Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Bug KDE Open Source News

Decade Old KDE Bug Fixed 129

hypnosec writes "How long does a bug take to get resolved? A week? A month? A year? Well, a bug prevalent in the KDE libraries since 2002 has finally been resolved after a decade it has been revealed. The bug was present in the "Reject Cross-Domain Cookies" feature of KDE Libraries. Thiago Macieira noted in the KDE Libraries Revision 974b14b8 that he observed that his web cookies were being forgotten following a kded restart."
This discussion has been archived. No new comments can be posted.

Decade Old KDE Bug Fixed

Comments Filter:
  • by eksith ( 2776419 ) on Sunday January 20, 2013 @12:51PM (#42640297) Homepage

    Maybe a little of both. Clearly, they had other priorities and this just fell through the cracks.

    "turns out that mCrossDomain was of value 127": For some reason reminds me of the time Linus blew up at Mauro a little while ago also for returning a value that makes no sense (made worse by dancing around the issue).

    • by dubbreak ( 623656 ) on Sunday January 20, 2013 @01:21PM (#42640493)
      After RTFA (I know, broke the rules), it appears it wasn't a documented or tracked bug. It was noticed and fixed more than a decade after it was created. Pretty much non-news. If no one ever noticed or cared that their cookies were getting lost on a kde restart then how can you expect it to get fixed? If no one calls it a bug, is it actually a bug?

      I've had a similar experience. I was working with a system and found a bug that had been around since the initial system (>3 years), and jumping into the old source control (I had to crack open visual source safe since that's what they were using originally..blech ..moved to hg after I started and bitched that even cvs would be better). Basics of it were: request sent, response received but ignored/not read, retry sent, original message response used. It kicked into a retry sequence even try despite having a response. Eventually this caused issues communicating to a certain device. Put the sniffer on and voila, see double requests despite getting an immediate response. No one ever noticed because it didn't cause issues with any other devices. Yes, extra traffic on the bus, but there was plenty of bandwidth and most of the devices handled it fine. It should have been caught in original testing. When writing your own protocol to talk over serial you'd assume they'd do a little more testing than a sniff test ("oh.. looks like it's working. Good enough for production! Let's ship it!"). I spent most of my time fixing bugs and most were that old but that's the only one I can remember that you would think would have been noticed earlier.
      • by wmac1 ( 2478314 )

        No one noticed their cookies are removed without any reason? "IF" no one really noticed that, then I would ask myself what kind of people have been using it.

        Or perhaps there were more important bugs and problems and people did not push on this one?

        • by Anonymous Coward

          Software is so complicated and diverse these days, it's hard to tell which is normal behaviour and which is not.

          Honestly though, isn't forgetting cookies a GOOD thing?

        • by SomeKDEUser ( 1243392 ) on Sunday January 20, 2013 @02:08PM (#42640801)

          I tend to consider my cross-domain cookies getting lost a feature. I never noticed the bug -- and I have been using KDE since before it was introduced.

          There are legitimate uses for cookies, for sure, but the vast majority of them seem to serve no other purpose than tracking me. Which is occasionally fine in the case of wikipedia or slashdot keeping me logged in, but in the vast majority of cases _not_ OK.

        • Reboots aren't as necessary in Linux.

          And I'm assuming that this only affects KDE cookies, so you'd only see this if you used Konqueror as your browser. I imagine most KDE users are using Firefox, Chome or another browser like that.

          • Does anyone actually use konqueror? I can't imagine why, it's horrible. That said, I have no beef about the rest of KDE, though I really did hate it for many years when it was kluttered and kfucking kfugly, but now it is as elegant, feature-rich and usable as I could wish for...

            ...Unlike Gnome, of which I really was a big supporter since ~1997 but which since version 3.0 is (for good reason) about as popular as a dose of the clap.
          • Reboots aren't as necessary in Linux.

            Sure, if you want to run the same kernel for the rest of your life, that's true.

          • I had to reboot lately, because Firefox was a zombie process and still taking 1.5G of memory. Its parent was init. For the first time, I did a kill -1 -9 to see what happens (kills everything but init) this gives you a black screen and losing all input to do anything with the computer. I should haved killed init to see what happens lol.

            Doing something without reboot is also a test on your admin skills (I'm sure a user barely able to edit /etc/fstab will just reboot instead of doing a mount -a, and so on.)

            • by fnj ( 64210 )

              I did a kill -1 -9 to see what happens (kills everything but init)

              Um, pretty sure that should be kill -9 -1

          • Reboots aren't as necessary in Linux.

            My thoughts exactly. I pretty much never rebooted my Linux desktop. Laptop.. yes because hibernate didn't work right.

            Some people also set their browser to delete cookies every time they close the browser (I usually set one to do this so I have something clean for testing).

        • by lbbros ( 900904 )
          The issue only occurred if the KDE daemon (kded) was restarted. With normal usage, this never happens (only if you are testing things, or a crash).
      • by williamyf ( 227051 ) on Sunday January 20, 2013 @02:15PM (#42640849)

        After RTFA (I know, broke the rules), it appears it wasn't a documented or tracked bug. It was noticed and fixed more than a decade after it was created. Pretty much non-news. If no one ever noticed or cared that their cookies were getting lost on a kde restart then how can you expect it to get fixed? If no one calls it a bug, is it actually a bug?

