25 Oct
2011
25 Oct
'11
1:14 a.m.
On Monday 24 Oct 2011 22:35:37 Ilya Chernykh wrote:
I think you could add info on KDE3 being included in
12.1.
Possibly it worth mentioning that this makes asylum for at least a part of
users who dislike Gnome 3.
This is my strong objection to mentioning KDE 3 in our 12.1 marketing and
release notes. SUSE has a long and undistinguished history of letting noisy
tails wag the whole dog, but there is no need for the openSUSE project to
continue this.
Martin Gräßlin approaches the problems facing the Trinity fork of KDE 3 in
this article at freiesmagazin [1] (German), but to apply his analysis to the
KDE:KDE3 packages and our distribution, and for those who don't read German or
trust machine translation, my objection comes down to 2 major things. In case
you aren't aware of my qualifications to make this assessment, I've been part
of the team maintaining KDE at SUSE for the past 6 going on 7 years.
1) Quality and security. Despite the KDE:KDE3 maintainer's high degree of
activity in packaging every KDE 3 app out there and adapting the KDE 3
platform to build on current distributions, it is a mistake to equate this
with sufficient maintenance to ensure adequate code quality to include this in
our distribution. The KDE 3 and Qt 3 codebases are massive, include code in
all the worst places to have a vulnerability, have been essentially
unmaintained for over 2 years now, and *include many known bugs and
vulnerabilities that have only been fixed in the 4 releases*.
Assurances that the project is now maintained upstream by the Trinity project
are hollow; the Trinity group is only a handful of people, none of whom are
the original maintainers or developers of the code, and most of their effort
is spent on writing a Qt4 compatibility layer and in porting the build system
to cmake, not maintenance. In any case, the packages in KDE:KDE3 are based on
3.5.10 and only include some changes from the Trinity project's fork, which is
now 3.5.12.
openSUSE Factory maintainers made an error of judgement to resume including
KDE 3 packages while they demonstrably fulfil the latter 3 of our drop
criteria [2], and marketing should not join them in this.
2) The message sent by a retrograde step. Being unique in a bad way is not
good for the project. Making a thing out of including KDE 3 is saying that we
as a project invest energy in going backwards, and push (sorry) futile efforts
as features. The set of KDE 3 users who have not yet switched to KDE 4 or to
something else is small and we are not going to win more users, more
contributors or recognition for the distro by speaking to these users' needs.
Also it worth mentioning that openSUSE is the first
distribution where KDE3
was returned back.
First and only because major distributions have a vision of where they want to
go and how to invest their energy that isn't "be all things to all people,
regardless". openSUSE should be a meritocracy, where things that have merit
get included, instead of uncritically rewarding any activity.
openSUSE is a distro with greatest choice of desktop
environments out there
which is a major advantage. This became possible due to wonderful OBS.
Yes, the OBS is wonderful, but openSUSE the distribution doesn't have to
include everything OBS builds. The OBS and Studio also make it easy to spin
your own niche distribution based on openSUSE.
Sincerely
Will
[1] http://www.freiesmagazin.de/mobil/freiesMagazin-2011-09-
bilder.html#11_09_trinity
[2] http://en.opensuse.org/openSUSE:Factory_drop_policy
--
Will Stephenson, openSUSE Team
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer,
HRB 21284 (AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
25 Oct
25 Oct
1:41 a.m.
New subject: [opensuse-project] Re: The release notes/product highlights for 12.1
On 2011-10-25 01:14:31 (+0200), Will Stephenson <wstephenson(a)suse.de> wrote:
On Monday 24 Oct 2011 22:35:37 Ilya Chernykh wrote:
[...]
+1 to everything you wrote (and I was a strong proponent of
keeping KDE3 with KDE4 in.. I don't even remember which version
that was.. :))
But the situation has changed, a lot. KDE3 really is a dead cow.
While the point back then was that almost everyone was on KDE3
and that KDE4 wasn't ready for prime time, and that we would
alienate a lot of users, this is absolutely not the case any
more as of today. Everyone besides a small niche has moved to
KDE4, and KDE4 is definitely ready for the job.
Let's please, pretty please, not take pointless technical
decisions just to have a few more marketing bullet points to
sell. Because that's what it really is.
cheers
--
-o) Pascal Bleser
/\\ http://opensuse.org -- we haz green
_\_v http://fosdem.org -- we haz conf
I think you could add info on KDE3 being included
in 12.1.
Possibly it worth mentioning that this makes asylum for at least a part of
users who dislike Gnome 3.
This is my strong objection to mentioning KDE 3 in our 12.1 marketing and
release notes. SUSE has a long and undistinguished history of letting noisy
tails wag the whole dog, but there is no need for the openSUSE project to
continue this. 
5:15 p.m.
New subject: [opensuse-project] Re: [opensuse-factory] Re: The release notes/product highlights for 12.1
Am 24.10.2011 16:41, schrieb Pascal Bleser:
On 2011-10-25 01:14:31 (+0200), Will Stephenson
<wstephenson(a)suse.de> wrote:
The wording of Ilya to call his project KDE3 is unfortunate.
