Having the KDE screensaver setting as random and the xscreensaver-extras package installed causes inappropriate content to be downloaded and displayed. This is caused by the webcollage screensaver. This (webcollage) screen saver should be packaged separately and have a clear indication of the ramifications of installing the package. I use Fedora at work and at home and have it installed on my childrens machines as well. A program as dangerous as web collage should not be hidden inside a seemingly innocuous package as xscreensaver-extras.
This is not a bug in xscreensaver, it is a bug in KDE-screensaver. To the user: you can solve this problem by using xscreensaver instead of KDE-screensaver. To the developers: xscreensaver already has a mechanism for having certain savers to be disabled by default even in random mode. It's not necessary to *uninstall* them for them to be off by default. When you people decided to re-invent the wheel by writing KDE-screensaver from scratch, rather than doing the rational thing and submitting patches to make improvements to xscreensaver in the areas you thought were lacking, you also chose to re-invent all of the bugs that had already been fixed in xscreensaver for *more than a decade*. So, you know, good luck with that.
I am aware of the politics on this issue and that a bug was previously submitted but never fixed. The point of the matter is that it should not have been possible for me to unknowningly install a program that randomly downloads inappropriate content. Disabled or not, I don't want that kind of code on my system or my childrens system.
Then you should submit a bug report against KDE-screensaver, as that is what you are running, and that is where the bug lies. FWIW, webcollage can also be configured to only load images from a pictures directory on your local disk.
Bug or not, that kind of code should not be part of a mainstream distribution or at the very least be installable completely separately from other packages. There is too much dangerous content on the Internet today to have something like this accidentally running. I am aware webcollage can be configured for a local directory. The problem is that I was unaware this program was even installed on my system until it started displaying pornographic images on my screen at work. I have removed xscreensaver from my system so it will no longer be an issue for me but it disturbs me greatly that this bug was known about since at least FC3 and RedHat chose to ignore it. Being a long time RedHat user and proponent I feel really let down.
Note, we removed webcollage some time ago (FC4?) (except for webcollage-helper which Jamie requested we leave in to make it easier for users to bring back webcollage if they wanted). It may have come back since xscreensaver was moved to extras, I'm not sure.. Anyway, retitling and reassigning.
Well, first I write a bit of story... * At the age xscreensaver was in Core package (<= FC5), webcollage was removed. * From FE-6 and so on I took over the maintainership and moved xscreensaver to Fedora Extras. * At the time Jamie and me discussed and concluded that we should _not_ remove webcollage any longer because: - xscreensaver daemon surely handle webcollage correctly as well as other hacks. - if other screensaver daemon (such as kscreensaver) cannot handle screen hack choice, so the other screensaver daemon should be fixed and this is not due to webcollage (sorry I use xscreensaver and I don't know other screensaver daemon) don't know well other than xscreensaver So: - On the age <=FC5, this issue was not present, perhaps. So (In reply to comment #4) > this bug was known about since at least FC3 > and RedHat chose to ignore it. is wrong. - From >=FC6, this problem may happen, if kscreensaver cannot handle hack choice by user correctly. Then: - Can kscreensaver handle hack choice by user? - From 5.00 webcollage has the option '-directory', which uses the local image file and use no net connection. So even if kscreensaver cannot, fixing kdeartwork-extras should resolve this issue (perhaps??? I am not a KDE user..) Adding Rex to CC list.
My apologies about the comment on RedHat ignoring it. The bug I saw closed without being fixed. Forgetting about the KDE screensaver bug for a minute, this piece of code (webcollage) is just to dangerous to have buried inside the xscreensaver package where the unsuspecting user could run it not knowing what it really does and what kind of trouble they could get into by running it. IMHO, it's basically playing Russian Roulette with web images. Maybe that sounds a bit drastic but there are many images out on the Internet that could get you fired or land you in jail.
(In reply to comment #7) > > Forgetting about the KDE screensaver bug for a minute, this piece of code > (webcollage) is just to dangerous to have buried inside the xscreensaver > package > where the unsuspecting user could run it not knowing what it really does and > what kind of trouble they could get into by running it. Note: - For xscreensaver webcollage is _disabled_ by default. - Even webcollage is enabled by user on using xscreensaver, currently (fedora) webcollage is changed so that webcollage uses no net connection.
One more note: - Even when webcollage is used by gnome-screensaver, I changed webcollage desktop so that webcollage uses no net connection by default (see changes on xscreensaver 5.01-4)
> I changed webcollage desktop so that webcollage uses no net connection by > default (see changes on xscreensaver 5.01-4) How exactly? I assume the implication here is that kde's use of it isn't following/using that "no-network" configuration?
I didn't configure webcollage to use a net connection, either it came this way or the KDE bug caused it to use a net connection.
(In reply to comment #10) > > I changed webcollage desktop so that webcollage uses no net connection by > > default (see changes on xscreensaver 5.01-4) > > How exactly? I assume the implication here is that kde's use of it isn't > following/using that "no-network" configuration? On xscreensaver, webcollage default is: ------------------------------------------- - default-n: webcollage -root \ -directory /usr/share/backgrounds/images/ \n\ ------------------------------------------- On gnome-screensaver, xscreensaver-webcollage.desktop has ------------------------------------------- Exec=webcollage -root -directory /usr/share/backgrounds/images -------------------------------------------
Whether a KDE bug caused this issue or not isn't really my issue. My issue is that it should not have been possible for this to happen, even by accident. Really, it's only a perl script, a user could just run it to see what it does and by the time they find out the damage may have been done. The only acceptable solution in my mind is to remove this piece of code from the packages. If a user really wants to run it let them download and install it outside of the repositories.
Rex, you should probably add the option -directory /usr/share/backgrounds/images/ desktop files, or just get rid of it
Re: comment #14 Agreed.
Sorry for the delay, finally got round-tuit: %changelog * Fri Jul 13 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 3.5.7-2 - webcollagerc: [directory] /usr/share/backgrounds/images/ (#227683) * Mon Jun 11 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 3.5.7-1 - 3.5.7 Dunno about the general feature request wrt kde ignoring xscreensavers' "disabled bit", that's something best taken upstream.
kdeartwork-3.5.7-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.