        "With enough eyeballs all bugs are shallow" Right?
        Well, the theory of the many eyes say that someone somewhere should have noticed/reported/tracked this bug sooner rather than later.
        this comes to prove that many eyes are NOT enough. First you need more than merely many eyes, you need many QUALIFIED eyes.
        Second, you need to complement your (many) eyes with systematic test cases to so some QA, trying ad a modicum of rigor, instead of, you know, letting the QA become an ad-hoc subjective process...

        • Well, relevance will probably have something to do with how many eyes etc.

          Security and stability bugs have many eyes looking.

    • by Anonymous Coward

      Can't decide if it's embarrassing or impressive

      There's a Slashdot rule about that: if we're talking about open-source, it's impressive, if not, it's embarrassing.

    • Pretty near all large software has bugs in it. It's not surprising that a large codebase a decade old will have bugs a decade old. This particular bug doesn't seem to be in a code path that is executed very often, and that is where bugs hide. That's why you should make your infrequently executed code as simple as possible.
    • by suy ( 1908306 )

      Can't decide if it's embarrassing or impressive. Maybe a little of both.

      Or none of the above. ;-)

      Reading the reply from adawit [kde.org], seems more like in some rare situations that involve restarting the "cookiejar" (the service that stores the cookies), there is possibly undefined behaviour (depending on what the compiler does).

      I think is an interesting bug fix, and maybe even a nice blog post from the developer, but I don't think is worth the Slashdot frontpage, even less with that headline.

    • Re: (Score:1, Troll)

      Comment removed based on user account deletion
      • by vurian ( 645456 )
        Ah, right. So the fact that this bug was caught means that the idea that opening the source for lots of people to check out means bugs get caught is false? In other words, the fact that this bug was caught means the idea that bugs get caught is wrong?
        • Comment removed based on user account deletion
          • Actually in reality many people carry out all your points. For example where I work we routinely perform source code scrrening of all the software that we use for mission critical stuff. And I do not believe that we are alone in doing that.

            Further the very fact that the FOSS projects have their sources available means that all companies that develop source code validations services (like Coverty) screens lots of FOSS sources for free during their development of their products since that is the only massive

      • 'Many eyes' is a statistically valid principle, just over-trusted. You're right that it's not a guarantee that bugs will be found, understood, and fixed more quickly as staff are added, but as long as developers (and testers) aren't slacking off due to herd mentality effects, the rate of finding bugs cannot be any worse than it is with fewer people. It's a submodular function.

        ...also, if you have an infinite number of programmers reviewing the code at the same time, however, it is certain that all bugs will

      • The source code advantage as far as bugs go is that if someone finds it, and has the skill or the money to hire that skill, one can discover where that bug is and fix it. You are right - it is more of a theoretical possibility than an actual probability, but still, even for this, having the source code for all the software one has is better than not having it. That way, if one finds the bug and has the skills to know where to look and what to do, one can debug the stuff. Not possible w/ closed source, wh

    • "turns out that mCrossDomain was of value 127": For some reason reminds me of the time Linus blew up at Mauro a little while ago also for returning a value that makes no sense (made worse by dancing around the issue).

      So what should the value have been?

  • There are bugs much older than this in the wild. Publishing this arcane factoid will just make the KDE devs feel inadequate when our bro Thiago Macieira could have earned a PhD in CS and submitted a patch herself. Can you mod an entire story -1 TROLL?
    • by Anonymous Coward

      yeah because users should have to get a phd in cs and fix the bugs themselves! open source fukken r00lz dude!!!1

      open source means never having to take responsibility for releasing a shitty product...

      • by Tailhook ( 98486 )

        open source means never having to take responsibility for releasing a shitty product

        I guess I have to agree with you. At least this place seems to be inhabited with people that believe open source is an excuse to neglect work. I pointed out [slashdot.org] a 12 year old bug fixed in the latest Mozilla release and get modded Offtopic. Mozilla developers aren't working for kudos... but damn you if you offer the slightest criticism.

        • It's not just open source: the truth is, windows doesn't have a bug tracker, so you can't see really old bugs.
          Windows 7 won't allow users to open/delete/move/do-anything-else on files with some particular characters in their filename. This bug has existed since DOS, so it's actually around two decades old.

    • by DRJlaw ( 946416 )

      Publishing this arcane factoid will just make the KDE devs feel inadequate when our bro Thiago Macieira could have earned a PhD in CS and submitted a patch herself. Can you mod an entire story -1 TROLL?

      Embarrassing != Troll.

      There are bugs much older than this in the wild.

      And those projects, whether run as open source or owned by Microsoft or owned by some other closed source shop, should be embarrassed as well. If the bugs are that longstanding, public shaming is probably the only motivation left to drive

      • by amiga3D ( 567632 )

        Really? I mean I guess I'm glad it's fixed but of all the problems this has to be among the most minor. Amnesia over web cookies is right up there with "there is a speck of dust on my shoe lace." Hell it could even be considered a feature.