But you, and others, take to context and put the word "dead"
close to Trinity, which is of course based on KDE3. Still you are
not talking about KDE3. You talk about Trinity and the Trinities
teams work in this thread.
We all know how much of love goes in most peoples projects.
It is in most cases a very personal thing. I am shocked seeing
you beating a smaller project on this emotional level. Such vocal
killings are IMO non sensible, especially so close inside the
openSUSE community.
On Monday 24 Oct 2011 22:35:37 Ilya Chernykh
wrote:
[...]
+1 to everything you wrote (and I was a strong proponent of
keeping KDE3 with KDE4 in.. I don't even remember which version
that was.. :))
But the situation has changed, a lot. KDE3 really is a dead cow. I think you could add info on KDE3 being included
in 12.1.
Possibly it worth mentioning that this makes asylum for at least a part of
users who dislike Gnome 3.
This is my strong objection to mentioning KDE 3 in our
12.1 marketing and
release notes. SUSE has a long and undistinguished history of letting noisy
tails wag the whole dog, but there is no need for the openSUSE project to
continue this. Otherwise the openSUSE
community as being welcoming looses value.While the point back then was that almost
everyone was on KDE3
and that KDE4 wasn't ready for prime time, and that we would
alienate a lot of users, this is absolutely not the case any
more as of today. Everyone besides a small niche has moved to
KDE4, and KDE4 is definitely ready for the job.
I am pretty sure you have useful arguments about, why you
do not want to support a KDE3 fork. That's easily understandable as
argument. No need to spread bad feeling around.
kind regards
Kai-Uwe
PS: sorry, if my post distracts from the original topic. But a direct
answer seems most appropriate.
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
7:14 p.m.
New subject: [opensuse-project] Re: [opensuse-factory] Re: The release notes/product highlights for 12.1
Am Dienstag, 25. Oktober 2011, 08:15:12 schrieb Kai-Uwe Behrmann:
We all know how much of love goes in most peoples
projects.
It is in most cases a very personal thing. I am shocked seeing
you beating a smaller project on this emotional level. Such vocal
killings are IMO non sensible, especially so close inside the
openSUSE community.
What's so shocking about stating facts? Ignoring facts is shocking and Will
gave you facts about the security and maintenance issues.
Sven
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
26 Oct
26 Oct
7:58 p.m.
New subject: [opensuse-project] Re: [opensuse-factory] Re: The release notes/product highlights for 12.1
Am 25.10.2011 19:14, schrieb Sven Burmeister:
Am Dienstag, 25. Oktober 2011, 08:15:12 schrieb
Kai-Uwe Behrmann:
I am not shocked about any facts brought up in this discussion. I am
shocked about the emotional stressful and disrespectful tone of some
posters. That lessens seriously my joy while reading facts.
kind regards
Kai-Uwe
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
We all know how much of love goes in most peoples
projects.
It is in most cases a very personal thing. I am shocked seeing
you beating a smaller project on this emotional level. Such vocal
killings are IMO non sensible, especially so close inside the
openSUSE community.
What's so shocking about stating facts? Ignoring facts is
shocking and Will
gave you facts about the security and maintenance issues. 
25 Oct
25 Oct
8:03 p.m.
New subject: [opensuse-project] Re: [opensuse-factory] Re: The release notes/product highlights for 12.1
Kai-Uwe Behrmann wrote:
Am 24.10.2011 16:41, schrieb Pascal Bleser:
Well said. It's not very encouraging for any wanna-be packager or
developer out there.
--
Per Jessen, Zürich (9.1°C)
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
But the situation has changed, a lot. KDE3 really is a dead cow.
The wording of Ilya to call his project KDE3 is unfortunate.
But you, and others, take to context and put the word "dead"
close to Trinity, which is of course based on KDE3. Still you are
not talking about KDE3. You talk about Trinity and the Trinities
teams work in this thread.
We all know how much of love goes in most peoples projects.
It is in most cases a very personal thing. I am shocked seeing
you beating a smaller project on this emotional level. Such vocal
killings are IMO non sensible, especially so close inside the
openSUSE community. 
26 Oct
26 Oct
11:45 a.m.
New subject: [opensuse-project] Re: [opensuse-factory] Re: The release notes/product highlights for 12.1
On Tue 25 Oct 2011 12:41:26 NZDT +1300, Pascal Bleser wrote:
But the situation has changed, a lot. KDE3 really is a
dead cow.
As is KDE4 if it's not really careful really soon.
While the point back then was that almost everyone was
on KDE3
and that KDE4 wasn't ready for prime time, and that we would
alienate a lot of users, this is absolutely not the case any
more as of today. Everyone besides a small niche has moved to
KDE4, and KDE4 is definitely ready for the job.
