Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
X Bug GNOME Open Source Security Linux

Jamie Zawinski Calls Cinnamon Screensaver Lock-Bypass Bug 'Unconscionable' (jwz.org) 172

Posted by EditorDavid from the screen-saviors dept.
Legendary programmer Jamie Zawinski has worked on everything from the earliest releases of the Netscape Navigator browser to XEmacs, Mozilla, and, of course, the XScreenSaver project.

Now Slashdot reader e432776 writes: JWZ continues to track issues with screensavers on Linux (since 2004!), and discusses a new bug in cinnamon-screensaver. Long-standing topics like X11, developer interaction, and code licensing all feature. Solutions to these long-standing issues remain elusive.
Jamie titled his blog post "I told you so, 2021 edition": You will recall that in 2004 , which is now seventeen years ago, I wrote a document explaining why I made the design trade-offs that I did in XScreenSaver, and in that document I predicted this exact bug as my example of, "this is what will happen if you don't do it this way."

And they went and made that happen.

Repeatedly.

Every time this bug is re-introduced, someone pipes up and says something like, "So what, it was a bug, they've fixed it." That's really missing the point. The point is not that such a bug existed, but that such a bug was even possible. The real bug here is that the design of the system even permits this class of bug. It is unconscionable that someone designing a critical piece of security infrastructure would design the system in such a way that it does not fail safe .

Especially when I have given them nearly 30 years of prior art demonstrating how to do it right, and a two-decades-old document clearly explaining What Not To Do that coincidentally used this very bug as its illustrative strawman!

These bugs are a shameful embarrassment of design -- as opposed to merely bad code...
ZDNet reports that Linux Mint has issued a patch for Cinnamon that fixes the screensaver bug. But HotHardware notes that it was discovered when "one Dad let the kids play with the keyboard. This button-mashing actually crashed the machine's screensaver by sheer luck, allowing them onto the desktop, ultimately leading to the discovery of a high priority security vulnerability for the Linux Mint team."

But that's not the only thing bothering Jamie Zawinski: Just to add insult to injury, it has recently come to my attention that not only are Gnome-screensaver, Mint-screensaver and Cinnamon-screensaver buggy and insecure dumpster fires, but they are also in violation of my license and infringing my copyright.

XScreenSaver was released under the BSD license, one of the oldest and most permissive of the free software licenses. It turns out, the Gnome-screensaver authors copied large parts of XScreenSaver into their program, removed the BSD license and slapped a GPL license on my code instead -- and also removed my name. Rude...

Mint-screensaver and Cinnamon-screensaver, being forks and descendants of Gnome-screensaver, have inherited this license violation and continue to perpetuate it. Every Linux distro is shipping this copyright- and license-infringing code.

I eagerly await hearing how they're going to make this right.
This discussion has been archived. No new comments can be posted.

Jamie Zawinski Calls Cinnamon Screensaver Lock-Bypass Bug 'Unconscionable' More

Jamie Zawinski Calls Cinnamon Screensaver Lock-Bypass Bug 'Unconscionable'

Comments Filter:

  • Linux screensavers have always been broken (Score:5, Interesting)

    by thegarbz ( 1787294 ) on Sunday January 17, 2021 @07:43AM (#60954458)

    I've lost count the number of times I found a bug in a Linux screensaver. Also I've lost count of the number of times I've read on how the architecture of X11 makes these bugs trivial to code for and makes it hard to get screen saver blocking functionality right in any kind of a modern system (such as the kind where a user expects to be able to use the volume keys on their device without unlocking the screen).

    Only just before Christmas I found one in Ubuntu (which thankfully wasn't repeatable). I had my screen locked and Ubuntu running in a VM while I was using another program. That program required Ctrl + Alt + F# shortcuts but I also had mouse focus enabled so you can guess straight away what happened, changed the TTY in Ubuntu by accident. So there I am mashing through the F# keys trying to find where X is and ... I'm back at the X desktop, no lock screen to be found. I found it quite curious, and even more curiously while my brain was processing what just happened after about 5-6 seconds the lock screen reappeared and bye bye desktop.

