Decade Old KDE Bug Fixed
hypnosec writes "How long does a bug take to get resolved? A week? A month? A year? Well, a bug prevalent in the KDE libraries since 2002 has finally been resolved after a decade, it has been revealed. The bug was present in the "Reject Cross-Domain Cookies" feature of KDE Libraries. Thiago Macieira noted in the KDE Libraries Revision 974b14b8 that he observed that his web cookies were being forgotten following a kded restart."
Can't decide if it's embarrassing or impressive (Score:5, Interesting)
Maybe a little of both. Clearly, they had other priorities and this just fell through the cracks.
"turns out that mCrossDomain was of value 127": For some reason reminds me of the time Linus blew up at Mauro a little while ago also for returning a value that makes no sense (made worse by dancing around the issue).
Re:Can't decide if it's embarrassing or impressive (Score:5, Informative)
I've had a similar experience. I was working with a system and found a bug that had been around since the initial system (>3 years), and jumping into the old source control (I had to crack open visual source safe since that's what they were using originally..blech
Re: (Score:2)
No one noticed their cookies are removed without any reason? "IF" no one really noticed that, then I would ask myself what kind of people have been using it.
Or perhaps there were more important bugs and problems and people did not push on this one?
Re: (Score:1)
Software is so complicated and diverse these days, it's hard to tell which is normal behaviour and which is not.
Honestly though, isn't forgetting cookies a GOOD thing?
Re:Can't decide if it's embarrassing or impressive (Score:5, Interesting)
I tend to consider my cross-domain cookies getting lost a feature. I never noticed the bug -- and I have been using KDE since before it was introduced.
There are legitimate uses for cookies, for sure, but the vast majority of them seem to serve no other purpose than tracking me. Which is occasionally fine in the case of wikipedia or slashdot keeping me logged in, but in the vast majority of cases _not_ OK.
Whaaaa? (Score:2)
Easy: give it some duct tape and a magnifying glass, then stand back.
Re:Can't decide if it's embarrassing or impressive (Score:4, Insightful)
Reboots aren't as necessary in Linux.
And I'm assuming that this only affects KDE cookies, so you'd only see this if you used Konqueror as your browser. I imagine most KDE users are using Firefox, Chrome or another browser like that.
Re: (Score:1)
...Unlike Gnome, of which I really was a big supporter since ~1997 but which since version 3.0 is (for good reason) about as popular as a dose of the clap.
Re: (Score:2)
Reboots aren't as necessary in Linux.
Sure, if you want to run the same kernel for the rest of your life, that's true.
Re: (Score:2)
http://www.ksplice.com/ [ksplice.com]
You can even swap kernels without a reboot.
Re: (Score:2)
I had to reboot lately, because Firefox was a zombie process and still taking 1.5G of memory. Its parent was init. For the first time, I did a kill -1 -9 to see what happens (kills everything but init) this gives you a black screen and losing all input to do anything with the computer. I should have killed init to see what happens lol.
Doing something without reboot is also a test on your admin skills (I'm sure a user barely able to edit /etc/fstab will just reboot instead of doing a mount -a, and so on.)
Re: (Score:2)
Um, pretty sure that should be kill -9 -1
Re: (Score:2)
Reboots aren't as necessary in Linux.
My thoughts exactly. I pretty much never rebooted my Linux desktop. Laptop.. yes because hibernate didn't work right.
Some people also set their browser to delete cookies every time they close the browser (I usually set one to do this so I have something clean for testing).
Re: (Score:2)
What about the many eyeballs? (Score:5, Interesting)
After RTFA (I know, broke the rules), it appears it wasn't a documented or tracked bug. It was noticed and fixed more than a decade after it was created. Pretty much non-news. If no one ever noticed or cared that their cookies were getting lost on a kde restart then how can you expect it to get fixed? If no one calls it a bug, is it actually a bug?
"With enough eyeballs all bugs are shallow" Right?
Well, the theory of the many eyes says that someone somewhere should have noticed/reported/tracked this bug sooner rather than later.
This comes to prove that many eyes are NOT enough. First you need more than merely many eyes, you need many QUALIFIED eyes.
Second, you need to complement your (many) eyes with systematic test cases to do some QA, trying to add a modicum of rigor, instead of, you know, letting the QA become an ad-hoc subjective process...
Re: (Score:1)
Well, relevance will probably have something to do with how many eyes etc.
Security and stability bugs have many eyes looking.
Re: (Score:1)
If no one ever noticed or cared that their cookies were getting lost on a kde restart then how can you expect it to get fixed?
Since I don't use konq, I never noticed this bug, but in any case I would call this a feature, since I actually use a script to routinely delete any cookies files. While I realise cookies might be delicious, I don't care to be tracked by friends of acquaintances, so (as far as is conveniently possible) I don't choose to let them.