It's ready for some jobs, if you're prepared to put up with a lot of
nonsense. I was using KDE3 on 11.1 and was looking forward to 11.4 a few
months ago. konqueror3 was getting very long in the tooth and failing
with lockups on many sites, or failing outright on javascript, but in
comparison konqueror4 is just rubbish - it doesn't even handle the
pfsense (firewall) UI just to mention one of the many javascript site
that actually work in 3 and are dead in 4. I was trying hard to avoid
the mozbloat, but bloat beats dead duck.
Quite a few apps are nowhere to be seen in KDE4, like quanta. KDE4 has
quite some way to go to reach where KDE3 used to be. It's way to buggy.
https://bugs.kde.org/show_bug.cgi?id=258916 must about take the prize
for duplicates - KDE parts crashing more than once a day and no idea
where to start looking for the bug after 9 months. The only KDE bug
report I had an instant response to was about the desktop 3D-flipcrap
gizmos. I hope that's not indicative for where the development effort is
concentrated. Gtk apps are getting steadily better, soon there'll be no
point in having KDE at all. With KDE4 not having caught up yet there's
talk about qt5. Is that going to be a repeat of years of unfinished
deadlined 4 with gutless useless 5?
Sure there are a few good things in KDE 4 but sorry the bottom line is a
disappointment. I appreciate the apps from 3 that are still around and
working.
Volker
--
Volker Kuhlmann
http://volker.dnsalias.net/ Please do not CC list postings to me.
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
25 Oct
25 Oct
10:33 a.m.
On 10/25/11 00:14, Will Stephenson wrote:
On Monday 24 Oct 2011 22:35:37 Ilya Chernykh wrote:
For what it is worth I am agreed with Will.
It is a fine thing that opensuse is flexible thing interested in
accommodating the needs of many, but marketing what is demonstrably the
past will not help opensuse grow, and will distract potential users from
the real innovations contained therein.
Regards
M
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
I think you could add info on KDE3 being included
in 12.1.
Possibly it worth mentioning that this makes asylum for at least a part of
users who dislike Gnome 3.
2) The message sent by a retrograde step. Being unique in a bad way is not
good for the project. Making a thing out of including KDE 3 is saying that we
as a project invest energy in going backwards, and push (sorry) futile efforts
as features. The set of KDE 3 users who have not yet switched to KDE 4 or to
something else is small and we are not going to win more users, more
contributors or recognition for the distro by speaking to these users' needs.
10:57 a.m.
Le 25/10/2011 10:33, Matt Gray a écrit :
It is a fine thing that opensuse is flexible thing
interested in
accommodating the needs of many, but marketing what is demonstrably the
past will not help opensuse grow, and will distract potential users from
the real innovations contained therein.
I don't agree.
I can perfectly accept the security reasons, but is kde so exposed to
security risks (apart may be konkeror)?
But the fact that openSUSE follow the user for a long time is very good.
New user may be glad to understand that openSUSE wont let him down at
the next unnecessary change, if ever once kde developpers (or any
other) want to change to what ever they imagine is better, like they
did for kde3->kde4.
What do think koffice users?
This don't mean we have to follow everything, but is some users are
voluteer enough to make a follow up, we have to thank them and
advertise the result. If not, why advertise evergreen? or Tumbleweed
(how many maintainer have them??)
Of course, we have to word this accordingly. having kde3 is not the
last brand new info, but having a "we wont let you alone" chapter is good.
jdd
--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
11:27 a.m.
On 2011-10-25 10:57:48 (+0200), jdd <jdd(a)dodin.org> wrote:
Le 25/10/2011 10:33, Matt Gray a écrit :
Yes. Cmon, if Will says so, it's yes. How much C++ coding in Qt3
and KDE3 have you done to question his opinion on this ?
Thought so, so it's "yes".
There are lots and lots of places in the code base that are
potentially subject to security issues.
If you're not a software developer, then please take the word of
a software developer for it.
Please show some respect for the opinion of the people who have
a clue here. And it doesn't get more experienced in this topic
than with Will.
It is a fine thing that opensuse is flexible thing
interested in
accommodating the needs of many, but marketing what is demonstrably the
past will not help opensuse grow, and will distract potential users from
the real innovations contained therein.
I don't agree.
I can perfectly accept the security reasons, but is kde so exposed
to security risks (apart may be konkeror)? But the fact that openSUSE follow the user for a long
time is
very good.
Depends, it also has a high cost in maintenance. We can't have
both new features and dragging along barely maintained stuff for
ages. It might make sense in very specific situations (such as
when KDE4 wasn't really ready for broad usage), but not in this
case.
New user may be glad to understand that openSUSE wont
let him down
at the next unnecessary change, if ever once kde developpers (or any
other) want to change to what ever they imagine is better, like they
did for kde3->kde4.
If they care about that, we already "let them down" because of
the rather short lifetime.
And if upstream (the KDE developers, in this case) changes the
software, we cannot do anything about it, that's just how it
works.