    Not critical but I wouldn't leave you kinky porn open on Ubuntu if your mother is going to jump on the family PC and switch to another TTY.

    • To your homedir porn stash anyway! Ubuntu made those directories accessible to all other users by default for a very long time... https://www.omgubuntu.co.uk/20... [omgubuntu.co.uk]

    • Re:Linux screensavers have always been broken (Score:5, Informative)

      by fleeped ( 1945926 ) on Sunday January 17, 2021 @08:29AM (#60954516)

      Things like that make the average user averse to using Linux for everyday stuff. It does not inspire confidence when things like that break all the time. Yes, wow we get nice fancy procedural screensavers with mazes visualisation etc showing how smart/capable the author is (or I remember that particle system 3d gui once upon a time), and in practice, frequently we end up with bugs like this, or flickery nonsense or other undesired behaviour. About 15-20 years ago, my Linux experience was "alsa drivers broken". 3 years ago I used Linux for work again (ubuntu-xfce), and this time it was "NVIDIA drivers broken and are nightmare, and screensavers are broken". For the average user, because of the lack of polish Linux feels like somebody else's toy project. And given the flamewars about design of various components (GUIs, systemd etc), it's like kids fighting over the shared toy and what it should be like. Not that the other OSes are that great, but it's such as shame wrt adoption, as the openness/flexibility of Linux is incredible

      • >"Things like that make the average user averse to using Linux for everyday stuff. It does not inspire confidence when things like that break all the time."

        No more so than anything else. I see this type of breakage in Android and MS-Windows (and applications) regularly, too. And they have billions of dollars behind them.

        It seems organizations and developers are far more interested in constantly changing and ruining the GUI than they are fixing problems. And many, if not most of the problems are report

        • The rejection of the concept of code convergence: that a body of code can move toward perfection if it is continually improved, is one of the biggest flaws of Open Source. Everybody injects their ego into the code base, adding their warty new code simply because they can, and it draws attention to them.

          • Re:Linux screensavers have always been broken (Score:4, Informative)

            by Immerman ( 2627577 ) on Sunday January 17, 2021 @11:01AM (#60954766)

            That's hardy exclusive to Open Source.

            Of course, OSS doesn't have the profit motive excuse: people won't keep paying for new copies of the same perfect proprietary software, so commercial software companies have to keep making dramatic enough changes to justify people buying the latest version. I suppose the shift to renting mature software helps address that, but also seems to reduce the incentive to address remaining bugs.

            On the other hand, OSS is driven largely by satisfaction and ego, and you most people don't get much of either of those from digging through an old, mature codebase created by other people, looking for the one minor bug that somehow escaped 20 years of development.

            On the third hand, the very concept of perfection is a dubious theoretical construct. I've seen no evidence that such a concept is even meaningful outside of extremely tightly constrained systems. And while a single function may be so tightly constrained, a piece of software serves a real-world purpose which is far more open ended. I mean - imagine the idea that you'd want to allow some keypresses through the screen-locking system to the software its protecting. Once upon a time such a concept would be ridiculous... then some idiot added volume control keys to the keyboard, and people started expecting that they could use those to adjust the volume just as they could with the volume knob on their speakers. Change the context, and you change the shape of "perfection", and the context is always changing.

            • OSS doesn't have the profit motive excuse: people won't keep paying for new copies of the same perfect proprietary software, so commercial software companies have to keep making dramatic enough changes to justify people buying the latest version.

              Increasingly, commercial companies don't have that excuse either, but their software is still shit. A prime example is Windows 10; nobody 'buys' the latest version, it's forced on all users. Yet the UI continues to change such that users are always playing 'Where's Waldo', trying to find stuff that used to be at their fingertips.

              Developers, in both hardware and software, like to change things - it's really that simple.

          • that a body of code can move toward perfection if it is continually improved

            So much stupid in this statement. Continually making changes makes it impossible that you might be moving towards perfection.

