Debian XScreenSaver package maintainer responds (debian.org)
38 points by ashitlerferad on April 8, 2016 | hide | past | favorite | 40 comments



It's OK to have your own definition of what 'stable' software is. For some folks, it's what's on the master branch of the repo, for others it's software that's been tested for years by a large community already.

Debian has a specific documented process of how their stable releases are produced, and though that can cause problems for some developers because they get bug reports for old versions, that specific documented process is part of what makes Debian special to me.

I sympathize with devs for having to put up with those bug reports, but putting messages into the software to specifically goad the OS package maintainers is just poor form. Surely there's a better way to have handled that.


I feel like it's possible to be wrong about your definition of stable software though. Software is not like wine. It doesn't become better just from leaving it alone for a few years. In fact, all software has bugs and developers are constantly struggling to fix them. In the case of a screen-locker like XScreenSaver, it's also security-critical software, so the developer(s) are constantly in a race against people who want to exploit the bugs. Using a version from 2014 instead of the latest stable version is not just an opinion/preference, it's a bad idea, and I think jwz is totally right in saying that it's better Debian doesn't package it at all than package an old version.


The Debian maintainers do backport security fixes to the older version they're shipping, though. Eg. for the package in question here we have:

  xscreensaver (5.30-1+deb8u1) jessie-security; urgency=medium

    * Add upstream patch for "xscreensaver aborts when unplugging second
      monitor" security issue (closes: #802914)
      http://www.openwall.com/lists/oss-security/2015/10/24/2

   -- Tormod Volden <debian.tormod@gmail.com>  Sun, 25 Oct 2015 11:35:52 +0100

Keeping the old version isn't supposed to imply "it has no bugs" - instead, it's based on the idea that "if it works for you now, it will continue to work for you". In other words, you can be reasonably sure distribution point updates won't break anything that you're relying on.


Given that this is a saga that's been going on for years, I wonder why debian hasn't just put it into stable-backports?


You might want to read the response, there were no changes worth backporting.


If you actually look at the changes to xscreensaver upstream (as the Debian xscreensaver maintainer did), you will see that most of the changes only mattered for iOS users so there was little point updating to the latest version, apart from the security fix, which was backported quickly.


Suppose for a minute that it is legitimately impossible to have a secure screensaver older than 6 months. Like, we live in a universe where either we can have secure screensavers, or we can have Debian stable, but not both.

What we have in this situation is an engineer–as far as I can tell, an engineer on the short list of "world experts in lockscreen security"–who earnestly believes that our universe operates in exactly this way.

What is a reasonable thing to do–short of warning end users, which apparently is immature in your mind–to prevent what he believes, as a subject matter expert, to be a major and ongoing security vulnerability waiting to happen?

Should he have released under a non-DFSG license so as to prevent Debian from packaging the software at all? Or should he have politely written to the Debian maintainer asking for its removal from Debian? Should he have gotten into the Debian politics and lobbied for the "special exceptions" that iceweasel etc. enjoy to get frequent updates? Should he have taken it upon himself to backport security fixes to Debian, RHEL, etc?

I sympathize with the OS package maintainers, but I sympathize more with someone who found himself trapped between his commitment to software freedom and his commitment to keeping his users secure.


> found himself trapped between his commitment to software freedom and his commitment to keeping his users secure.

It's more about the spam for already-fixed features than the love of keeping users secure.

jwz also isn't exactly fair in his characterisations in the article. Things like "taking advantage of a creator's work, ignoring their wishes, and giving nothing back in return." when the explicit problem is that they're giving back, just not in the right manner. That's just the way jwz rolls, though...

It would be wrong for debian to remove the warning, though, since it's there specifically for debian users; they're not 'collateral damage' from an unrelated change or similar.


> It's more about the spam for already-fixed features than the love of keeping users secure.

I realize this is the reason presented in the comment, but after I dug into his statements elsewhere, I developed a different picture. Anyway, there's no law that says a comment must present every argument why the code exists.

To step back a minute, I seem to be seeing the same facts very differently. Where some see an immature attempt to annoy users, I see a demonstration that Debian is unable to spot a bug when it has a 50-line comment above it complaining that Debian doesn't fix bugs.

To me, the very existence of this situation itself is a powerful argument against Debian stable as a working concept. Most of the time a bug is introduced it does not announce itself with a preamble. How the hell did this make it all the way to stable?


> I see a demonstration that Debian is unable to spot a bug when it has a 50-line comment above it

That's also an unfair characterisation, especially since the original report starts out recognising that exact comment.

Debian stable is there for a reason - not everyone is in a position where they can have the latest'n'greatest rolling distro. Security is not the only thing that's of interest to users; stability is of interest as well. I see people using rolling distros that get caught up by this bug or that bug, and they can fix it because they're technically-minded, but not everyone can do that.

This xscreensaver issue is an edge case that gets caught in the cracks. I'm sure jwz is also well aware of why debian stable does what it does, but as the recipient of the bugspam, he can probably be forgiven for being less than charitable about deb-stable.


> That's also an unfair characterisation

What specifically is unfair about it? Is it false?

> especially since the original report starts out recognising that exact comment.

I must be missing the part where a postmortem of this feature getting into stable was conducted and lessons were learned. Can you link me?

> Debian stable is there for a reason - not everyone is in a position where they can have the latest'n'greatest rolling distro.

Yeah, and that's why I run Debian stable. But in light of a visible lapse I'm concerned about invisible ones lurking on my systems.


Suddenly "unable to spot a bug" has transmogrified into requiring a post-mortem and lessons for the future learned? That's some pretty hefty goalpost moving.


Are there any distributions that audit all source code incoming from either maintainers or upstreams?

Are there many software projects that have full peer review of every single commit?

Are there many software projects that have more than one developer?


> The pop-up message may be direct, but it is not attacking any minorities, genders or sexual preferences.

How is that relevant to anything? Something can be bad without attacking minorities, genders, sexual preferences, Packer fans or Packard drivers.


Well, for one thing, it's not offensive. Attacking minorities, genders, and/or sexual preferences can be offensive. A popup calling out Debian on their ridiculous version lag is not. So... who cares, really.


> So... who cares, really.

People who see an annoying xScreensaver popup each time they boot their machine or when their machine wakes up from screensaver...

Worth noticing that the popup mentions xScreensaver's author's email address, which probably doesn't help him get fewer bug reports....


Pretty sure that's a joke, poking light-hearted fun at the rather over-earnest flames further up in the thread.


For context, see the author's take[0], who would like debian to stop shipping xscreensaver if they won't update it since the author gets lots of support requests for things fixed in newer versions.

[0] https://www.jwz.org/blog/2016/04/i-would-like-debian-to-stop...


Please don't link to jwz.org from here, it redirects to a NSFW image when the referrer is HN.


Perhaps a link like this is appropriate in this case:

http://nullrefer.com/?https://www.jwz.org/blog/2016/04/i-wou...


Nice, good to know about that.

It would be pretty amusing if HN put in a special case to use this for links to jwz.org.

BTW if you use https, i.e. https://nullrefer.com/?http://www.xhaus.com/headers there won't be any Referer at all, while http://nullrefer.com/?http://www.xhaus.com/headers will show nullrefer.com as the referrer.


Open in incognito window works.


This is yet another reason the referrer header shouldn't exist.

(To anyone complaining that they need referrers: Use cases that require the referrer can find another solution. As the jwz.org redirect indicates, referrers leak important information. Do you really want to argue that your use case is so important that it justifies a data leak?)
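A simplified model of the browser Referer decision the two comments above describe (nothing is sent on an https-to-http downgrade under the default policy, the full page URL otherwise), added here as an illustration and not code from the thread; the policy names are those of the W3C Referrer Policy spec, and the behaviour is simplified to scheme, origin and policy checks.

```python
from urllib.parse import urlsplit


def _origin(url):
    """Scheme and host[:port] of a URL, e.g. 'https://nullrefer.com'."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def _stripped(url):
    """URL as it would appear in Referer: no userinfo, no fragment."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    out = f"{p.scheme}://{netloc}{p.path or '/'}"
    if p.query:
        out += "?" + p.query
    return out


def referer_for(source, target, policy="no-referrer-when-downgrade"):
    """Referer value a browser attaches when a page at `source` navigates to
    `target` under `policy`; None means no header is sent at all.
    The default policy is the long-standing browser default, which is what
    makes the https nullrefer link in the comment above send nothing."""
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(target).scheme != "https")
    same_origin = _origin(source) == _origin(target)
    origin_only = _origin(source) + "/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(source)
    if policy == "same-origin":
        return _stripped(source) if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _stripped(source)
        return None if downgrade else origin_only
    if policy == "unsafe-url":
        return _stripped(source)
    raise ValueError(f"unknown referrer policy: {policy}")
```

A site that does not want its page URLs leaking to third-party links sets the `Referrer-Policy` response header (e.g. `no-referrer` or `strict-origin-when-cross-origin`), which the model reflects as the `policy` argument.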


Yet another reason to install Firefox extensions I guess.

http://www.stardrifter.org/refcontrol/


LOL, that link redirects to a graphic meme hosted on imgur. I'm guessing he has a redirect set up to spot HN referrals. Make sure to open it directly. (i.e. copy-paste into address bar, right-click and open in new tab)


Perhaps HN could do something to automatically wrap jwz links in a web cache.


Oh yeah let's screw with someone's setup, that'll help. Come on, is it that hard to copy/paste a URL?


How is loading a cached version screwing with his setup?


Overengineered workarounds for people's (access) rules where an alternative is cc/cv away. That brings nothing to anyone.


The whole situation is nuts. And it boils down to how rigid the package management system is on traditional distros. And no, the likes of xdg-app will just replace one problem with another. As I see it the solution is more likely found in the likes of NixOS/Guix or Gobolinux. There updating a dependency tree piecemeal is straightforward, without having the whole tree duplicated a million times over.


I think the whole situation is nuts too, but for a different reason: JWZ expects bug reports as emails. It's easy enough to install Bugzilla, Trac, or whatever on his own server. If he doesn't want to make the effort, so many public repo hosts have integrated bug tracking tools. Some of these can mandate entering the version number. People can also check if their bug has been reported already. He could automate replies for bugs reported against older releases. There are so many advantages that it would be tiresome to list them all out here.

Instead, JWZ requires users to send him emails, and he makes his email id prominent. At this point, I'd be OK with stripping off his notice, because he's not making life easier for anyone else either. Not that I'm affected by what Debian does; I run Arch and have the latest software already.


I suspect his thinking is that the barrier of entry for reporting is much smaller if all it takes is an email.

Also, I think he got burned on bugtrackers while dealing with Gnome bugs. That led him to formulate CADT and abandon Linux for OSX.


I can sympathize with his issues with Gnome bugs. But corporate-driven software is no different. I too have been subjected to a similar treatment on Google Chrome's bug tracker. I stopped reporting bugs there years ago.

Closed-source software is no different. Had MS and Apple allowed the public to raise bugs against their software, we would have been subjected to a similar treatment there too. For example, the last time I used iTunes on Windows (10+ years ago), it would simply delete all my ID3 comment tags, and write its incomprehensible garbage. Years of hard work, gone in seconds. They did not even have the decency to warn users before they did that. Having lost all my comments, I tried using iTunes for a few months, until more and more bugs made the software simply unusable. I got rid of iTunes, installed Rockbox on the iPod and enjoyed the device for a few more years.

I know I went off on a tangent, but my point was that CADT-like symptoms are endemic to all rapidly-changing software.

Anyway, how he would administer his project's bug tracker has nothing to do with how Gnome runs theirs. I can come up with easy solutions that make both Debian users and JWZ happy with his current report-bugs-by-email system. But I don't see the point of making the effort. I don't think JWZ reads HN, and even if he does, he comes across as a stubborn and bitter person, at least as far as this topic is concerned.

When I read this on his XScreenSaver FAQ:

> There aren't any FAQs about the MacOS version because, well, unlike Linux, MacOS just works. Sad but true.

I remembered all the times my Mac-using friends have come to me, asking for help with odd problems on their computers. I turned them all away because I didn't know solutions to any of their problems. If I ever meet JWZ in person, as unlikely as it is, the entire field of software will be on my banned topics list.


Heh, he does sometimes seem to have the signs of someone so burned by one "side" that he has gone fanatic for the other.


Regardless of the coverage this has gotten... the author's request should be honored.

How can it be deb stable if the author is getting spammed about issues?

kind of seems to be at odds with the best things about Debian.


Debian stable operates under the "better the devil you know" principle.

Thus often various bugs that are not security related will not get patched because that may well disrupt production installs more than leave it be and have the local admin implement a workaround.

JWZ's definition of stable is more akin to what you get out of the kernel devs or FSF's software. A codebase that has been tweaked and fixed over time.

You can see this in how he laments the rewrite(s) of Netscape Communicator after Mozilla was formed, and CADT. Formulated after Gnome devs invalidated long standing bug reports of his, because the relevant Gnome part was to be rewritten from scratch once more.

Stable is in essence one of those context sensitive terms...


KDE doesn't even support XScreenSaver anymore.


What do you mean? That KDE doesn't let users choose from a list of screensavers that includes XScreenSaver?

I just tested out XScreenSaver on KDE. As long as I set up the process and keyboard shortcuts correctly, I can still use it (Yay, standard APIs). (Of course, I am limited to keyboard shortcuts and not the 'Lock Screen' buttons in KDE).


Yes, I mean the standard lock screen. Of course you can explicitly run it.


KDE doesn't support any screensavers any more