Actually, as Will said, even shipping KDE3 with the distribution
is wrong in the first place, as we have no idea how long the few
people who currently maintain KDE3 will be able to keep up their
work. And it puts a heavy burden on the security and KDE teams
at openSUSE, because they will be the ones who will have to fix
the security issues when they arise, if it isn't done by the
current KDE3 maintainers upstream.
And we all only have so much time in a day: what needs to be
done there will take time to do other (undoubtedly more useful)
stuff elsewhere.
This don't mean we have to follow everything, but
is some users are
voluteer enough to make a follow up, we have to thank them and
advertise the result. If not, why advertise evergreen? or Tumbleweed
(how many maintainer have them??)
Of course, we have to word this accordingly. having kde3 is not the
last brand new info, but having a "we wont let you alone" chapter is
good.
But still, it's just wrong to advertise that as a new feature of
12.1 and to emphasize it.
If the handful of people who currently maintain KDE3 give up,
which is very likely to happen because:
1) almost no one uses KDE3 any more, so the effort is rather
futile,
2) they're just a handful of people and it's doubtful they know
their way around the code base that well
... then what?
That boldly advertised great new feature of 12.1 will explode in
our face. Well, not your face, you won't have to maintain the
code base.
Really, having it in the distro is wrong in the first place, and
advertising it boldly as an important new feature of 12.1 will
only make matters worse.
cheers
--
-o) Pascal Bleser
/\\ http://opensuse.org -- we haz green
_\_v http://fosdem.org -- we haz conf
11:38 a.m.
Le 25/10/2011 11:27, Pascal Bleser a écrit :
and why should I have? All the ports of my computer are closed and I
don't use kde for browsing, my firewall is up.
where can I have problems?
I see in the wild many package that are not maintained, think of
wodim, for example.
I agree that kde if a big one :-). But still, what harm can do it's
use? better do you have any example of big problems really seen?
I can
perfectly accept the security reasons, but is kde so exposed
to security risks (apart may be konkeror)?
Yes. Cmon, if Will says so, it's yes. How much C++ coding in Qt3
and KDE3 have you done to question his opinion on this ? But still, it's just wrong to advertise that as a
new feature of
12.1 and to emphasize it.
of course it's not a "new" feature
If the handful of people who currently maintain KDE3 give up,
which is very likely to happen because:
1) almost no one uses KDE3 any more, so the effort is rather
futile,
is there a real way to know that? (obs statistics?)
2) they're just a handful of people and it's
doubtful they know
looks like that people are only packaging. so yes, soon or late we
will have to let this out, like we will have to let out 11.1
jdd
--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
11:41 a.m.
Le mardi 25 octobre 2011, à 11:38 +0200, jdd a écrit :
Le 25/10/2011 11:27, Pascal Bleser a écrit :
and why should I have? All the ports of my computer are closed and I
don't use kde for browsing, my firewall is up.
where can I have problems?
Vulnerabilities do not always come from ports that are open. It can be a
PDF file that is mis-interpreted, for instance...
Vincent
--
Les gens heureux ne sont pas pressés.
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
I can
perfectly accept the security reasons, but is kde so exposed
to security risks (apart may be konkeror)?
Yes. Cmon, if Will says so, it's yes. How much C++ coding in Qt3
and KDE3 have you done to question his opinion on this ?
11:58 a.m.
Le 25/10/2011 11:41, Vincent Untz a écrit :
Vulnerabilities do not always come from ports that are
open. It can be a
PDF file that is mis-interpreted, for instance...
well... and then?
I don't want to be too long, nor hijack a thread. but have real threat
be signaled against kde3 (links, please)?
I mean, it's the same as using any distro: there are major bugs that
have to be fixed for security (ssh bug, firefox ones...), and usual
bugs that may give data loss but we can live with.
for me security is the risk of opening my computer to bad people.
is there a known list of major such security break in kde3? (it's a
real question, I hope you can say yes and give me the link)
I say so, because I every day experiment situations where security is
more an obsessive compulsion than a real threat.
This is not a bad thing when dealing with new products, but don't have
to go too far. I "manage" a server driven by a debian 3.0 not updated
since ages and never compromised - I simply can't update it (hardware
too old) and work on openSUSE when I should take time building a
replacement server. It runs since year 2000 and I wonder why it's
still up and running :-).
I don't advertise anybody to do the same, only that the risk may not
be always as big as one think
jdd
--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
12:03 p.m.
Le mardi 25 octobre 2011, à 11:58 +0200, jdd a écrit :
Le 25/10/2011 11:41, Vincent Untz a écrit :
I was just answering to your mail where you implied there was no risk
for you since you had no open ports. I have no idea about KDE 3 security
in general...
Vincent
--
Les gens heureux ne sont pas pressés.
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
Vulnerabilities do not always come from ports that
are open. It can be a
PDF file that is mis-interpreted, for instance...
well... and then?
I don't want to be too long, nor hijack a thread. but have real
threat be signaled against kde3 (links, please)? 