Re: (Score:1)
Can't decide if it's embarrassing or impressive
There's a Slashdot rule about that: if we're talking about open-source, it's impressive, if not, it's embarrassing.
Re: (Score:2)
Re: (Score:2)
Can't decide if it's embarrassing or impressive. Maybe a little of both.
Or none of the above. ;-)
Reading the reply from adawit [kde.org], seems more like in some rare situations that involve restarting the "cookiejar" (the service that stores the cookies), there is possibly undefined behaviour (depending on what the compiler does).
I think it is an interesting bug fix, and maybe even a nice blog post from the developer, but I don't think it is worth the Slashdot frontpage, even less with that headline.
Re: (Score:1, Troll)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Actually in reality many people carry out all your points. For example where I work we routinely perform source code screening of all the software that we use for mission critical stuff. And I do not believe that we are alone in doing that.
Further the very fact that the FOSS projects have their sources available means that all companies that develop source code validations services (like Coverity) screens lots of FOSS sources for free during their development of their products since that is the only massive
Re: (Score:2)
'Many eyes' is a statistically valid principle, just over-trusted. You're right that it's not a guarantee that bugs will be found, understood, and fixed more quickly as staff are added, but as long as developers (and testers) aren't slacking off due to herd mentality effects, the rate of finding bugs cannot be any worse than it is with fewer people. It's a submodular function.
...also, if you have an infinite number of programmers reviewing the code at the same time, however, it is certain that all bugs will
Re: (Score:1)
But he's not wrong.
Re: (Score:2)
Re: (Score:2)
The source code advantage as far as bugs go is that if someone finds it, and has the skill or the money to hire that skill, one can discover where that bug is and fix it. You are right - it is more of a theoretical possibility than an actual probability, but still, even for this, having the source code for all the software one has is better than not having it. That way, if one finds the bug and has the skills to know where to look and what to do, one can debug the stuff. Not possible w/ closed source, wh
Re: (Score:2)
"turns out that mCrossDomain was of value 127": For some reason reminds me of the time Linus blew up at Mauro a little while ago also for returning a value that makes no sense (made worse by dancing around the issue).
So what should the value have been?
Re: (Score:2)
false. But I don't understand how it ever became 127, because it is of type boolean.
Who Cares? (Score:2)
Re: (Score:1)
yeah because users should have to get a phd in cs and fix the bugs themselves! open source fukken r00lz dude!!!1
open source means never having to take responsibility for releasing a shitty product...
Re: (Score:3)
open source means never having to take responsibility for releasing a shitty product
I guess I have to agree with you. At least this place seems to be inhabited with people that believe open source is an excuse to neglect work. I pointed out [slashdot.org] a 12 year old bug fixed in the latest Mozilla release and get modded Offtopic. Mozilla developers aren't working for kudos... but damn you if you offer the slightest criticism.
Re: (Score:2)
Arrogant and patronising?
Many of us would agree that it is YOU who is arrogant. You seem to assume that the software should function just as you demand that it should, and that when it does not, someone else is at fault. We can make an argument that you are part of the Great American Instant Gratification generation.
So, you can't program. Or, maybe you can program, but don't have the time or the skill to fix the problem that really bothers you. You have heard of the bounty system?
Here's a blurb on one
Re: (Score:2)
Re: (Score:2, Insightful)
With Open Source, if a bug is a real problem, then you can fix it.
Wrong. This is the big lie of Open Source.
I can write a patch but I can't force them to accept it. Which makes sense -- you can't have random people messing with your code.
I can only write a patch if I am proficient in whatever language they are using AND I am intimately familiar with the code base so that I know where to look.
Unless you are
Re: (Score:3, Insightful)
Commits are another story.
You fixed it for yourself... +1 (Score:2)
You fixed it for yourself... +1
Re: (Score:2)
Thanks. I keep trying to tell everyone that open source software is written by experts. It's nice to finally get some affirmation.
Re: (Score:2)
It's not just open source: the truth is, windows doesn't have a bug tracker, so you can't see really old bugs.
Windows 7 won't allow users to open/delete/move/do-anything-else on files with some particular characters in their filename. This bug has existed since DOS, so it's actually around two decades old.
Re: (Score:2)
Embarrassing != Troll.
And those projects, whether run as open source or owned by Microsoft or owned by some other closed source shop, should be embarrassed as well. If the bugs are that longstanding, public shaming is probably the only motivation left to drive
Re: (Score:2)
Really? I mean I guess I'm glad it's fixed but of all the problems this has to be among the most minor. Amnesia over web cookies is right up there with "there is a speck of dust on my shoe lace." Hell it could even be considered a feature.
Re: (Score:2)
Did you file a bug report? No? Then you didn't care very damned much.
