Re: This is quite interesting

I'll bite.

Earlier today I came across a relevant Debian/Ubuntu stale package situation. I wanted an XMMP client. Liking minimal, I took a shot in the dark and chose Cabber. I couldn't get it to work and the promised config file was not to be found, nor visible on the net. A little searching and I discovered that Cabber was a dead project and had long since been succeed by Mcabber. Fine, so I install that. Still the same problem with the whole package not being there, however I fixed that in short order and it looks like things are fine.

What I came away with was that these programs are in the Debian repository and seem to be transferred to Ubuntu repositories without anyone checking to see if they actually work! I posted here some months back regarding another program in the same category. That program is gramofile and was last seen to work with Ubuntu 6.04! Yep, it's still there to install and get people thoroughly frustrated.

I can easily accept that no developer has made the time and effort to fix these packages for me to enjoy. However, I don't think it's appropriate that they are left in the repositories long after they don't work. If they are there as place keepers, that's good, but it would save a lot of people a lot of trouble if there was a not to that effect.

Re: This is quite interesting

I've commented on this kinds of postings before and here and here so I won't repeat what I've written before, except to add that we also have the problem of possible MS "Technical Evangelists" trying to trying to stir the pot.

Re: This is quite interesting

gg, you didn't miss anything worthwhile with Windows ME. It was nightmarishly bad even by Microsoft standards.

In the case of the Firefox upgrade problem I really do have sympathy for some of the complaints. I was stuck using a very old (3.1 or 3.0 I forget now) version of Firefox until just last week 3.6.6 finally appeared in the update notifier on my 8.04 Hardy machine. It isn't that I needed the new features or anything, but I have some concerns because using such an old browser means some websites may not work if they depend on new technologies like in HTML 5. Also I am always paranoid about security and using such an old browser really makes me worry when there are known flaws being actively exploited against it.

Another case I can cite is MPlayer. There have been some new features added to certain codecs and many encoders have updated to the latest tools for these features. The old version of MPlayer from the Hardy repos (and even the one in the Jaunty repos) did not support the latest version of the codec. Nor did Kaffeine on Hardy, and nor did Dragon Player on Jaunty. (Sorry that I can't specify exactly which codec was involved, but I don't understand some of these codec things even after reading them a few times.) My solution to this one was to add a PPA provided by the SMPlayer devs to keep MPlayer up to the latest stable version from upstream.

Anyway, I didn't start this thread to rant about problems which are ultimately my own to solve. I find solutions which work for me, sometimes with a little help from the forums or on IRC. It just seems to me that there are some real underlying problems worth discussing here, especially if you look at it from the perspective of people who don't understand computers or who come from a long term Windows user background.

@everyone, Does it take too long for Kubuntu to get bug fixes, security updates, or the latest version of your favorite program? Do you think installing them is more difficult than it needs to be? Any other thoughts about the thread I linked in the OP?

Re: This is quite interesting

It is an interesting commentary. Really he's commenting on the entire open source development model, although it's directed at Ubuntu. The same issues apply to all distributions of Linux.

I've thought a lot about the same things, but I really don't have anything constructive to add. From the "customer" perspective, it's certainly more convenient when you have a go-to organization at which to lodge your complaint. With FOSS "products", there's no there there -- if you are capable of fixing the issue yourself, you have all the tools available to do so. If you're not capable, then you're out of luck.

From the "direction" perspective, there's also no there there. If individual developers are inspired to write another text editor, that's what you get, even though there are already dozens of them. If no developer is inspired to design a top-class professional genealogy package running on MySQL, then that's what you don't get. It's not as though you can direct it. More like a herd of cats than a real organization, for better or worse .... but perhaps that is the actual value of FOSS.

[/offsoapbox]

Re: This is quite interesting

I have often thought about it too. I think you nailed it: "that is the actual value of FOSS." In fact, that is a constructive comment.