1:17 p.m.
On 10/25/2011 05:58 AM, jdd wrote:
Le 25/10/2011 11:41, Vincent Untz a écrit :
Will already answered this question about 20 minutes prior to your post:
"http://www.kde.org/info/security/ is a start. Nobody cares to
systematically
correlate bugs found and fixed in KDE 4 with KDE 3 any more though. Some
maintainers have mass-closed their KDE 3 bugs. The Trinity bugtracker is
mainly concerned with integration issues with recent Kubuntu releaeses. I
occasionally get a CVE vs KDE 3 code which I fix, but there must be a
lot of
stuff getting by, simply due to the high degree of commonality of
non-Plasma
KDE3 and KDE4 code.
"
Later,
Robert
--
Robert Schweikert MAY THE SOURCE BE WITH YOU
SUSE-IBM Software Integration Center LINUX
Tech Lead
rjschwei(a)suse.com
rschweik(a)ca.ibm.com
781-464-8147
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
Vulnerabilities do not always come from ports
that are open. It can be a
PDF file that is mis-interpreted, for instance...
well... and then?
I don't want to be too long, nor hijack a thread. but have real threat
be signaled against kde3 (links, please)?
I mean, it's the same as using any distro: there are major bugs that
have to be fixed for security (ssh bug, firefox ones...), and usual bugs
that may give data loss but we can live with.
for me security is the risk of opening my computer to bad people.
is there a known list of major such security break in kde3? (it's a real
question, I hope you can say yes and give me the link)
1:33 p.m.
Le 25/10/2011 13:17, Robert Schweikert a écrit :
Will already answered this question about 20 minutes
prior to your post:
seems like some posts go to project and some others to factory
correlate bugs found and fixed in KDE 4 with KDE 3 any
more though. Some
do you mean kde3 and kde4 suffers same bugs? I got the image than kde3
and kde4 where completely different coding
jdd
--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
1:38 p.m.
On 10/25/2011 07:33 AM, jdd wrote:
No it means that no one is tracking the existing security
vulnerabilities in KDE3 anymore because the majority of KDE developers
have moved on to the current version.
Le 25/10/2011 13:17, Robert Schweikert a écrit :
Yes, the problem with people cross-posting, annoying.
Will already answered this question about 20
minutes prior to your post:
seems like some posts go to project and some others to factory correlate bugs found and fixed in KDE 4 with KDE
3 any more though. Some
do you mean kde3 and kde4 suffers same bugs? I got the image than kde3
and kde4 where completely different coding
jdd
--
Robert Schweikert MAY THE SOURCE BE WITH YOU
SUSE-IBM Software Integration Center LINUX
Tech Lead
rjschwei(a)suse.com
rschweik(a)ca.ibm.com
781-464-8147
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
1:45 p.m.
Le 25/10/2011 13:38, Robert Schweikert a écrit :
yes, this is obvious (for me, at least), but kde3 was pretty stable
and old code, so on 5 years old computer like the one is use right
now, it should be good.
I of course do not think using kde3 is the next glorious thing to do ,
but I see this pretty near to evergreen that was pretty well received
and if I didn't miss something need also a new maintainer.
but your last proposal (other mail), of letting such thing in a
special section is good (see factory list for people only within
project, I don't know when, but some posts are cross posted, but not all)
jdd
--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
do you mean
kde3 and kde4 suffers same bugs?
No it means that no one is tracking the existing security
vulnerabilities in KDE3 anymore because the majority of KDE developers
have moved on to the current version. 
5:11 p.m.
On Tuesday, October 25, 2011 11:58:29 jdd wrote:
is there a known list of major such security break in
kde3?
You can answer that one yourself, a good start are security fixes which never
made it into Qt3. To give you a headstart, I would not use SSL for anything
from Qt3 since the certificates it shipped have never been updated -- and
that's just a very recent one one can find without digging. There are so many
security-critical components in there, it's not even funny. I'd strongly
advise against using KDE3 nowadays, and would certainly not advertise it.
So yes, there are _real_ security problems when using KDE 3. It's basically
one big brown paperbag filled brown paper bags.
--
sebas
http://www.kde.org | http://vizZzion.org | GPG Key ID: 9119 0EF9
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
6:31 p.m.
Le 25/10/2011 17:11, Sebastian Kügler a écrit :
On Tuesday, October 25, 2011 11:58:29 jdd wrote:
if I ask, it's because I can't
a good start are security fixes which never
is there a known list of major such security
break in kde3?
You can answer that one yourself, made it into Qt3. To give you a headstart, I would not
use SSL for anything
from Qt3 since the certificates it shipped have never been updated
never since qt3 was released or since kde3 was dropped?
-- and
that's just a very recent one one can find without
digging. There are so many
security-critical components in there, it's not even funny. I'd strongly
advise against using KDE3 nowadays, and would certainly not advertise it.
