[Kommander-devel] Kommander is insecure?

Eric Laffoon eric at kdewebdev.org
Thu Aug 31 11:37:36 EDT 2006


On Thursday 31 August 2006 3:27 am, Andras Mantia wrote:
> On Thursday 31 August 2006 13:31, Michal Rudolf wrote:
> > Andras Mantia, Thursday, 31 August 2006 12:12:
> > > You should read https://bugzilla.novell.com/show_bug.cgi?id=196195
> > > and start to discuss with the KDE security experts how to solve
> > > this problem.
> >
> > I didn't see any up-to-date security problem listed, just "being a
> > nightmare" isn't exactly a bug report.
> >
> > It looks rather like one of those fruitless *.advocacy discussions to
> > me, but let's hear Eric's opinion.
>
> Well, if we want in kdebase we must convince Coolo and Dirk that it is
> safe. So we should start a discussion with them.
>
> Andras

This is one thing that really irritates me as it's not the first of such 
comments coming from people I greatly respect in KDE. There are two things 
brought up here. One is the fact that we had a security issue, which we 
addressed and fixed. The other is that they don't see why people would use 
it... How strange that developers see something outside the box that empowers 
users and miss the impact as they already have this power as a developer. 

In other words the root problem here is prejudice. They have opinions based on 
insufficient data, and you are both right. The answer is education and 
coordination. In point of fact Quanta faces just as many security issues with 
its use of KActions and executing scripts as well as KNewStuff, which we 
addressed security issues in. Maybe if we open a dialog we can get them some 
relevant information other than "it had a security bug a year ago". I would 
really like to not just have the executor available by default, but actually 
win over these guys to more than a grudging acceptance of Kommander if 
possible.

Also the KMail and location issue is a red herring. We did not know what KMail 
did to manage security for programs it knows about and our answer was to 
address things as best we could according to how we saw KMail operate. It 
would be much better if KMail were on top of Kommander issues too. In fact if 
kmdr-executor were in kdebase we would have all of KDE coordinating with us 
to help us ensure the best security. However our work on KNewStuff ought to 
show we know how to do security.

BTW last I checked there are 67 apps at kde-apps.org in the Kommander category 
and apps like Katiuska are not included. ;-)

I think I may answer on the bug and also send Coolo and Dirk an email. I'm 
also thinking I ought to do a welcome to Kommander introduction and best 
practices tutorial and post it on the dot. Andras, how do you see us best 
addressing this?
-- 
Eric Laffoon
Project Lead - kdewebdev module

