List: kde-mac
Subject: Re: [KDE/Mac] Review Request 120431: Fix and future-proof Dr Konqi security methods on Bugzilla
From: "Ben Cooksley" <bcooksley () kde ! org>
Date: 2014-10-07 23:53:38
Message-ID: 20141007235338.10360.20851 () probe ! kde ! org
> On Oct. 7, 2014, 1:13 p.m., Thomas Lübking wrote:
> > My 2 ¢
> > Bugzilla will require an update anyway and that means at some point it'll be
> > (then "silently") broken in KDE SC4 again and somebody has to step up and fix it
> > with another patch. In the meantime we've diverging codebases for KDE 4 & 5 -
> > meh.
> > I agree with Albert that this patch looks a bit scaringly complex (at least
> > compared to Frédéric's patch), but believe that the complexity can be vastly
> > reduced and like a forward compatible and 4+5 common patch better.
>
> Albert Astals Cid wrote:
> You have a point here, if it's possible that Frédéric's patch gets broken in the
> timeframe we still have users around using kde-runtime4 then that would be a good
> reason to use this patch. I'd appreciate an assessment on how much more future-proof
> this patch is versus Frédéric's one.
>
> Thomas Lübking wrote:
> Afaiu it will "break" when the bugzilla server upgrades to 5.0 (the token security
> model will be dropped) but I could not find a schedule for future bugzilla releases
> (nor know about bugs.kde.org update policy)
> -> Ben?
>
> If "users around using kde-runtime4" is the critical condition, this seems a likely
> threat, though (given eg. RHEL lifetimes - RHEL7 extended support ends 2027 ;-)
bugs.kde.org is updated when it becomes necessary (security issues) or when someone
gets around to deploying the latest release. There isn't really a schedule as such.
Based on the above comment, I'd suggest making Dr Konqi as capable as possible -
although do remember that we probably don't want to receive bug reports from
extremely old versions of our software, even if RHEL is supporting it.
- Ben
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/120431/#review68051
-----------------------------------------------------------
On Oct. 7, 2014, 7:42 a.m., Ian Wadham wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/120431/
> -----------------------------------------------------------
>
> (Updated Oct. 7, 2014, 7:42 a.m.)
>
>
> Review request for KDE Software on Mac OS X, KDE Runtime, Ben Cooksley, Darío
> Andrés Rodríguez, George Kiagiadakis, Jekyll Wu, and Matthias Fuchs.
>
> Bugs: 337742
> http://bugs.kde.org/show_bug.cgi?id=337742
>
>
> Repository: kde-runtime
>
>
> Description
> -------
>
> When bugs.kde.org changed over to Bugzilla 4.4.5 in July 2014, the security method
> used by Bugzilla changed from cookies to tokens that had to be supplied as
> parameters with every secure remote-procedure call. Further changes to security
> methods have been announced by Bugzilla and are documented for unstable 4.5.x
> versions of Bugzilla software. Tokens will be deprecated and then discontinued.
> When this happens, Dr Konqi will need to supply a user-login name and a password
> with every secure remote-procedure call. Furthermore, the traditional "User.login"
> call presently used by Dr Konqi will be deprecated and discontinued.
>
> This patch fixes the tokens problem, which has given rise to several bug reports
> (https://bugs.kde.org/show_bug.cgi?id=337742 and duplicates). It also provides for
> automatic switching to passwords-only security as and when the Bugzilla version
> changes again. This uses a general data-driven approach which can be easily
> updated, ahead of time, next time Bugzilla announces a change that affects Dr
> Konqi, whether it be in security methods or some other feature.
>
> NOTES:
>
> 1. This patch is intended to be forward-portable to Frameworks/KF5, but I work on
>    Apple OS X, where it is not yet possible to run Frameworks/KF5 and do the porting
>    and testing. So could someone else please do it?
> 2. Another Review Request, https://git.reviewboard.kde.org/r/120376/, addresses the
>    tokens issue only, but it should be reviewed and shipped as a matter of urgency,
>    both in KDE 4 and Frameworks, the next bug-fixing release for KDE 4.14 being due
>    for tagging on Thursday, 9 October. That will leave more time for this review
>    (120431) of my more long-term and more general patch.
> 3. The passwords-only part of my patch is currently storing the password in clear.
>    Suggestions re encryption are welcomed --- or the code could be changed to make
>    use of KWalletD mandatory (but that might not be fully portable to all platforms).
> 4. When the Bugzilla call "User.login" is discontinued, some re-sequencing of the
>    flow of KAssistantDialog pages will be needed. I have not attempted to do that at
>    this stage. Probably the entry of the user name and password should be delayed
>    until the report has been accepted by the Dr Konqi logic and it is just about to
>    be sent to bugs.kde.org or attached to an existing bug report.
>
> REFERENCES:
>
> http://www.bugzilla.org/docs/
> http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/WebService.html#LOGGING_IN
>   Bugzilla 4.5.x (future) API doco re security
> http://www.bugzilla.org/docs/4.4/en/html/api/Bugzilla/WebService.html#LOGGING_IN
>   Bugzilla 4.4.5 (current) API doco re security
> http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/WebService/User.html#login
>   User.login will be DEPRECATED in 4.5.x
>
> Diffs
> -----
>
> drkonqi/bugzillalib.h 570169b
> drkonqi/bugzillalib.cpp f74753c
> drkonqi/reportassistantpages_bugzilla.h b7af5b8
> drkonqi/reportassistantpages_bugzilla.cpp 22183f0
>
> Diff: https://git.reviewboard.kde.org/r/120431/diff/
>
>
> Testing
> -------
>
> Used the bugstest.kde.org database and KDE 4 master on KDE/kde-runtime repository.
>
> Tested a range of version numbers (see commented-out test data) against a range of
> 5 or 6 hypothetical and real Bugzilla versions at which things could or will
> change. This was to test the basic version-checking and feature-choosing algorithm.
>
> Tested submitting both full reports and attached reports, using both the token
> method and the passwords-only method.
>
> Also tested with KWalletD supplying the username and password on Dr Konqi's login
> dialog.
>
> Thanks,
>
> Ian Wadham
>
>
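The description above outlines a version-driven choice between Bugzilla's cookie, token and password login methods, with a "feature-choosing algorithm" tested against hypothetical and real versions. The C++ below is an added example, not code from Ian's patch or from kde-runtime: `parseVersion`, `compareVersions`, `chooseAuthMethod` and the `kAuthRules` table are invented here, and the 4.4.5 and 5.0 thresholds are taken from this thread rather than from Bugzilla's release notes.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Version components as integers so that "4.10" sorts after "4.4"; a plain
// string comparison would order them the other way round.
using BzVersion = std::vector<int>;

// Parses strings of the form "4.4.5"; anything after the last digit or dot
// (e.g. a non-numeric suffix on a development snapshot) is ignored.
BzVersion parseVersion(const std::string& text) {
    BzVersion v;
    std::string num;
    for (char c : text) {
        if (c >= '0' && c <= '9') { num += c; continue; }
        if (c != '.') break;
        v.push_back(num.empty() ? 0 : std::stoi(num));
        num.clear();
    }
    if (!num.empty()) v.push_back(std::stoi(num));
    return v;
}

// Component-wise compare; missing trailing components count as 0, so
// "4.4" equals "4.4.0". Returns <0, 0 or >0 like strcmp.
int compareVersions(const BzVersion& a, const BzVersion& b) {
    const std::size_t n = std::max(a.size(), b.size());
    for (std::size_t i = 0; i < n; ++i) {
        const int x = i < a.size() ? a[i] : 0;
        const int y = i < b.size() ? b[i] : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

enum class AuthMethod { Cookies, Tokens, Passwords };
// Data-driven rule table (hypothetical thresholds): the lowest server version
// at which each login method applies, in ascending order. When Bugzilla
// announces the next change, adding a row is all that is needed.
struct AuthRule { const char* minVersion; AuthMethod method; };
static const AuthRule kAuthRules[] = {
    {"0",     AuthMethod::Cookies},
    {"4.4.5", AuthMethod::Tokens},     // bugs.kde.org changeover, July 2014
    {"5.0",   AuthMethod::Passwords},  // tokens expected to be dropped
};

// Picks the last rule whose minimum version the server meets or exceeds.
AuthMethod chooseAuthMethod(const std::string& serverVersion) {
    const BzVersion v = parseVersion(serverVersion);
    AuthMethod chosen = kAuthRules[0].method;
    for (const AuthRule& r : kAuthRules)
        if (compareVersions(v, parseVersion(r.minVersion)) >= 0) chosen = r.method;
    return chosen;
}
```

Whatever the table selects, the passwords-only method still needs somewhere to keep the credential; the clear-text storage raised in note 3 is a separate problem this selection logic does not address.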
_______________________________________________
kde-mac@kde.org
List Information: https://mail.kde.org/mailman/listinfo/kde-mac
KDE/Mac Information: http://community.kde.org/Mac