So yes, there are _real_ security problems when using KDE 3. It's basically
one big brown paperbag filled brown paper bags.
do you have practical example of problems? If we should have problems
each time a certificate is obsolete, internet would be down for long
(may be it is :-) - this erros I have twice a day when surfing
jdd
--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
26 Oct
26 Oct
3:36 a.m.
On Tuesday, October 25, 2011 11:31:08 AM jdd wrote:
do you have practical example of problems?
Recently one certification authority (company) was removed from all browsers
that are still maintained. Reason for that is that they were tricked to issue
few fake certificates. KDE3 list is not updated so users are vulnerable.
--
Regards,
Rajko
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
8:53 a.m.
Le 26/10/2011 03:36, Rajko M. a écrit :
On Tuesday, October 25, 2011 11:31:08 AM jdd wrote:
but do you know of computer compromised by this? When I mean
practical, I mean real problem, not virtual ones. For example what the
fake certificates where used for?
I doubt every server is updated (in fact I know many are not). But I
would like to know if some (many?) linux (all distros) servers are
compromised.
Given Linux is claimed to be very secure, I'm pretty sure that news
papers would like to bash us if they could.
again it's not to say we don't have to update, only to try eveluating
the risk
thanks
jdd
--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
do you have practical example of problems?
Recently one certification authority (company) was removed from all browsers
that are still maintained. Reason for that is that they were tricked to issue
few fake certificates. KDE3 list is not updated so users are vulnerable.
9:05 a.m.
jdd wrote:
Le 26/10/2011 03:36, Rajko M. a écrit :
Well, you have to ask some affected Iranian. This list likely has
the wrong audience.
Anyways, in general no package must include it's own list of root CA
certificates but rather use the distro provided defaults. If you
find some package that includes it's own list please file a bug and
let the package maintainer fix it (CC security). Should be an easy
task.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
On Tuesday, October 25, 2011 11:31:08 AM jdd
wrote:
but do you know of computer compromised by this? When I mean
practical, I mean real problem, not virtual ones. For example what the
fake certificates where used for? do you have practical example of problems?
Recently one certification authority (company) was removed from all browsers
that are still maintained. Reason for that is that they were tricked to issue
few fake certificates. KDE3 list is not updated so users are vulnerable.
27 Oct
27 Oct
2:18 a.m.
On Wednesday, October 26, 2011 02:05:37 AM Ludwig Nussel wrote:
Anyways, in general no package must include it's
own list of root CA
certificates but rather use the distro provided defaults. If you
find some package that includes it's own list please file a bug and
let the package maintainer fix it (CC security). Should be an easy
task.
Is that valid for Mozilla products and Chromium?
--
Regards,
Rajko
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
8:43 a.m.
Rajko M. wrote:
On Wednesday, October 26, 2011 02:05:37 AM Ludwig
Nussel wrote:
It would be desirable, yes. The system list is Mozilla's anyways.
AFAIK Chromium uses NSS too so if NSS was able to read an external
source instead of only the compiled in(!) ones both browsers would
automatically use the system certs.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG
Nürnberg)
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
Anyways, in general no package must include
it's own list of root CA
certificates but rather use the distro provided defaults. If you
find some package that includes it's own list please file a bug and
let the package maintainer fix it (CC security). Should be an easy
task.
Is that valid for Mozilla products and Chromium? 
9:13 a.m.
Hi,
Am 27.10.2011 08:43, schrieb Ludwig Nussel:
Rajko M. wrote:
The root cert list which is used by Firefox (NSS) is a separate package
since quite some time.
Hygiea:~ # rpm -ql mozilla-nss-certs
/usr/lib64/libnssckbi.so
People who know how to do it can replace that package with another one
providing "mozilla-nss-certs".
The openSUSE NSS package (and the typical Mozilla apps) are (in theory)
fully prepared to work with custom certificate database on system (and
also user) level.
Currently all mozilla apps are using the same root certificate list but
it's also possible that all mozilla apps use the same database for
personal certs.
That feature is in an experimental stage since 2 or 3 years and never
left it because of missing testing/experience.
Wolfgang
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
On Wednesday, October 26, 2011 02:05:37 AM Ludwig
Nussel wrote:
It would be desirable, yes. The system list is Mozilla's anyways.
AFAIK Chromium uses NSS too so if NSS was able to read an external
source instead of only the compiled in(!) ones both browsers would
automatically use the system certs. Anyways, in general no package must include
it's own list of root CA
certificates but rather use the distro provided defaults. If you
find some package that includes it's own list please file a bug and
let the package maintainer fix it (CC security). Should be an easy
task.
Is that valid for Mozilla products and Chromium?
2:16 a.m.
On Wednesday, October 26, 2011 01:53:27 AM jdd wrote:
...
but do you know of computer compromised by this? When
I mean
practical, I mean real problem, not virtual ones. For example what the
fake certificates where used for?
To let man in the middle pretend it is a Google and few other, including Dutch
government. Company is DigiNotar and you can check Wikipedia for digest of
what happened.