Re: This is quite interesting

A few rambling thoughts......
I think most, if not all, Linux distros have fairly well laid down priorities:

1. Security updates
2. Bug Fixes
3. New updated packages.

I can understand it to an large extent. They focus on getting all the new stuff sufficiently stable for when they launch the next distro version rather than unleash a load of backports on a user base that typically wants stability. However, when that very same user base learns of a new version of openoffice for example, they typically want it right away, often forgetting why they chose Linux in the first place, and many then wish the distro was like windows i.e download and install.

I personally think ubuntu does a pretty decent job of getting 1 and 2 out of the door, although sometimes they can be a bit slow say with firefox updates. (having said that I note that the official 10.04 repos have now reached version parity with the mozilla builds). I'm particularly impressed at the speed with which KDE updates become available to us.

If we want category 3 then generally we have to wait until a distro upgrade but isn't that what we all bought into when we got into this? Usually though, impatience gets the better of me as well and if there is a newer version available in a ppa then I'll have a go for it. This does, however, raise the question of security etc. I just wonder to what extent (if at all) are the packages made available in ppas regulated by the distro?

Re: This is quite interesting

You make some good observations, Liquidator.

I know we do get updates for a lot of things, most of which I habitually install without paying much heed. But when it comes to Firefox I pay attention. See, the web browser isn't just a simple text viewer any more. It is my window out to a world of dynamic media, as well as a platform for web enabled applications I use. What this means in terms of security is that the web browser is an operating system inside an operating system. I know Linux itself is relatively safe (compared to other OSes) against remote attacks as long as I keep the doors closed, but I can't say the same for my browser unless I'm running the latest, fully patched version.

In the case of MPlayer as I mentioned above, I have no idea what's stopping Ubuntu from packaging up the latest version for the repos. This is about having full use of the software you understand. If your media player doesn't support the latest version of the codecs then you might as well consider it useless.

When most people think of stability they think of something that can stand on its own without falling down, such as a table with 4 legs. The stability I think you are indirectly talking about mean something that does not change. The two concepts are related of course because software changes can cause problems on established systems in a myriad of ways. However I think what most people want is something that will be both reliable and reasonably up to date without negatively impacting what they already have.

I'm all for backports if they can accomplish such, and I think that's exactly what you'd call the Firefox 3.6.6 update I got last week. It's going into the repos for the latest Kubuntu release, and being backported to 8.04 Hardy at the same time (thank God!). I would not be as concerned about the latest Open Office unless I knew that it had feature upgrades or bug fixes I desperately need. In the case of Open Office, I don't think resorting to PPAs is an unreasonable trade off.

As to whether the Kubuntu team (or Canonical) actually monitors PPAs at all, I have no idea. All I know for sure is that they are officially said to be unsupported by Canonical.

Underlines are mine. So by that I guess they mean there is no guarantee of quality, compatibility, or security of the software provided.

Re: This is quite interesting

Definitely agree with you 100% about the browser - I see that as being potentially the most vulnerable part of the modern computer. It would therefore be completely false to claim to be supporting a distro whilst not keeping the browser up to date, particularly as most point.point increases are specifically to address vulnerabilities.

On mplayer, my brief look at the ppa would suggest that the version there (2.1.0 rc3) would appear to be the same as in lucid so they would appear to have given it category 3. Whether that's appropriate of course depends upon the differences between the 2 but I would imagine that they Canonical define them as functionality upgrades so their stock answer would presumably be to install lucid. Whether that's feasible or desirable for you to do so I wouldn't venture to suggest as you have your own reasons for sticking with 8.04 at the moment.

Re: This is quite interesting

The idea of the browser being an OS within an OS is very good. Particularly in the context of this discussion. However, Ubuntu supports at least four fully functional browsers so we are not just talking about "the" browser. They all need to be up-to-date. Or do they? I mean what exact vulnerabilities are we talking about here? What actual compromises has anyone experienced?

Re: This is quite interesting

When I first began experimenting with Kubuntu I had problems with full system upgrades to the new releases. At that time I made a firm decision to stick with the latest LTS on my everyday system and only install the 6 month releases on less important systems. (I don't think I have to explain to anyone here that, at least for some people, the upgrade from KDE3 to KDE4 was a complete disaster and I want to avoid that at all costs.) In any case, I always do a clean install to bypass any possibility of upgrade problems. The latest Kubuntu uses EXT4 filesystem and to get maximum performance the recommendation is to install to an empty hard disk, so it is even more important this time.