            To do that you have to refrain from changes unless you can prove they're improvements. You can then slowly move towards perfection.

            If you're thrashing the code, no matter how much improvement somebody else, like Jamie Zawinski, adds to the code, you'll just thrash it back to crap in an instant. Like in this story.

            • Re: (Score:2)

              by dougmc ( 70836 )

              To do that you have to refrain from changes unless you can prove they're improvements. You can then slowly move towards perfection.

              Ahh yes, the opposite of the systemd philosophy ...

          • The rejection of the concept of code convergence: that a body of code can move toward perfection if it is continually improved, is one of the biggest flaws of Open Source. Everybody injects their ego into the code base, adding their warty new code simply because they can, and it draws attention to them.

            JWZ in fact calls it CADT (cascade of attention deficit teenagers).

        • Re: (Score:2, Informative)

          by TheRealMindChild ( 743925 )
          I see this type of breakage in Android and MS-Windows (and applications) regularly, too

          No you don't

          • One of the 70+ vulnerabilities in Windows this past week:

            I can email you a file, or put it on a web page you visit, and get Administrator access to your system - without the need for you to open the file. More info here:

            https://tech.slashdot.org/comm... [slashdot.org]

            This week's Linux vulnerability:

            If someone has direct physical control of your hardware while you're logged in, they can get user-level access.

            Just curious, are you literate enough in computers to understand the massive difference between me being able to re

        • And they have billions of dollars behind them.

          But no one is going to complain about billion-dollar fuck-ups - they are so much more impressive than Free ones!

          besides, have you ever tried to report a bug to MS?

      • Physical access vs email web sites (Score:4, Informative)

        by raymorris ( 2726007 ) on Sunday January 17, 2021 @11:29AM (#60954818) Journal

        On Wednesday and Thursday I did my monthly presentations on the new Windows vulnerabilities of the month. This month we had yet another version of a doozy that you might find entertaining, though terrifying.

        Windows Defender runs as system and processes files that come into the system before a user interacts with those files. For example files coming in via email. It's important to note this happens when the file is received - no need for the user to open the file. Also you know how on some sites when you click to download a file it takes you to a page that says "your file will start downloading soon", then that page automatically downloads the file? Windows Defender automatically processes the file that the web page is downloading behind the scenes. That makes for some really scary bugs, including a new one this month ....

        When Windows Defender automatically processes these files, with no user interaction, bad guys can code the file to make Windows Defender EXECUTE the files. As System.

        Which means I can completely own your Windows system, getting Administrator access, simply by emailing you a file which you never open. Alternatively, I can put the file on a web page that causes it to download (document.location = evil.exe) and Windows Defender will run the malware. As System (Administrator).

        So ...
        On Windows I can totally own your system just by emailing you a file.
        That's the bug this month, and it's a repeat of the same kind of vulnerability last month or the month before.

        This article covers a Linux bug where someone with direct physical access to your machine could get user level access if you're logged in.

        And you think the Linux one that requires physical access is the scary one?

      • Things like that make the average user averse to using Linux for everyday stuff.

        Hopefully they go the fuck away, their use of the tool ads nothing for the people smart enough to already use xscreensaver.

    • I've lost count the number of times I found a bug in a Linux screensaver. Also I've lost count of the number of times I've read on how the architecture of X11 makes these bugs trivial to code for and makes it hard to get screen saver blocking functionality right in any kind of a modern system (such as the kind where a user expects to be able to use the volume keys on their device without unlocking the screen).

      It isn't that hard. JWZ showed how to do it 30 years ago. The problem is the modern desktop devs ha

      • It isn't that hard. JWZ showed how to do it 30 years ago.

        Keep reading further in my post.. The 30 year old screensaver is okay for a workstation and it does meet all security requirements, but utterly unusable as a modern desktop or laptop where users expect a certain amount of minimum interaction and functionality without unlocking.