...
jdd
--
Regards,
Rajko
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
11:42 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Content-ID: <alpine.LNX.2.00.1110271127150.5264(a)Telcontar.valinor>
On Wednesday, 2011-10-26 at 08:53 +0200, jdd wrote:
No, that's a real danger. They faked certificates from several important
companies - I don't remember the details, but you can google it, or in /.
I don't remember right now the name of the company, my bad. An European
government had to put out of service his entire Internet eGov structure
for a while, IIRC.
The danger is for any non-upated browser on any OS.
I don't know if our KDE3 was updated for this one.
- --
Cheers,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
Le 26/10/2011 03:36, Rajko M. a écrit :
Recently one
certification authority (company) was removed from all
browsers that are still maintained. Reason for that is that they were
tricked to issue few fake certificates. KDE3 list is not updated so
users are vulnerable.
but do you know of computer compromised by this? When I mean practical, I
mean real problem, not virtual ones. For example what the fake certificates
where used for? -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
iEYEARECAAYFAk6pJ5gACgkQtTMYHG2NR9W3XwCfQMA0zv3/ySivCut7OBcE2fnT
2ysAn3s3RRNBQ9diIwQF/PCH4d1ito/m
=UAmN
-----END PGP SIGNATURE-----
12:29 p.m.
Le 27/10/2011 11:42, Carlos E. R. a écrit :
The danger is for any non-upated browser on any OS.
I don't know if our KDE3 was updated for this one.
better not use konkeror then for going out of the computer
jdd
--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
4:51 p.m.
The Testing Core Team discussed the issue of setting the default boot method and
how one might switch between SystemV and systemd. Would it be possible to
include some language in the release notes that tell what one needs to do? If
the default is systemd and it fails for a given machine, it is a real pain to
need to use the F5 method every time. I know that adding "init=/sbin/sysvinit"
to the boot options line will use SystemV, but something about the "approved"
method should be included.
Thanks,
Larry
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
10:53 p.m.
Le jeudi 27 octobre 2011, à 09:51 -0500, Larry Finger a écrit :
The Testing Core Team discussed the issue of setting
the default
boot method and how one might switch between SystemV and systemd.
Would it be possible to include some language in the release notes
that tell what one needs to do? If the default is systemd and it
fails for a given machine, it is a real pain to need to use the F5
method every time. I know that adding "init=/sbin/sysvinit" to the
boot options line will use SystemV, but something about the
"approved" method should be included.
To get something mentioned in the release notes, please file a bug
against the release notes component in openSUSE 12.1. But you'll likely
need to have the text first, so someone would need to answer your
question (it might be that removing the systemd-sysvinit package is all
you need)
Cheers,
Vincent
--
Les gens heureux ne sont pas pressés.
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
28 Oct
28 Oct
4:52 p.m.
On 10/27/2011 03:53 PM, Vincent Untz wrote:
To get something mentioned in the release notes, please file a bug
against the release notes component in openSUSE 12.1. But you'll likely
need to have the text first, so someone would need to answer your
question (it might be that removing the systemd-sysvinit package is all
you need)
I did a bit of testing. Trying to switch from systemv to systemd by removing
systemd-sysvinit might work, but removing the systemd package to go the other
way gets into a lot of dependency warnings.
The following commands work, but may not be optimal:
To select systemv as default, run the following (as root):
rm /sbin/init
ln -s /sbin/sysvinit /sbin/init
To select systemd as default, run the following:
rm /sbin/init
ln -s /bin/systemd /sbin/init
Should this kind of change be possible through a YaST GUI, or as a pair of scripts?
Larry
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
25 Oct
25 Oct
11:56 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2011-10-25 11:27, Pascal Bleser wrote:
That boldly advertised great new feature of 12.1 will
explode in
our face. Well, not your face, you won't have to maintain the
code base.
Can't you (plural) come with a phrase that somehow advertises that KDE3 is
somehow still available here, without implying that it has the same level
of maintenance that KDE4 has? A compromise?
It is a fact that there are people still using or wanting to use KDE3. Why
not tell them? Sure, not at the same level as KDE4, that's obvious.
- --
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 "Celadon" at Telcontar)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iEYEARECAAYFAk6mh7EACgkQtTMYHG2NR9U2yQCghJ4WOls3XEEIr9ULznLWU4rQ
Tb8An3yQ+nVXPcPRNmHcAJZg/7qiwS0r
=yUJ1
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
3:19 p.m.
Pascal Bleser wrote:
On 2011-10-25 10:57:48 (+0200), jdd
<jdd(a)dodin.org> wrote:
The biggest security risk is usually sat in front of the screen.
Regardless, it is difficult to accept that the security flaws in KDE3
should have increased since KDE4 was introduced.
--
Per Jessen, Zürich (11.4°C)
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
Le 25/10/2011 10:33, Matt Gray a écrit :
Yes. Cmon, if Will says so, it's yes. How much C++ coding in Qt3
and KDE3 have you done to question his opinion on this ?
