.

Thanks,
Larry
Le jeudi 27 octobre 2011, à 09:51 -0500, Larry Finger a écrit :
The Testing Core Team discussed the issue of setting the default boot method and how one might switch between SystemV and systemd. Would it be possible to include some language in the release notes that tells what one needs to do? If the default is systemd and it fails for a given machine, it is a real pain to need to use the F5 method every time. I know that adding "init=/sbin/sysvinit" to the boot options line will use SystemV, but something about the "approved" method should be included.
To get something mentioned in the release notes, please file a bug against the release notes component in openSUSE 12.1. But you'll likely need to have the text first, so someone would need to answer your question (it might be that removing the systemd-sysvinit package is all you need).

Cheers,
Vincent
--
Happy people are not in a hurry.
On 10/27/2011 03:53 PM, Vincent Untz wrote:
To get something mentioned in the release notes, please file a bug against the release notes component in openSUSE 12.1. But you'll likely need to have the text first, so someone would need to answer your question (it might be that removing the systemd-sysvinit package is all you need)
I did a bit of testing. Trying to switch from SystemV to systemd by removing systemd-sysvinit might work, but removing the systemd package to go the other way gets into a lot of dependency warnings. The following commands work, but may not be optimal:

To select SystemV as default, run the following (as root):

rm /sbin/init
ln -s /sbin/sysvinit /sbin/init

To select systemd as default, run the following:

rm /sbin/init
ln -s /bin/systemd /sbin/init

Should this kind of change be possible through a YaST GUI, or as a pair of scripts?

Larry
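A safer form of the symlink swap Larry describes above, added here as an example and not taken from the thread: it checks that the chosen init binary exists and is executable before touching anything, and replaces the link with a rename so there is never a moment without /sbin/init. ROOT is an assumed environment variable for pointing the function at a scratch tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the thread). Switches the /sbin/init symlink between
# the two targets quoted in the mail, with a sanity check and an atomic swap.
# ROOT (assumed) prefixes every path; empty means the live system.

select_init() {
    choice="$1"
    root="${ROOT:-}"
    case "$choice" in
        sysv)    target="/sbin/sysvinit" ;;   # path from the thread
        systemd) target="/bin/systemd" ;;     # path from the thread
        *) echo "usage: select_init sysv|systemd" >&2; return 2 ;;
    esac
    # Refuse to point /sbin/init at something missing or not executable:
    # a dangling link here means an unbootable system.
    if [ ! -x "$root$target" ]; then
        echo "error: $root$target is missing or not executable" >&2
        return 1
    fi
    # Build the new link beside the old one, then rename over it. rename(2)
    # is atomic, so a crash in between leaves either the old or the new link.
    tmp="$root/sbin/.init.new.$$"
    ln -s "$target" "$tmp" || return 1
    mv -f "$tmp" "$root/sbin/init" || { rm -f "$tmp"; return 1; }
    return 0
}

# Report what /sbin/init currently points at (empty if it is not a symlink).
current_init() {
    readlink "${ROOT:-}/sbin/init"
}
```

Run it as root on the live system with ROOT unset; with ROOT set to a throwaway directory it can be exercised without any risk to the machine.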
On 2011-10-25 11:27, Pascal Bleser wrote:
That boldly advertised great new feature of 12.1 will explode in our face. Well, not your face, you won't have to maintain the code base.
Can't you (plural) come up with a phrase that somehow advertises that KDE3 is somehow still available here, without implying that it has the same level of maintenance that KDE4 has? A compromise? It is a fact that there are people still using or wanting to use KDE3. Why not tell them? Sure, not at the same level as KDE4, that's obvious.

--
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
Pascal Bleser wrote:
On 2011-10-25 10:57:48 (+0200), jdd
wrote: On 25/10/2011 10:33, Matt Gray wrote:
It is a fine thing that openSUSE is a flexible thing interested in accommodating the needs of many, but marketing what is demonstrably the past will not help openSUSE grow, and will distract potential users from the real innovations contained therein.
I don't agree.
I can perfectly accept the security reasons, but is KDE so exposed to security risks (apart maybe from Konqueror)?
Yes. C'mon, if Will says so, it's yes. How much C++ coding in Qt3 and KDE3 have you done to question his opinion on this? Thought so, so it's "yes". There are lots and lots of places in the code base that are potentially subject to security issues.
The biggest security risk is usually sitting in front of the screen. Regardless, it is difficult to accept that the security flaws in KDE3 should have increased since KDE4 was introduced.

--
Per Jessen, Zürich (11.4°C)
Please open up a new thread for KDE3. It's deviated too much from the topic / subject
On Tue, Oct 25, 2011 at 6:49 PM, Per Jessen
Pascal Bleser wrote:
On 2011-10-25 10:57:48 (+0200), jdd
wrote: On 25/10/2011 10:33, Matt Gray wrote:
It is a fine thing that openSUSE is a flexible thing interested in accommodating the needs of many, but marketing what is demonstrably the past will not help openSUSE grow, and will distract potential users from the real innovations contained therein.
I don't agree.
I can perfectly accept the security reasons, but is KDE so exposed to security risks (apart maybe from Konqueror)?
Yes. C'mon, if Will says so, it's yes. How much C++ coding in Qt3 and KDE3 have you done to question his opinion on this? Thought so, so it's "yes". There are lots and lots of places in the code base that are potentially subject to security issues.
The biggest security risk is usually sitting in front of the screen. Regardless, it is difficult to accept that the security flaws in KDE3 should have increased since KDE4 was introduced.
-- Per Jessen, Zürich (11.4°C)

--
Regards
Manu Gupta
On 25/10/2011 15:37, Manu Gupta wrote:
Please open up a new thread for KDE3. It's deviated too much from the topic / subject
manu, the true problem is what we shall include in the release notes. Do we have to include KDE3 or not? And I don't know at all why this discussion ends up on -project

jdd
--
http://www.dodin.net
http://pizzanetti.fr
On 25/10/2011 15:19, Per Jessen wrote:
The biggest security risk is usually sitting in front of the screen. Regardless, it is difficult to accept that the security flaws in KDE3 should have increased since KDE4 was introduced.
thank you for the help :-). However, I try to be fair, and it's possible that big holes were discovered recently, or happen with new hardware. KDE3 maintainers that want to continue should at least quote these (if any).

I keep thinking that having such a group (KDE3 maintainers) is a plus for openSUSE, whatever risk it gives. I'm not so sure that the risk of having new software is not present also, and we have to live with it.

As we have to use metaphors, some use cars, let me use sail boats. I used to sail. I like to read wreck comments, let alone to see what was wrong and what can be done to prevent them.

I would like to read stories of people having their server hijacked through a security hole or by a KDE3 security problem. I certainly won't run KDE3 on any critical system, but if we should remove all the software nobody should run on a critical system, we would not even have internet...

jdd

NB: I have a *lot* of such tales for Windows machines :-))
--
http://www.dodin.net
http://pizzanetti.fr
On Tue, Oct 25, 2011 at 05:54:27PM +0200, jdd wrote:
On 25/10/2011 15:19, Per Jessen wrote:
The biggest security risk is usually sitting in front of the screen. Regardless, it is difficult to accept that the security flaws in KDE3 should have increased since KDE4 was introduced.
thank you for the help :-). However, I try to be fair, and it's possible that big holes were discovered recently, or happen with new hardware.
KDE3 maintainers that want to continue should at least quote these (if any).
I keep thinking that having such a group (KDE3 maintainers) is a plus for openSUSE, whatever risk it gives. I'm not so sure that the risk of having new software is not present also, and we have to live with it.
As we have to use metaphors, some use cars, let me use sail boats. I used to sail. I like to read wreck comments, let alone to see what was wrong and what can be done to prevent them.
I would like to read stories of people having their server hijacked through a security hole or by a KDE3 security problem. I certainly won't run KDE3 on any critical system, but if we should remove all the software nobody should run on a critical system, we would not even have internet...
Are there actually more developers than just Ilya?

Ciao, Marcus