
Debian XScreenSaver package maintainer responds - ashitlerferad
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819703#425
======
click170
It's OK to have your own definition of what 'stable' software is. For some
folks, its what's on the master branch of the repo, for others its software
that's been tested for years by a large community already.

Debian has a specific documented process of how their stable releases are
produced, and though that can cause problems for some developers because they
get bug reports for old versions, that specific documented process is part of
what makes Debian special to me.

I sympathize with devs for having to put up with those bug reports, but
putting messages into the software _to specifically goad the OS package
maintainers_ is just poor form. Surely there's a better way to have handled
that.

~~~
rossy
I feel like it's possible to be wrong about your definition of stable software
though. Software is not like wine. It doesn't become better just from leaving
it alone for a few years. In fact, all software has bugs and developers are
constantly struggling to fix them. In the case of a screen-locker like
XScreenSaver, it's also security-critical software, so the developer(s) are
constantly in a race against people who want to exploit the bugs. Using a
version from 2014 instead of the latest stable version is not just a
opinion/preference, it's a bad idea, and I think jwz is totally right in
saying that it's better Debian don't package it at all than package an old
version.

~~~
caf
The Debian maintainers _do_ backport security fixes to the older version
they're shipping, though. Eg. for the package in question here we have:

    
    
      xscreensaver (5.30-1+deb8u1) jessie-security; urgency=medium
    
        * Add upstream patch for "xscreensaver aborts when unplugging second
          monitor" security issue (closes: #802914)
          http://www.openwall.com/lists/oss-security/2015/10/24/2
    
       -- Tormod Volden <debian.tormod@gmail.com>  Sun, 25 Oct 2015 11:35:52 +0100
    

Keeping the old version isn't supposed to imply _" it has no bugs"_ \-
instead, it's based on the idea that _" if if works for you now, it will
continue to work for you"_. In other words, you can be reasonably sure
distribution point updates won't break anything that you're relying on.

~~~
vacri
Given that this is a saga that's been going on for years, I wonder why debian
hasn't just put it into stable-backports?

~~~
ashitlerferad
You might want to read the response, there were no changes worth backporting.

------
wtbob
> The pop-up message may be direct, but is it not attacking any minorities,
> genders or sexual preferences.

How is that relevant to _anything_? Something can be bad without attacking
minorities, genders, sexual preferences, Packer fans or Packard drivers.

~~~
PeCaN
Well, for one thing, it's not offensive. Attacking minorities, genders, and/or
sexual preferences can be offensive. A popup calling out Debian on their
ridiculous version lag is not. So... who cares, really.

~~~
me_bx
> So... who cares, really.

People who see an annoying xScreensaver popup each time they boot their
machine or when their machine wakes up from screensaver...

Worth noticing that the popup mentions xScreensaver's author's email address,
which probably doesn't help him getting less bug reports....

------
levemi
For context, see the author's take[0], who would like debian to stop shipping
xscreensaver if they wont update it since the author gets lots of support
requests for things fixed in newer versions.

[0] [https://www.jwz.org/blog/2016/04/i-would-like-debian-to-
stop...](https://www.jwz.org/blog/2016/04/i-would-like-debian-to-stop-
shipping-xscreensaver/)

~~~
will_hughes
Please don't link to jwz.org from here, it redirects to a NSFW image when the
referrer is HN.

~~~
Symbiote
Perhaps a link like this is appropriate in this case:

[http://nullrefer.com/?https://www.jwz.org/blog/2016/04/i-wou...](http://nullrefer.com/?https://www.jwz.org/blog/2016/04/i-would-
like-debian-to-stop-shipping-xscreensaver/)

~~~
tlrobinson
Nice, good to know about that.

It would be pretty amusing if HN put in a special case to use this for links
to jwz.org.

BTW if you use https, i.e.
[https://nullrefer.com/?http://www.xhaus.com/headers](https://nullrefer.com/?http://www.xhaus.com/headers)
there won't be any Referer at all, while
[http://nullrefer.com/?http://www.xhaus.com/headers](http://nullrefer.com/?http://www.xhaus.com/headers)
will show nullrefer.com as the referrer.

~~~
DanBC
Open in incognito window works.

