Red Hat Bugzilla – Bug 227683
KDE ignores the "disabled bit" in xscreensaver's application defaults file for disabled screensavers.
Last modified: 2007-11-30 17:11:56 EST
Having the KDE screensaver setting as random and the xscreensaver-extras package
installed causes inappropriate content to be downloaded and displayed. This is
caused by the webcollage screensaver.
This (webcollage) screen saver should be packaged separately and have a clear
indication of the ramifications of installing the package.
I use Fedora at work and at home and have it installed on my children's machines
as well. A program as dangerous as web collage should not be hidden inside a
seemingly innocuous package as xscreensaver-extras.
This is not a bug in xscreensaver, it is a bug in KDE-screensaver.
To the user: you can solve this problem by using xscreensaver instead of KDE-screensaver.
To the developers:
xscreensaver already has a mechanism for having certain savers to be disabled by default even in
random mode. It's not necessary to *uninstall* them for them to be off by default. When you people
decided to re-invent the wheel by writing KDE-screensaver from scratch, rather than doing the rational
thing and submitting patches to make improvements to xscreensaver in the areas you thought were
lacking, you also chose to re-invent all of the bugs that had already been fixed in xscreensaver for
*more than a decade*.
So, you know, good luck with that.
I am aware of the politics on this issue and that a bug was previously submitted
but never fixed.
The point of the matter is that it should not have been possible for me to
unknowingly install a program that randomly downloads inappropriate content.
Disabled or not, I don't want that kind of code on my system or my children's system.
Then you should submit a bug report against KDE-screensaver, as that is what you are running, and that
is where the bug lies.
FWIW, webcollage can also be configured to only load images from a pictures directory on your local disk.
Bug or not, that kind of code should not be part of a mainstream distribution or
at the very least be installable completely separately from other packages.
There is too much dangerous content on the Internet today to have something like
this accidentally running.
I am aware webcollage can be configured for a local directory. The problem is
that I was unaware this program was even installed on my system until it started
displaying pornographic images on my screen at work.
I have removed xscreensaver from my system so it will no longer be an issue for
me but it disturbs me greatly that this bug was known about since at least FC3
and RedHat chose to ignore it. Being a long time RedHat user and proponent I
feel really let down.
Note, we removed webcollage some time ago (FC4?) (except for webcollage-helper
which Jamie requested we leave in to make it easier for users to bring back
webcollage if they wanted). It may have come back since xscreensaver was moved
to extras, I'm not sure..
Anyway, retitling and reassigning.
Well, first I write a bit of story...
* At the age xscreensaver was in Core package (<= FC5), webcollage
* From FE-6 and so on I took over the maintainership and moved
xscreensaver to Fedora Extras.
* At the time Jamie and I discussed and concluded that we should
_not_ remove webcollage any longer because:
- the xscreensaver daemon surely handles webcollage correctly as well
as other hacks.
- if another screensaver daemon (such as kscreensaver) cannot
handle screen hack choice, then the other screensaver daemon
should be fixed, and this is not due to webcollage (sorry, I
use xscreensaver and I don't know other screensaver daemons well)
- On the age <=FC5, this issue was not present, perhaps. So
(In reply to comment #4)
> this bug was known about since at least FC3
> and RedHat chose to ignore it.
- From >=FC6, this problem may happen, if kscreensaver cannot handle
hack choice by user correctly.
- Can kscreensaver handle hack choice by user?
- From 5.00 webcollage has the option '-directory',
which uses the local image files and uses no net connection. So
even if kscreensaver cannot, fixing kdeartwork-extras should
resolve this issue (perhaps??? I am not a KDE user..)
Adding Rex to CC list.
My apologies about the comment on RedHat ignoring it. The bug I saw was closed
without being fixed.
Forgetting about the KDE screensaver bug for a minute, this piece of code
(webcollage) is just too dangerous to have buried inside the xscreensaver package
where the unsuspecting user could run it not knowing what it really does and
what kind of trouble they could get into by running it.
IMHO, it's basically playing Russian Roulette with web images. Maybe that sounds
a bit drastic but there are many images out on the Internet that could get you
fired or land you in jail.
(In reply to comment #7)
> Forgetting about the KDE screensaver bug for a minute, this piece of code
> (webcollage) is just too dangerous to have buried inside the xscreensaver package
> where the unsuspecting user could run it not knowing what it really does and
> what kind of trouble they could get into by running it.
- For xscreensaver webcollage is _disabled_ by default.
- Even if webcollage is enabled by the user when using xscreensaver,
currently (in Fedora) webcollage is changed so that webcollage uses
no net connection.
One more note:
- Even when webcollage is used by gnome-screensaver, I changed
webcollage desktop so that webcollage uses no net connection by
default (see changes on xscreensaver 5.01-4)
> I changed webcollage desktop so that webcollage uses no net connection by
> default (see changes on xscreensaver 5.01-4)
How exactly? I assume the implication here is that kde's use of it isn't
following/using that "no-network" configuration?
I didn't configure webcollage to use a net connection, either it came this way
or the KDE bug caused it to use a net connection.
(In reply to comment #10)
> > I changed webcollage desktop so that webcollage uses no net connection by
> > default (see changes on xscreensaver 5.01-4)
> How exactly? I assume the implication here is that kde's use of it isn't
> following/using that "no-network" configuration?
On xscreensaver, webcollage default is:
- default-n: webcollage -root \
-directory /usr/share/backgrounds/images/ \n\
On gnome-screensaver, xscreensaver-webcollage.desktop has
Exec=webcollage -root -directory /usr/share/backgrounds/images
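Added example (not code from xscreensaver, KDE, or any commenter in this report): a Python sketch of what honoring versus ignoring the leading "-" disabled marker means for a random-mode picker, and how the -directory option changes the outcome. The sample resource text, the hack names other than webcollage, and all function names are constructed for illustration; the entry grammar (leading "-", optional "visual:" prefix, a literal \n ending each entry) is assumed from the entry quoted above.

```python
import re
import shlex
from typing import List, NamedTuple, Optional

# Constructed sample of a "programs" resource; not copied from a real file.
DISABLED_ONLY = r"""*programs:                       \
                maze -root                        \n\
  GL:           gears -root                       \n\
- default-n:    webcollage -root                  \n\
"""
# Same list with the -directory option quoted in this report added.
WITH_DIRECTORY = DISABLED_ONLY.replace(
    "webcollage -root", "webcollage -root -directory /usr/share/backgrounds/images/")

class Hack(NamedTuple):
    enabled: bool            # False when the entry starts with "-"
    visual: Optional[str]    # e.g. "default-n" or "GL", if present
    argv: List[str]

# optional "-" (disabled bit), optional "visual:", then the command line
ENTRY = re.compile(r"^(-)?\s*(?:([\w-]+):\s*)?(\S.*)$")

def parse_programs(ad_text: str) -> List[Hack]:
    body = ad_text.split("programs:", 1)[1]
    body = body.replace("\\\n", "")        # backslash-newline continues a line
    hacks = []
    for entry in body.split("\\n"):        # a literal \n ends each entry
        m = ENTRY.match(entry.strip())
        if m:
            hacks.append(Hack(m.group(1) is None, m.group(2),
                              shlex.split(m.group(3))))
    return hacks

def random_pool(hacks: List[Hack], honor_disabled_bit: bool) -> List[Hack]:
    """Entries a random-mode picker may choose from under each policy."""
    return [h for h in hacks if h.enabled or not honor_disabled_bit]

def may_fetch_from_web(hack: Hack) -> bool:
    # Per this report, -directory makes webcollage use local images only.
    return hack.argv[0] == "webcollage" and "-directory" not in hack.argv

def exposed(ad_text: str, honor_disabled_bit: bool) -> List[str]:
    pool = random_pool(parse_programs(ad_text), honor_disabled_bit)
    return [" ".join(h.argv) for h in pool if may_fetch_from_web(h)]

if __name__ == "__main__":
    for label, text in (("disabled only", DISABLED_ONLY),
                        ("with -directory", WITH_DIRECTORY)):
        for honor in (True, False):
            print(label, "honor_disabled_bit =", honor, "->", exposed(text, honor))
```

A picker that ignores the marker exposes the network-fetching entry; with -directory in the default command line, nothing is exposed under either policy.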
Whether a KDE bug caused this issue or not isn't really my issue.
My issue is that it should not have been possible for this to happen, even by
accident. Really, it's only a perl script, a user could just run it to see what
it does and by the time they find out the damage may have been done.
The only acceptable solution in my mind is to remove this piece of code from the
packages. If a user really wants to run it let them download and install it
outside of the repositories.
Rex, you should probably add the option -directory
/usr/share/backgrounds/images/ to the desktop files, or just get rid of it
Re: comment #14
Sorry for the delay, finally got round-tuit:
* Fri Jul 13 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 3.5.7-2
- webcollagerc: [directory] /usr/share/backgrounds/images/ (#227683)
* Mon Jun 11 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 3.5.7-1
Dunno about the general feature request wrt kde ignoring xscreensaver's
"disabled bit", that's something best taken upstream.
kdeartwork-3.5.7-2.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.