        I don't know if Xorg generates an event

        I'm using Wayland because Ubuntu's Xorg drivers for Virtualbox were horribly broken when I installed it, so all bets are off :-)

        • The 30 year old screensaver is okay for a workstation and it does meet all security requirements, but utterly unusable as a modern desktop or laptop where users expect a certain amount of minimum interaction and functionality without unlocking.

          Horse shit. You're saying, "the secure one is secure, users demand not to be secure!"

          I use xscreensaver on a workstation. It works perfectly, because I want security.

          And if you want to fuck with your volume, buy a cheap usb-midi knob and set it to volume. Done. Don't want to spend much money? Buy an AVR attiny-85 for $1 and program it yourself.

    • wouldn't the obvious solution be, to lock the physical box?

      I mean in case of a laptop, close the screen, have the laptop be a physically secure case with panels in front of the ports, and have a physcal lock to open it.
      Or in case of a desktop/tower PC, lock the damn room?

      Because if somebody can enter the room without you in it, and physically access the hardware, what good will a screen lock do you?
      Searching your file system for juicy data takes not much less time than adding a piece of physical hardware in

      • wouldn't the obvious solution be, to lock the physical box?

        Did you only the first sentence of my post when you came up with the solution, because you just utterly failed the requirements in the second sentence. I mean you achieved great security for people who use their computer like they did in the 90s but as usual you're solutions are impractical and don't even remotely meet use cases as you over and over again completely fail to understand the purpose and use requirements of end users in every one of your posts.

  • Yeah, I've had even xscreensaver segfault and just GO AWAY rather than, I dunno, recover and restart. Just leaves the screen completely unlocked. To the point where coworkers who share an office would IM me to ask if I left my workstation unlocked on purpose.

    • Jamie Zawinski, I feel your pain. (Score:4, Insightful)

      by Brain-Fu ( 1274756 ) on Sunday January 17, 2021 @01:01PM (#60955092) Homepage Journal

      Everybody knows that people make mistakes and bugs happen. But, the upshot of this summary is that there is a difference here, and it matters. These bugs aren't ordinary "oops, type-o, here I'll fix it" kinds of bugs. They are re-introductions of problems that were solved long, long ago, and they were re-introduced because people in a position of senior level responsibility acted lazily and thoughtlessly precisely in a domain in which it was thier responsibility to act with diligence and intelligence. They had everything they needed to fix every one of these bugs before they were written. The correct design would have made the bugs impossible, so that when less experienced developers made the kinds of human mistakes that everyone makes, this harmful side-effect still would not have happened.

      I have seen this many times in my professional career. I build something foundational to a system architecture, with design patterns put in place to prevent entire classes of bugs from being possible, and I document it all out along with clear instructions on how to extend the system and what kind of testing is necessary, then hand it off to other supposedly senior-level developers who decide they just can't be arsed into bothering with any of that. They throw the instructions straight in the trash and code lazily, and then clients suffer from problem after problem that never needed to happen.

      It gets really frustrating. This is why senior-level experienced programmers sometimes turn into tyrants, micro-managing everything and adamantly insisting that everything be done their way. Nobody likes working with people like that, but they became like that because of all the people THEY had to work with that screwed up their good designs out of pure sloth.

      • Re: (Score:2)

        by nagora ( 177841 )

        The fundamental problem of software is the ability of programmers to know what has already been solved and haven't the time to find out let alone keep up with progress. The field is huge and it is not possible to teach enough in an undergraduate course to avoid stuff like this - even if all coding was done by people with degrees, which it isn't (I don't have a degree and I've been a professional coder for 35 years).

        I don't have a solution but I'm sure this is the biggest problem our industry faces and the c

        • True. I'm working on a moderately old codebase (~10 years old) and every time I see some code that looks utterly stupid to me (and I see a lot of it), I wonder if the code is actually stupid or if there's a reason for it that I do not understand.

          And I then go check the git log to find the reason. The vast majority of the time, it's indeed stupidity, but I don't fool myself in thinking that if I don't see a reasoning, there's no reasoning.