Thought so, so it's "yes".
There are lots and lots of places in the code base that are
potentially subject to security issues. It is a fine thing that opensuse is flexible thing
interested in
accommodating the needs of many, but marketing what is demonstrably
the past will not help opensuse grow, and will distract potential
users from the real innovations contained therein.
I don't agree.
I can perfectly accept the security reasons, but is kde so exposed
to security risks (apart may be konkeror)? 
3:37 p.m.
Please open up a new thread for kde3. Its deviated too much from the
topic / subject
On Tue, Oct 25, 2011 at 6:49 PM, Per Jessen <per(a)opensuse.org> wrote:
Pascal Bleser wrote:
--
Regards
Manu Gupta
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
On 2011-10-25 10:57:48 (+0200), jdd
<jdd(a)dodin.org> wrote:
The biggest security risk is usually sat in front of the screen.
Regardless, it is difficult to accept that the security flaws in KDE3
should have increased since KDE4 was introduced.
--
Per Jessen, Zürich (11.4°C)
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
Le 25/10/2011 10:33, Matt Gray a écrit :
Yes. Cmon, if Will says so, it's yes. How much C++ coding in Qt3
and KDE3 have you done to question his opinion on this ?
Thought so, so it's "yes".
There are lots and lots of places in the code base that are
potentially subject to security issues. It is a fine thing that opensuse is flexible thing
interested in
accommodating the needs of many, but marketing what is demonstrably
the past will not help opensuse grow, and will distract potential
users from the real innovations contained therein.
I don't agree.
I can perfectly accept the security reasons, but is kde so exposed
to security risks (apart may be konkeror)?
5:56 p.m.
Le 25/10/2011 15:37, Manu Gupta a écrit :
Please open up a new thread for kde3. Its deviated too
much from the
topic / subject
manu, the true problem is what shall we include in release notes. Have
we to include kde3 or not?
and I don't know at all why this discussion ends up on -project
jdd
--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
5:54 p.m.
Le 25/10/2011 15:19, Per Jessen a écrit :
The biggest security risk is usually sat in front of
the screen.
Regardless, it is difficult to accept that the security flaws in KDE3
should have increased since KDE4 was introduced.
thnak you for help :-). However, I try to be fair, and it's possible
that big holes be discovered recently, or happen with new hardware.
kde3 maintainers that want to continue should at least quote these (if
any).
I keep thinking that having such group (kde3 maintainer) is a plus for
openSUSE, whatever risk it gives. I'm not so sure that the risk of
having new software is not present also and we have to live with it.
as we have to use metaphors, some use cars, let me use sail boats. I
used to sail. I like to read wreck comments, let alone to see what was
wrong and what can be done to prevent them.
I wouls like to read stories of people having they server highjacked
through a security hole or by kde3 security problem. I certainly wont
run kde3 on any critical system, but if we should remove all the
softaware nobody should run on a critical system, we would not even
have internet...
jdd
NB: I have *lot* of such tales for windows machines :-))
--
http://www.dodin.net
http://pizzanetti.fr
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
6:03 p.m.
On Tue, Oct 25, 2011 at 05:54:27PM +0200, jdd wrote:
Le 25/10/2011 15:19, Per Jessen a écrit :
Are there actually more developers than just Ilya?
Ciao, Marcus
--
To unsubscribe, e-mail: opensuse-project+unsubscribe(a)opensuse.org
To contact the owner, email: opensuse-project+owner(a)opensuse.org
The biggest security risk is usually sat in front
of the screen.
Regardless, it is difficult to accept that the security flaws in KDE3
should have increased since KDE4 was introduced.
thnak you for help :-). However, I try to be fair, and it's possible
that big holes be discovered recently, or happen with new hardware.
kde3 maintainers that want to continue should at least quote these (if
any).
I keep thinking that having such group (kde3 maintainer) is a plus for
openSUSE, whatever risk it gives. I'm not so sure that the risk of
having new software is not present also and we have to live with it.
as we have to use metaphors, some use cars, let me use sail boats. I
used to sail. I like to read wreck comments, let alone to see what was
wrong and what can be done to prevent them.
I wouls like to read stories of people having they server highjacked
through a security hole or by kde3 security problem. I certainly wont
run kde3 on any critical system, but if we should remove all the
softaware nobody should run on a critical system, we would not even
have internet...
3370
days inactive
3374
days old
37 comments
18 participants
participants (18)
-
Carlos E. R. -
jdd -
Kai-Uwe Behrmann -
Larry Finger -
Ludwig Nussel -
Manu Gupta -
Marcus Meissner -
Matt Gray -
Pascal Bleser -
Per Jessen -
Rajko M. -
Robert Schweikert -
Sebastian Kügler -
Sven Burmeister -
Vincent Untz -
Volker Kuhlmann -
Will Stephenson -
Wolfgang Rosenauer