------
digi_owl
The whole situation is nuts. And it boils down to how rigid the package
management system is on traditional distros. And no, the likes of xdg-app will
just rellace one problem with another. As i see it the solution is more likely
found in the likes of NixOS/Guix or Gobolinux. There updating a dependency
tree piecemeal is straight forwadd, without having the whole tree duplicated a
million times over.

~~~
lake99
I think the whole situation is nuts too, but for a different reason: JWZ
expects bug reports as emails. It's easy enough to install Bugzilla, Trac, or
whatever on his own server. If he doesn't want to make the effort, so many
public repo hosts have integrated bug tracking tools. Some of these can
mandate entering the version number. People can also check if their bug has
been reported already. He could automate replies for bugs reported against
older releases. There are so many advantages that it would be tiresome to list
them all out here.

Instead, JWZ requires users to send him emails, and he makes his email id
prominent. At this point, I'd be OK with stripping off his notice, because
he's not making life easier for anyone else either. Not that I'm affected by
what Debian does; I run Arch and have the latest software already.

~~~
digi_owl
I suspect his thinking is that the barrier of entry for reporting is much
smaller if all it takes is an email.

Also, i think he got burned on bugtrackers while dealing with Gnome bugs. That
lead him to formulate CADT and abandon Linux for OSX.

~~~
lake99
I can sympathize with his issues with Gnome bugs. But corporate-driven
software is no different. I too have been subjected to a similar treatment on
Google Chrome's bug tracker. I stopped reporting bugs there years ago.

Closed-source software is no different. Had MS and Apple allowed the public to
raise bugs against their software, we would have been subjected to a similar
treatment there too. For example, the last time I used iTunes on Windows (10+
years ago), it would simply delete all my ID3 comment tags, and write its
incomprehensible garbage. _Years_ of hard work, gone in seconds. They did not
even have the decency to warn users before they did that. Having lost all my
comments, I tried using iTunes for a few months, until more and more bugs made
the software simply unusable. I got rid of iTunes, installed Rockbox on the
iPod and enjoyed the device for a few more years.

I know I went off on a tangent, but my point was that CADT-like symptoms are
endemic to all rapidly-changing software.

Anyway, how he would administer his project's bug tracker has nothing to do
with how Gnome runs theirs. I can come up with easy solutions that makes both
Debian users and JWZ happy with his current report-bugs-by-email system. But I
don't see the point of making the effort. I don't think JWZ reads HN, and even
if he does, he comes across as a stubborn and bitter person, at least as far
as this topic is concerned.

When I read this on his XScreenSaver FAQ:

> There aren't any FAQs about the MacOS version because, well, unlike Linux,
> MacOS just works. Sad but true.

I remembered all the times my Mac-using friends have come to me, asking for
help with odd problems on their computers. I turned them all away because I
didn't know solutions to any of their problems. If I ever meet JWZ in person,
as unlikely as it is, the entire field of software will be on my banned topics
list.

~~~
digi_owl
Heh, he do sometimes seem to have the signs of someone so burned by one "side"
that he has gone fanatic for the other.

------
kogone
irregardless of the coverage this has gotten.. author's request should honored

how can it be deb stable if the author is getting spammed about issues.

kind of seems to be at odds with the best things about Debian.

~~~
digi_owl
Debian stable operates under the "better the devil you know" principle.

Thus often various bugs that are not security related will not get patched
because that may well disrupt production installs more than leave it be and
have the local admin implement a workaround.

JWZ's definition of stable is more akin to what you get out of the kernel devs
or FSF's software. A codebase that has been tweaked and fixed over time.

You can see this in how he laments the rewrite(s) of Netscape Communicator
after Mozilla was formed, and CADT. Formulated after Gnome devs invalidated
long standing bug reports of his, because the relevant Gnome part was to be
rewritten from scratch once more.

Stable is in essence one of those context sensitive terms...

------
shmerl
KDE doesn't even support XScreenSaver anymore.

~~~
pritambaral
What do you mean? That KDE doesn't let users choose from a list of
screensavers that includes XScreenSaver?

I just tested out XScreenSaver on KDE. As long as I set up the process and
keyboard shortcuts correctly, I can still use it (Yay, standard APIs). (Of
course, I am limited to keyboard shortcuts and not the 'Lock Screen' buttons
in KDE).

~~~
shmerl
Yes, I mean the standard lock screen. Of course you can explicitly run it.