  • Yes Linux will be 30 years old soon and still a joke on the desktop. I’ve been trying since 2001, but i’d rather put up with Windows 10’s forced reboots than some of the shenanigans with Linux. Gnome still can’t fix their file picker either and it has become an internet meme.

    • Re:30 years! (Score:5, Interesting)

      by StormReaver ( 59959 ) on Sunday January 17, 2021 @08:43AM (#60954528)

      GNOME was the reason I switched to KDE back in the 1990's. KDE went something like:

      1) KDE 1 was really cool, and a huge step up from every other Linux desktop environment. Still missing a lot compared to Windows, but it was very useable.
      2) KDE 2 made large strides forward from KDE 1. There were tons of improvements from KDE 1. There wasn't much missing from the desktop compared to Windows, and the newly added features were exciting.
      3) KDE 3 came about and made huge leaps and bounds over KDE 2. More exciting features, and it wasn't missing much that I wanted. About the only thing that really sucked that I really wanted was reliable USB support. Most everything else was heads and shoulders better than Windows (true window transparency being the most popular wish-list item, but that was an XFree86 failing).
      4) KDE 4 redesigned everything, and was KDE's true breakthrough. Plasma was a stroke of genius. Reliable external device detection became a reality (I think systemd was responsible for this).
      5) Somewhere in the KDE 4 design timeframe, though, GINORMOUS design blunders started to be introduced. Akonadi destroyed KDE PIM, and Dolphin started the inexorable demise of the KDE file manager. Konqueror, which had been the most useful file manager I had ever used, started to lose critical file management features.

      I still use Kubuntu as my desktop of choice, as it is still a very pleasant desktop despite the shortcomings in item 5. And I find Windows 10 to be an unbearably painful user experience. Windows 10 is the quentessential bad joke with a terrible punchline.

      • Re:30 years! (Score:5, Insightful)

        by benjymouse ( 756774 ) on Sunday January 17, 2021 @09:11AM (#60954572)

        And yet Windows has since the very first Windows NT done this right: The lock screen / log-in screen runs on a separate "desktop". If the process crashes you are left with an empty desktop, not back to the user desktop. The "attention key" (ctrl-alt-delete) will relaunch the sign-in process.

        Even the "elevation prompt" (introduced with Vista/Server 2003) by default uses a separate desktop to prevent "shatter attacks". Processes on the user desktop cannot send messages to, track mouse movements or otherwise control windows on the separate elevation prompt desktop, simply because they run on separate desktops.

        Designing a lock screen which only obscures the other windows will cause *any* process crash to bypass the lock screen. That's why the original design of XScreenSaver tried to *minimize* dependencies. But it is still inherently insecure. Sometimes unplugging/switching monitors can cause overflows which will crash the process when rescaling.

      • I still use Krusader even though I recently moved to Gnome from KDE.

      • On Linux, I find xfce suits me. I never got on with KDE after version 1. I found it had too much of the design-by-committee feel. That said, I've gradually warmed to Windows 10, and tend to use it as my daily desktop. (Music is a hobby, and a suitably pimped Mac Pro is out of my budget range, I've got a decent music workstation, naturally running Win10 -- Linux is a third world experience when it comes to music -- I loved how Pianoteq would run with low latency on an old laptop, embarrassing Windows at the

    • >"Gnome still canâ(TM)t fix their file picker either and it has become an internet meme."

      Gnome is not "Linux." I ditched Gnome forever ago when they decided that users were the enemy.

      • >"Gnome still canâ(TM)t fix their file picker either and it has become an internet meme."

        Gnome is not "Linux." I ditched Gnome forever ago when they decided that users were the enemy.

        I think it's even worse than this. It's the same thing exactly as Google. Their users aren't the enemy. They aren't a friend. They are something completely indifferent to them that was an intermediate goal which got them where they are and now they have cooler friends so they never expect to come back. Why repay the favours?

        When Gnome decided to completely change their interfaces and design, all they had to do was rename libraries so that people could keep using all the old stuff compatibly. Put it into mai

        • Thankfully, though, they ensured that I can target Gtk 2 and my apps will remain compatible *forever*. Of course, I have to plug in my own security, and various things, but that's fine; it is under my control. The namespace is safe to use.

