Bug 227683 - KDE ignores the "disabled bit" in xscreensaver's application defaults file for disabled screensavers.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kdeartwork-extras
Version: 6
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-02-07 10:42 EST by Frank W. Ball
Modified: 2007-11-30 17:11 EST
Fixed In Version: 3.5.7-2.fc7
Doc Type: Bug Fix
Last Closed: 2007-07-16 12:57:04 EDT


Description Frank W. Ball 2007-02-07 10:42:35 EST
Having the KDE screensaver setting as random and the xscreensaver-extras package
installed causes inappropriate content to be downloaded and displayed. This is
caused by the webcollage screensaver.

This (webcollage) screen saver should be packaged separately and have a clear
indication of the ramifications of installing the package.

I use Fedora at work and at home and have it installed on my children's machines
as well. A program as dangerous as web collage should not be hidden inside a
seemingly innocuous package as xscreensaver-extras.
Comment 1 Jamie Zawinski 2007-02-07 14:55:40 EST
This is not a bug in xscreensaver, it is a bug in KDE-screensaver.

To the user: you can solve this problem by using xscreensaver instead of KDE-screensaver.

To the developers:

xscreensaver already has a mechanism for having certain savers to be disabled by default even in 
random mode.  It's not necessary to *uninstall* them for them to be off by default.  When you people 
decided to re-invent the wheel by writing KDE-screensaver from scratch, rather than doing the rational 
thing and submitting patches to make improvements to xscreensaver in the areas you thought were 
lacking, you also chose to re-invent all of the bugs that had already been fixed in xscreensaver for 
*more than a decade*.

So, you know, good luck with that.
Comment 2 Frank W. Ball 2007-02-07 15:07:58 EST
I am aware of the politics on this issue and that a bug was previously submitted
but never fixed. 

The point of the matter is that it should not have been possible for me to
unknowingly install a program that randomly downloads inappropriate content.

Disabled or not, I don't want that kind of code on my system or my children's system.
Comment 3 Jamie Zawinski 2007-02-07 15:24:51 EST
Then you should submit a bug report against KDE-screensaver, as that is what you are running, and that 
is where the bug lies.

FWIW, webcollage can also be configured to only load images from a pictures directory on your local disk.
Comment 4 Frank W. Ball 2007-02-07 15:53:21 EST
Bug or not, that kind of code should not be part of a mainstream distribution or
at the very least be installable completely separately from other packages.
There is too much dangerous content on the Internet today to have something like
this accidentally running.

I am aware webcollage can be configured for a local directory. The problem is
that I was unaware this program was even installed on my system until it started
displaying pornographic images on my screen at work.

I have removed xscreensaver from my system so it will no longer be an issue for
me but it disturbs me greatly that this bug was known about since at least FC3
and RedHat chose to ignore it. Being a long time RedHat user and proponent I
feel really let down.
Comment 5 Ray Strode [halfline] 2007-02-07 16:32:22 EST
Note, we removed webcollage some time ago (FC4?) (except for webcollage-helper
which Jamie requested we leave in to make it easier for users to bring back
webcollage if they wanted).  It may have come back since xscreensaver was moved
to extras, I'm not sure..

Anyway, retitling and reassigning.
Comment 6 Mamoru TASAKA 2007-02-08 09:19:50 EST
Well, first I write a bit of story...

* At the age xscreensaver was in Core package (<= FC5), webcollage
  was removed.
* From FE-6 and so on I took over the maintainership and moved
  xscreensaver to Fedora Extras.
* At the time Jamie and I discussed and concluded that we should
  _not_ remove webcollage any longer because:
  - xscreensaver daemon surely handles webcollage correctly as well
    as other hacks.
  - if another screensaver daemon (such as kscreensaver) cannot
    handle screen hack choice, then that screensaver daemon
    should be fixed and this is not due to webcollage (sorry, I
    use xscreensaver and I don't know other screensaver daemons
    well)

So:
- On the age <=FC5, this issue was not present, perhaps. So
(In reply to comment #4)
> this bug was known about since at least FC3
> and RedHat chose to ignore it. 
  is wrong.
- From >=FC6, this problem may happen, if kscreensaver cannot handle
  hack choice by user correctly.

Then:
- Can kscreensaver handle hack choice by user?
- From 5.00 webcollage has the option '-directory',
  which uses the local image file and use no net connection. So
  even if kscreensaver cannot, fixing kdeartwork-extras should
  resolve this issue (perhaps??? I am not a KDE user..)

  Adding Rex to CC list.
Comment 7 Frank W. Ball 2007-02-08 09:48:06 EST
My apologies about the comment on RedHat ignoring it. The bug I saw closed
without being fixed. 

Forgetting about the KDE screensaver bug for a minute, this piece of code
(webcollage) is just too dangerous to have buried inside the xscreensaver package
where the unsuspecting user could run it not knowing what it really does and
what kind of trouble they could get into by running it.

IMHO, it's basically playing Russian Roulette with web images. Maybe that sounds
a bit drastic but there are many images out on the Internet that could get you
fired or land you in jail.
Comment 8 Mamoru TASAKA 2007-02-08 10:03:18 EST
(In reply to comment #7)
> Forgetting about the KDE screensaver bug for a minute, this piece of code
> (webcollage) is just too dangerous to have buried inside the xscreensaver
> package where the unsuspecting user could run it not knowing what it really
> does and what kind of trouble they could get into by running it.

Note:
- For xscreensaver webcollage is _disabled_ by default.
- Even if webcollage is enabled by the user when using xscreensaver,
  currently (on Fedora) webcollage is changed so that it uses
  no net connection.
Comment 9 Mamoru TASAKA 2007-02-08 10:06:18 EST
One more note:
- Even when webcollage is used by gnome-screensaver, I changed
  webcollage desktop so that webcollage uses no net connection by
  default (see changes on xscreensaver 5.01-4)
Comment 10 Rex Dieter 2007-02-08 10:09:40 EST
> I changed webcollage desktop so that webcollage uses no net connection by
> default (see changes on xscreensaver 5.01-4)

How exactly?  I assume the implication here is that kde's use of it isn't
following/using that "no-network" configuration?
Comment 11 Frank W. Ball 2007-02-08 10:12:42 EST
I didn't configure webcollage to use a net connection, either it came this way
or the KDE bug caused it to use a net connection.
Comment 12 Mamoru TASAKA 2007-02-08 10:19:37 EST
(In reply to comment #10)
> > I changed webcollage desktop so that webcollage uses no net connection by
> > default (see changes on xscreensaver 5.01-4)
> 
> How exactly?  I assume the implication here is that kde's use of it isn't
> following/using that "no-network" configuration?

On xscreensaver, webcollage default is:
-------------------------------------------
- default-n:   webcollage -root                              \
            -directory /usr/share/backgrounds/images/      \n\
-------------------------------------------
On gnome-screensaver, xscreensaver-webcollage.desktop has
-------------------------------------------
Exec=webcollage -root -directory /usr/share/backgrounds/images
-------------------------------------------
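
Added example, not part of the bug report and not xscreensaver or KDE code: a Python check that parses the `programs` entry format quoted in comment 12, shows how the random-mode pool changes when the leading `-` (the disabled bit) is ignored, and reports whether each webcollage command line carries `-directory`. The maze and vidwhacker entries, the second `Exec=` line and all function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample in the style of the "programs" entry quoted in comment 12;
# the maze and vidwhacker lines are illustrative additions.
SAMPLE_PROGRAMS = r"""
                maze -root                                  \n\
- default-n:    webcollage -root                              \
            -directory /usr/share/backgrounds/images/      \n\
- default-n:    vidwhacker -root                            \n\
"""
# Exec lines: the first is from comment 12, the second is constructed.
SAMPLE_EXEC = ["Exec=webcollage -root -directory /usr/share/backgrounds/images",
               "Exec=webcollage -root"]

# Optional leading "-" (disabled), optional "visual:" prefix, then the command.
ENTRY = re.compile(r"^(?P<off>-)?\s*(?:(?P<visual>[\w-]+):\s+)?(?P<cmd>.+)$")

def parse_programs(text):
    """Split a programs resource into entries, keeping each disabled bit."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)   # join backslash-newline continuations
    entries = []
    for raw in joined.split("\\n"):             # a literal \n ends each entry
        m = ENTRY.match(raw.strip())
        if m:
            entries.append({"disabled": m["off"] is not None,
                            "argv": shlex.split(m["cmd"])})
    return entries

def random_pool(entries, honor_disabled=True):
    """Hacks eligible in random mode; False models ignoring the disabled bit."""
    return [e["argv"][0] for e in entries if not (honor_disabled and e["disabled"])]

def local_only(argv):
    """True when a webcollage command line passes -directory with a path."""
    return "-directory" in argv[:-1]

def audit(programs_text, exec_lines):
    """Return (source, disabled, local_only) for every webcollage entry."""
    found = [("programs", e["disabled"], local_only(e["argv"]))
             for e in parse_programs(programs_text) if e["argv"][0] == "webcollage"]
    for line in exec_lines:
        argv = shlex.split(line.split("=", 1)[1])
        if argv and argv[0] == "webcollage":     # Exec= carries no disabled bit
            found.append(("desktop", False, local_only(argv)))
    return found

if __name__ == "__main__":
    print(audit(SAMPLE_PROGRAMS, SAMPLE_EXEC))
```

An entry that is reported as not disabled and not local-only is the combination described in this bug: it can be picked in random mode and will fetch images from the network.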
Comment 13 Frank W. Ball 2007-02-08 10:29:20 EST
Whether a KDE bug caused this issue or not isn't really my issue.

My issue is that it should not have been possible for this to happen, even by
accident. Really, it's only a perl script, a user could just run it to see what
it does and by the time they find out the damage may have been done.

The only acceptable solution in my mind is to remove this piece of code from the
packages. If a user really wants to run it let them download and install it
outside of the repositories.
Comment 14 Ngo Than 2007-02-08 12:16:08 EST
Rex, you should probably add the option -directory
/usr/share/backgrounds/images/ to the desktop files, or just get rid of it.
Comment 15 Rex Dieter 2007-02-08 12:26:36 EST
Re: comment #14
Agreed.
Comment 16 Rex Dieter 2007-07-13 14:32:07 EDT
Sorry for the delay, finally got round-tuit:
%changelog
* Fri Jul 13 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 3.5.7-2
- webcollagerc: [directory] /usr/share/backgrounds/images/ (#227683)

* Mon Jun 11 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 3.5.7-1
- 3.5.7


Dunno about the general feature request wrt kde ignoring xscreensaver's
"disabled bit", that's something best taken upstream.
Comment 17 Fedora Update System 2007-07-16 12:56:53 EDT
kdeartwork-3.5.7-2.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