  • by Anonymous Coward

    How long does a bug take to get resolved? A week? A month? A year?

    You said "decade old" in the title, dumbass!

  • KDE (Score:5, Informative)

    by jones_supa ( 887896 ) on Sunday January 20, 2013 @01:17PM (#42640469)
    Heh, gratz for fixing that one. KDE is the best UNIX DE. Reasonably fast, relatively robust, smooth to use, and very configurable. Lots of nice apps and widgets to play with, too.
    • Do I need a SSD to run it? I run my OS on an old IDE drive (data, not /home on a 160GB one) and have a stack of those if I want to try something different.
      If I want to try it, and PC-BSD 9.1 or Linux Mint 14 KDE should be awesome OSes, I'd like to have the databases enabled (interfaced with whatever IM/mail/contacts/"PDA" stuff) as it's like the main feature of KDE along with kio slaves. But if I invest time into using it (after learning how to disable the animations crap and the tabbed start menu), and it

      • I have tested this. KDE is very responsive with a mechanical hard drive too. It seems to preload a lot of stuff into RAM.
  • by Anonymous Coward

    Restarting KDE every ten years sounds about right.

  • by Anonymous Coward

    https://bugzilla.gnome.org/show_bug.cgi?id=121113

  • by lbbros ( 900904 ) on Sunday January 20, 2013 @01:26PM (#42640519) Homepage
    If you read another developer's response to this commit [kde.org] you will see that the actual feature (reject cross domain cookies) was not affected by this blunder: instead the issue was completely different and only occurred when the KDE daemon was restarted.
  • by hessian ( 467078 ) on Sunday January 20, 2013 @01:32PM (#42640555) Homepage Journal

    People work on problems that are (a) fun to solve and (b) will bring them acclaim.

    Tiny, ugly, boring bugs don't do that and so in many software projects they get overlooked the longest.

  • Déjà vu... (Score:3, Informative)

    by Kelerei ( 2619511 ) on Sunday January 20, 2013 @01:55PM (#42640707)
    ...Slashdot reported on a 25 year old BSD bug being resolved [slashdot.org] back in May 2008.

    And these are just the ones we know about -- there may be yet older bugs (particularly in proprietary, closed-source systems, where the source cannot be reviewed by the general community).
  • by Anonymous Coward

    Don't start asking about the number of decade-plus bugs that exist in Thunderbird. More than I could count on my entire family, or probably even entire workplace teams fingers and toes.

  • by Bananenrepublik ( 49759 ) on Sunday January 20, 2013 @01:58PM (#42640735)

    Sorry to spoil the fun, but the developer who found the bug fixed it "after a few months" according to the check-in comment. The code may have been buggy for a decade, but that doesn't mean that anybody was affected during that time. Once someone was affected (the developer), it was fixed in a much shorter timescale than this article makes you believe.

  • by raymorris ( 2726007 ) on Sunday January 20, 2013 @02:21PM (#42640881) Journal
    Perhaps that means there is still hope that the IE Accept bug, documented sixteen years ago, will eventually get fixed. Microsoft did release a partial workaround after fourteen years.
  • by rudy_wayne ( 414635 ) on Sunday January 20, 2013 @03:05PM (#42641167)

    Just this month, they have fixed bugs that were originally reported in 2000 and 2001.

  • This is not a bug to me
  • How come no took over these very old issues to fix? Did no one care for them? :( I would fix them if I could code.

    • How come no took over these very old issues to fix? Did no one care for them? :( I would fix them if I could code.

      If it was proprietary software it would have been EOLed by now. Open source... just keeps getting better. You can't unopen it.

      • by antdude ( 79039 )

        I know, but it is frustrating that no one would fix these bad bugs. :(

        • it is frustrating that no one would fix these bad bugs.

          I guess the bug was not very bad, which you can confirm by RTFA. More to the point: if a bug goes ten years in open source, that's a news item. In proprietary software it's par for the course.

  • I didn't know the Oracle Java development team also worked on KDE.
  • Take a look at this one: http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/128587 [freebsd.org]

    One byte, two years.

    By the way, how can one say FreeBSD a state-of-the-art system, they used *this* installer for twenty years.
    - Hey, we've got a new mirror, let's recompile!

  • by pmontra ( 738736 ) on Sunday January 20, 2013 @05:31PM (#42642193) Homepage

    This makes me hope that 2017 will be the ETA for the fix of this one [mozilla.org] :-)

    Obligatory disclaimer: no, I can't learn a new (for me) language and a new toolchain to fix it. I'll live with the bug as I did for three years.

  • Anyone who has worked on large projects knows that a lot of bugs keep getting punted year after year because they aren't serious, affect very few users etc.

  • has the "ksirtet is no longer in kdegames bug" been ongoing?

  • I reported a bug, which was accepted, in NeXTStep 0.8 or so. Last I checked, it's still in OS X. (LoginWindow won't let you enter control characters as part of a password.)

If you have a procedure with 10 parameters, you probably missed some.

Working...