      • I'd sooner go back to fvwm than accept needless change.

        Appers app, jesters laugh, neckbeards snort, but I'm still using my tools, I can still get all my work done.

    • Re: (Score:2)

      by B'Trey ( 111263 )

      Yes Linux will be 30 years old soon and still a joke on the desktop. I’ve been trying since 2001, but i’d rather put up with Windows 10’s forced reboots than some of the shenanigans with Linux. Gnome still can’t fix their file picker either and it has become an internet meme.

      Oh horse feathers. Linux is a joke only to the extent that all operating systems are a joke. The Gnome file picker is a meme? How long has the BSOD been a meme? Yes, there are things about Linux that are broken and infuriating. There are things about Windows and macOS that are broken and infuriating as well. They are different things, but there are just as many of them. If you like Windows, it's probably just because you're more familiar with it and more knowledgeable in how to work around its quirks and li

    • The real joke is that there are still.people who do not realize that The Desktop itself if a skeuomorphic joke born out of abusing the Mother Of All Demos to attract businessmen.

      It was never a good fit for computer work.
      Combine scripting (Python, bash, ...) with graphical output (data tiles), a Plan-9-like universal file system / protocol / data format, and an event manager (init+cron+dbus+shortcuts, etc), and you got a vastly superior interface.
      But frankly, a perfect computer would have no interface becaus

      • Re: (Score:2)

        by deKernel ( 65640 )

        I have heard this argument time and time again, and I just don't believe that the Desktop paradigm is bad. Let me step through just what and why the concept of a virtual Desktop makes perfect sense. I sit at a desk to do work, and what does a desk have....yup, a desktop. On my virtual desktop, I have 5 or so icons that represent the applications I use regardless of what projects I am workng on: browser, email, password manager and such. Now I keep my actual desk clean and tiddy so I only have folders that h

    • This gets at a thing that really frustrates me about computing, and the big example that sticks out for me is: There's basically nothing that I do on a computer today that I couldn't have done fine on Windows 2000. However, instead of spending the intervening years on making Windows 2000 clean and stable and secure and problem-free, they keep reskinning it and making it more complicated, more confusing, and harder to control.

      Just quit it with the marketing and UI redesigns for a couple of years. Instead,

      • ... instead of spending the intervening years on making Windows 2000 clean and stable and secure and problem-free, they keep reskinning it and making it more complicated, more confusing, and harder to control ... constantly rejiggering their UIs rather than fixing long-standing important problems

        I said it in a comment I made earlier, and it bears repeating here: "Developers, in both hardware and software, like to change things - it's really that simple." Very few people are interested in maintaining and tweaking an existing design, especially among those smart enough and creative enough to be solving software problems in the first place. That's why people change things when and where change is not needed, or is even detrimental. It's part of the same aspect of human nature that gave us tools, autom

    • Re: (Score:3)

      by nagora ( 177841 )

      Yes Linux will be 30 years old soon and still a joke on the desktop. I’ve been trying since 2001, but i’d rather put up with Windows 10’s forced reboots than some of the shenanigans with Linux.

      Well, my wife and I have used Linux on the desktop for decades now and through the whole of that time it has been better that Windows-of-the-Week.

      • My wife doesn't even know what Linux and Windows are, but she knows that at work Excel is called Excel, and on her laptop it is called LibreOffice.

    • Re: (Score:2)

      by caseih ( 160668 )

      That's funny. I abandoned Windows decades ago for the same reasons. I've used Linux on the desktop for over 20 years. I'd rather put up with its shenanigans than the stuff I've seen people put up with with Windows. Granted I've never used Gnome 3.