Re: (Score:2)
Answering the obvious (Score:1)
How long does a bug take to get resolved? A week? A month? A year?
You said "decade old" in the title, dumbass!
KDE (Score:5, Informative)
Re: (Score:2)
Do I need a SSD to run it? I run my OS on an old IDE drive (data, not /home on a 160GB one) and have a stack of those if I want to try something different.
If I want to try it, and PC-BSD 9.1 or Linux Mint 14 KDE should be awesome OSes, I'd like to have the databases enabled (interfaced with whatever IM/mail/contacts/"PDA" stuff) as it's like the main feature of KDE along with kio slaves. But if I invest time into using it (after learning how to disable the animations crap and the tabbed start menu), and it
Re: (Score:2)
Re: (Score:2)
KDE is better because it has much better hardware support.
Restarting KDE (Score:1)
Restarting KDE every ten years sounds about right.
Decade old GNOME bug not fixed (Score:1)
https://bugzilla.gnome.org/show_bug.cgi?id=121113
Functionality wasn't affected (Score:5, Informative)
No one wants to fix unglamorous bugs (Score:3, Insightful)
People work on problems that are (a) fun to solve and (b) will bring them acclaim.
Tiny, ugly, boring bugs don't do that and so in many software projects they get overlooked the longest.
Déjà vu... (Score:3, Informative)
And these are just the ones we know about -- there may be yet older bugs (particularly in proprietary, closed-source systems, where the source cannot be reviewed by the general community).
Pssst. Mozilla... (Score:1)
Don't start asking about the number of decade-plus bugs that exist in Thunderbird. More than I could count on my entire family's, or probably even entire workplace teams', fingers and toes.
Users weren't affected until recently (Score:4, Insightful)
Sorry to spoil the fun, but the developer who found the bug fixed it "after a few months" according to the check-in comment. The code may have been buggy for a decade, but that doesn't mean that anybody was affected during that time. Once someone was affected (the developer), it was fixed in a much shorter timescale than this article makes you believe.
Still hope for 16 year old IE bug (Score:3)
Re: (Score:2)
Because it's very hard to reproduce, none of the reporters could come up with a reliable way of doing other than "On my system". I myself used to see that bug until kde 4.8. Have never seen it since.
Firefox does this all the time (Score:3)
Just this month, they have fixed bugs that were originally reported in 2000 and 2001.
browser cookies being forgotten (Score:2)
Open source? (Score:2)
How come no one took over these very old issues to fix? Did no one care for them? :( I would fix them if I could code.
Re: (Score:2)
How come no one took over these very old issues to fix? Did no one care for them? :( I would fix them if I could code.
If it was proprietary software it would have been EOLed by now. Open source... just keeps getting better. You can't unopen it.
Re: (Score:3)
I know, but it is frustrating that no one would fix these bad bugs. :(
Re: (Score:2)
it is frustrating that no one would fix these bad bugs.
I guess the bug was not very bad, which you can confirm by RTFA. More to the point: if a bug goes ten years in open source, that's a news item. In proprietary software it's par for the course.
That long to fix? (Score:2, Funny)
Re: (Score:2)
That's not fair. KDE eventually fixed the bug.
Certainly not the worst example (Score:1)
Take a look at this one: http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/128587 [freebsd.org]
One byte, two years.
By the way, how can one say FreeBSD is a state-of-the-art system, they used *this* installer for twenty years.
- Hey, we've got a new mirror, let's recompile!
5 more years (Score:3)
This makes me hope that 2017 will be the ETA for the fix of this one [mozilla.org] :-)
Obligatory disclaimer: no, I can't learn a new (for me) language and a new toolchain to fix it. I'll live with the bug as I did for three years.
Not newsworthy (Score:2)
Anyone who has worked on large projects knows that a lot of bugs keep getting punted year after year because they aren't serious, affect very few users etc.
Yeah, but how long (Score:2)
has the "ksirtet is no longer in kdegames bug" been ongoing?
I can beat that... (Score:2)
I reported a bug, which was accepted, in NeXTStep 0.8 or so. Last I checked, it's still in OS X. (LoginWindow won't let you enter control characters as part of a password.)
Re: (Score:1)
I hadn't noticed, actually. Of course, the world-famous Anonymous Coward has been here much longer than I have. With a UID of zero, I guess you would know!
Re: (Score:2)
The quality of Slashdot comments has really gone downhill.
Really? I liked that one. Droll wit indeed. Deserves upmodding.
Re: (Score:2)
That's a necessity to prevent hacking of the Internet from our OS, for which we remain criminally liable.
We just need to ensure that the decryption keys are only ever issued on a robust one-time-use policy over the network, after the user has paid their pay-per-view fees for that viewing of the content. As our corporate customers have been demanding for years. We've got to get rid of the current thing of storing the keys on the media itsel
Re: (Score:2)