Good point. Konqueror, Opera, or whatever other web browser people use deserve consideration as well.

Konqueror on my 8.04 Hardy system is quite old. Personally I don't use Konqueror for web browsing very much though because it just plain doesn't work as well as Firefox with some pages like YouTube. Firefox also seems to be much more forgiving with pages that are not fully standards compliant. These things are definitely not the fault of Konqueror, but the web evolves too quickly for me to continue using an outdated version of Konqueror.

The ones that worry me most included remote code execution and privilege escalation. These type of exploits allow compromised web pages to execute programs on your computer with permission to do things beyond what the browser is normally capable of. Think of all the data about yourself which you type into web pages, especially if you do banking online, and imagine that information in the hands of crooks. This scenario is a million times more common for users of non-Linux operating systems, but it can happen on Linux too. The mere fact that Firefox is common even among Windows and Mac users means crooks have incentive to exploit its vulnerabilities.

Edit

Please note that I am not trying to panic anyone. If you are using Kubuntu then you are much less insecure than Windows users thanks to Unix permissions. I am just saying that all programs have vulnerabilities which can be exploited regardless of the operating system. Not everyone is as paranoid as I am, but thinking about security is the duty of all system administrators. If you are concerned about security in Firefox, like I am, then please consider using NoScript to block all Javascript, Flash, and Java.

Re: This is quite interesting

I used to include the installation of Noscript as one of the first things I did whenever I reinstalled Ff. However, I eventually decided that the sum of the minor aggravation caused by Noscript at nearly every site I ever visited was greater than the major aggravation that I would suffer if I ever had to do a reinstall in the event of infection by Javascript malware.

Re: This is quite interesting

I use FF for general browsing, Dillo for major papers and news sites, Galeon for a selection of regular pages, and Epihany for music sites. Apart from Dillo, the others are completely functional and up to date. For convenience, these all occupy their own desktops. It is essential to use different browsers because the way KDE handles programs all instances crash if one does. Using a single browser with KDE is just not workable IMHO.

Anyway, back on topic, I'm still concerned about the security issue. Philosophy is fine, and to me very important, but what about actual experiences? Are there any verifiable reports of browser vulnerabilities causing any real world problems? I would like to hear some because it would be very relevant (I think essential) to this discussion.

Re: This is quite interesting

IMHO that is absolutely insane, but far be it from me to criticize a solution you found yourself which works for you. I'm a little surprised you have trouble with FF crashing though, because it only rarely ever happens to me. The usual culprit is the Flash plugin, infamous for its many bugs and vulnerabilities. FF has session recovery though, so even when your browser crashes you ought to be able to continue where you left off after starting it again.

I agree it is important. I can't recall any vulnerability in FF being exploited in a widespread fashion the way it happens so frequently with a certain other browser. The Mozilla crew fixes problems pretty quickly. Just to keep me honest, have a look at the security advisories for the browser I was using until just last week. See how many instances of the phrases "code execution" and "privilege escalation" you find on that page.

Re: This is quite interesting

Hmm that Security Advisories for Firefox 3.0 page has a lot of "critical" vulnerabilities on it. That's for Linux? I don't think so. There may be something there but I think this highlights the problem. Much security talk around Linux points to Windows for examples.

Regarding Firefox crashing. I find some wierd and busy pages will cause a FF fault if you back out too soon. I normally avoid those kinds of sites anyway. Note however, that I typically have a lot of windows open in all the browsers. FF gets the brunt of it and I don't clean up before it hits about 50 windows, and they stay there for months some times. I notice that many people have a much more gingerly approach to their desktops than I do. I've even seen people who go so far as to only use one! Using all the browsers that come with KDE is just a bit of convenience for me. Apart form a couple of very desirable web developer plugins for FF, all browsers look the same to me.