  • After reading his advice I'm unconvinced (Score:3)

    by BytePusher ( 209961 ) on Sunday January 17, 2021 @08:27AM (#60954508) Homepage
    After reading his advice and design recommendations, I am unconvinced that his design is correct. His concern about external libraries is totally valid, but why not launch the unlock dialogue in a separate process and have it communicate with XScreenSaver over a local socket? Additional layers of security can be added, chroot, VM, one time key(generate a key when launching the password UI, passed in by pipe, unlocking requires the password and the one time key). I'm shocked in 2021 this isn't solved. UI code, even XLib, should not be in the security loop.
    • This entire issue is obsolete along with X. New versions of Gnome no longer use gnome-screensaver, instead screen locking is implemented in GDM, the display manager responsible for starting user sessions. There is no chance to escape to user's session by crashing lock screen because everything is controlled by GDM and if GDM crashes entire session is immediately terminated.

    • Re: (Score:2, Troll)

      by Aighearach ( 97333 )

      After reading his advice and design recommendations, I am unconvinced that his design is correct. His concern about external libraries is totally valid, but why not launch the unlock dialogue in a separate process and have it communicate with XScreenSaver over a local socket? Additional layers of security can be added, chroot, VM, one time key(generate a key when launching the password UI, passed in by pipe, unlocking requires the password and the one time key).

      I'm shocked in 2021 this isn't solved. UI code, even XLib, should not be in the security loop.

      You don't imagine that all this is already discussed by him, and it is been vetted by "everybody."

      He's 100% correct about the security, this was all hashed out in detail by the community in the past.

      It is just idiot kids who presume, "what's all this stuff? Must not matter!" and want to change it. Then they wave their hands at the hard parts, and say, "looks easy to me!" They don't realize they're standing on top of the Dunning-Kruger Peak.

      Security is hard. When you get to:

      After reading his advice and design recommendations, I am unconvinced that his design is correct.

      just STFU and read another 10k wo

  • My son was playing with my keyboard and watching the windup robots and eventually crashed the screensaver to my desktop. However, I'm running pure xscreensaver on Gentoo. I briefly looked into it at the time but didn't figure anything out. Seeing this again, is there some kind of fix for this that I'm not aware of?

  • I guess this isn't the year of Linux on the Desktop...

  • Improper relicensing (Score:5, Insightful)

    by mysidia ( 191772 ) on Sunday January 17, 2021 @09:22AM (#60954604)

    authors copied large parts of XScreenSaver into their program, removed the BSD license and slapped a GPL license on my code instead

    BSD licensed code is compatible to be used in the same software as GPL-licensed code - People can license a piece of software under GPL that includes BSD licensed source code, and that's fine, BUT some developers seem to also have the completely False/Mistaken notion that something permits them to just freely change the license headers or copy+paste BSD-licensed code into a source file with GPL licensed headers without the license and copyright statements.

    Including BSD-licensed code in your GPL software can happen, but you must include the BSD license unmodified with its terms and all copyright statements - Removing or modifying the BSD license or authors text or modifying the copyright statement to GPL without including the BSD license Aren't authorised by the BSD license and would be infringement.

    • Re: (Score:2)

      by caseih ( 160668 )

      Interesting. Turns out to be a surprisingly sticky issue. Could one simply say portions of this project were licensed under the BSD, copyright the original authors and the derivative project is under the GPL? Certainly keeping the parts separated and clearly identified would be impossible. I translated a MIT-licensed program from C# to C++, and the resulting project was then released as GPLv3. Clearly that's a derivative program with large amounts of code copy and pasted, but then the syntax changed slig

      • Re: (Score:3)

        by mysidia ( 191772 )

        As I understand the various BSD licenses, they make no promise about access to the original, BSD-licensed source code

        That is true, but conditions still apply to any Source code or Binaries which are distributed. It's the first condition or restriction the license contains about redistributing code.

        Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

        So redistribution with modifications is fine, but that copyright notice cannot be

    • Re: (Score:2)

      by hrieke ( 126185 )

      This.
      Just like homework or Wikipedia, cite your sources (who, what, where, when, why), do not short hand your license (SPDX is okay, but when you say it's a BSD licensed code, which license? BSD Zero [opensource.org], BSD One [spdx.org], BSD Che Guevarra parafernalia license [github.com], BSD with patent provisions (Facebook's [github.com] or Google's [github.com])?, 2-Clause, 3-Clause, 4-Clause [spdx.org]?

  • Nobody has been using screensavers since CRT displays went the way of the dodo, why is so important that Linux distros have them?

    • The screensaver program is also the program that manages screen locking, which people do still use — for example when a computer in a shared environment is performing a long-running task, and they want to walk away from it.

    • Everybody wants to go to the festival but no one wants to pick up the trash.

      I remove xscreensaver as it does nothing useful for me but I'm the sole user of my systems.

    • Re: (Score:2)

      by dougmc ( 70836 )

      Nobody has been using screensavers since CRT displays went the way of the dodo

      This is utterly incorrect.

      1. For starters, modern display hardware can still experience burn-in [wikipedia.org].
      2. Many situations still require a lock screen, such as a corporate environment with security concerns or a home where somebody doesn't want their wife to stumble upon their massive "Rule 34" collection.
      3. And plenty of people like the pretty pictures that screensavers can display.

      • Re: (Score:2)

        by jonwil ( 467024 )

        Why would you use a screensaver rather than having power management turn off the screen completly if the goal is to prevent burn-in? (something that basically any mainstream computer monitor/lap top/all-in-one made in the last decade is going to support and that any modern OS including most Linux distros can activate)

        I bet you can even have it activate power management AND the lock at the same time...

        • Re: (Score:3)

          by spitzak ( 4019 )

          It does exactly what you are asking for. The program is called a "screensaver" for historical reasons. Nowadays it's primary purpose is to *lock* the screen. It also can display some animation and eventually trigger the screen power-off.

  • Funny where I work we just have computers that aren't on the network and we use big fing locks on the building doors.

    Machines are left unlocked and if the password is required we all use the generic one that everybody knows.

    You know similar to how Dennis Ritchie, Stallman, and others from back in the day did it. They knew security was a joke so they didn't try.

    Share instead.

  • Then he could sue anyone who coded it.

  • Installed Mint 20 XFCE on a re-used machine last month. Screensaver does not play nice with display timeout. Removed screensaver. Problem solved.

  • Even though the code is there, people don't audit it enough and it's that much harder for a small non-profit to audit complex projects that change a lot. They can't afford the some level of quality control even though they may gain for other aspects of being less bloated/commercialized. You basically need a seperate code audit team/service checking everybody's work. It's even more important at this stage of computing when demand for new features has gone down vs stability,usability and security. Refining th

    • How do you audit for code theft, like the specific example of taking BSD code from somewhere and snorfelling it in while removing the license and credit?

      Most teams rely on honesty as some point.

      • Most teams rely on honesty as some point.

        If you reply on honesty, you should take it seriously when someone isnt being honest.

        The "programmer" should be banned from all GPL projects for lying about code he put under the GPL, a lie that violated the one thing you say is relied upon, and is clearly an offense so unacceptable that the offender cannot be allowed to do it again, yes?

        Consider the following. You contribute to open source project GPL X. In the course of your contributing, another contributor turned you into a copyright violator, maki

  • and i say that as as a software programmer

    we have no code of conduct. We have no way to learn from past mistakes. Yeah right, TDD and all that jazz. Until we're as strict about that as surgeons are, we're just toying around.

    We write the code that runs the goddamn world... yet we code like absolute incompetents.

    "screensaver" ? What the fuck? Why does this even _exist_ ?

    I installed linux today, after 15 years, after having windows 10 trash the gpu drivers twice in one week. I chose kubuntu. I'm not gonna spen

  • Does xfce4-screensaver have the same problem?

  • Is to keep your cats from typing stuff when you're AFK. As long as the system is too difficult for a cat to hack intentionally, it's pretty secure.

  • Fuzz testing should be a mandatory part of any QA, and not doing it on security software should be regarded as criminal negligence. It's shocking how much software out there can't pass this simple test.

Slashdot Top Deals

Two can Live as Cheaply as One for Half as Long. -- Howard Kandel

Close