java not working
Xen
list at xenhideout.nl
Fri Mar 17 13:50:05 UTC 2017
Ralf Mardorf wrote on 17-03-2017 13:43:
> That is what my Arch Linux looks like right now [1].
I cannot interpret that.
> For example, you still could compile Claws-Mail with the fancy plugin
> [2], but since webkit is critical and nobody will fix it, Arch, a
> rolling release distro, already dropped it. You should expect that
> Ubuntu will do the same.
You cannot seriously argue that, if this is some important email client,
that the security issues surrounding the viewing of HTML emails dwarfs
the usability concerns with regards to _being able to read them_ in the
first place.
In other words, you might as well argue that browsers should drop HTML
because it is too vulnerable. There is a point where functionality is
important enough to warrant the work. And of course the work has to be
done by someone, that is not the point. All of the things you *DO* agree
with also have to be done by someone. That is no different here.
Webkit, I do not know how webkit is being developed. Obviously both
Opera and Chrome and also Safari make use of it. I would suspect there
would be enough developer potential there. No, I do not want to argue my
point here completely, I just wanted to give my opinion.
But I just feel these decisions are not made for technical reasons, but
rather moral reasons, in the sense of _deciding for other people_, not
for the developers themselves or their time. I could even say that many
of the failures in the modern world result from people _deciding for
other people_ but let's not get into that.
And I also do not want to make a topic out of this, but the recent
announcement that PowerPC architecture would be dropped was met some
time ago by a message on ubuntu-discuss by basically the most important
PowerPC maintainer _who was not consulted_ for this decision at all.
His name was Ben Collins and the message was on 22 December of 2016.
He wrote:
"I’m completely surprised that the TB did not reach out to an Ubuntu Core
Dev who is also the owner of the Ubuntu PowerPC architecture team, (...)
before making this decision. (...) I’m a bit disappointed by this decision,
especially when you did not, in any way, reach out to one of the most
prominent participants in the Ubuntu PowerPC community. (...)".
So no, I absolutely do not believe such decisions or decisions like them
are based purely on technical grounds as you say. I do not wish to
instigate trouble here, but it is just an example, nothing more, of how
decisions that can appear to be based on technical difficulties or human
resources problems are, in fact, often just political of whatever kind.
In the case of security, this political motivation is telling other
people how to behave and how to live.
Thank you.
> If you never were affected, then because upstream developers as
> well as security teams [3], take care for you [4] and fix issues, by
> either providing security upgrades or by dropping stuff nobody is
> willing to continue maintaining.
That's the same reason I was able to use the software in the first
place. Someone did the work. Now security is part of that, if we want no
security issues at all, we should stop making software. Making software
involves dealing with problems. You cannot argue in full that every
feature that causes trouble needs to be dropped.
> Firefox isn't webkit based, but it suffers from vulnerabilities,
> too. Somebody needs to maintain firefox to get rid of vulnerabilities.
> If some mechanisms make this maintenance more or less impossible, it's
> wise to remove those mechanisms.
Only if those vulnerabilities are actually a threat. I have used for
many years software that had these vulnerabilities and yet I was never
infected. I do not install malware at least not on purpose or while
knowing I run a risk (hence the sandboxing desire or requirement for me)
and if I do run that risk I knowingly do so, and I never encountered a
website that I know of that was able to infect or infiltrate my systems
to my conscious knowing.
Typically when Java is fired up for instance, you see a little icon
appear in the lower right corner. This tells me that the number of
websites I have encountered that surreptitiously activated Java is
simply zero. It has never happened to me.
I am saying that many security vulnerabilities result from misuse, or,
of course, extremely vulnerable software such as Microsoft products
(Office, IE, etc.) that allow for scripting, true.
A recent acquaintance here uses a website scanning engine to stay safe.
I do not know if she uses Ubuntu while doing that but to my personal
understanding, and I don't mean to insult anyone here, least of all you,
girl, I just could not infect my system if I did it on purpose.
I have just been long annoyed by the misleading language that the
browser designers use for security threats. People that do not know are
panicking from every single message the browser sends them of every
security threat, and they are 99% of the time false positives, which
leads to the well known "desensitisation". "Your connection is not
protected". I'm sorry, but a regular connection isn't either, and just
because some encryption scheme fails to verify completely, doesn't mean
that now suddenly my systems are increasingly at risk because some AD
fails to load through an encrypted channel that is also verified.
Everything uses https these days, almost everything, so even the
smallest image not loading successfully over SSL/TLS will give you a
security warning.
This is too much nervousness for my feeling, it makes people unnerved
and doesn't really inform them, so they cannot really assess the
security risks themselves without knowing more, it is bad education and
I just feel it is doing them a disservice. Botnets, sure, they are
dangerous, and keyloggers even more so. Ubuntu allows keyloggers to be
installed on a user's account and run to capture a user's keys, so there
is reason to be concerned even about non-root programs, sure. Because a
keylogger on a regular account can quickly give access to root as well.
For real, this is true, I have tested it as well with a real keylogger
in that sense, it is possible to do so quite easily and to install one
of these things without as much as a worry as to how to do it.
So sure, we need to protect software and browsers and AppArmor I believe
does a great job already.
But reducing people's options not because it should be impossible to
support them but because you feel they _shouldn't_ be supported (and
used) is a different thing to being concerned about security. It is
impeding on people's rights and if people want to be vulnerable, they
should be allowed to, I could say.
I mean to say really that e.g. Microsoft bugs you with updates so much
and they are all compulsory and it even installs 4GB upgrades without
asking you, replacing the entire core Windows system without telling you
(and moving the old stuff to C:\Windows.old, sorry to say so here).
That I think is what you don't want.
The whole premise of Linux (or Ubuntu) is that you are in control of
your own system and you should keep that high, I feel, and that is all I
can say about it.
>
> FWIW ALSA support for firefox 52.0 already is disabled by upstream and
> AFAIK it will be completely dropped soon. At the moment it's still
> possible to build 52.0 with "--enable-alsa". It's not removed for
> security reasons, just because the developers aren't willing to do the
> work and continue supporting ALSA, even without any security issues
> involved. I dislike this step, but I don't consider this as
> dictatorship.
Well that could be convenient if Alsa is not really required in any
sense, right? I can't have an opinion about it without knowing more, and
I don't really need to. Of course I guess there can be choices that
developers make on their own behalf. And that is right.
> You could fork open source software and maintain it on your own, if you
> guess it's not much work.
I just think that is insincere. In the debate about the security guy
developing extensions for the Linux kernel, it was offered that if he
didn't like the treatment he got from some of the kernel community as
regards to his extensions, he could write his own kernel from scratch
instead.
I am not concerned with developers making choices on their behalf. I am
okay with that. If you don't want to do the work, you don't want to do
the work.
But don't make these choices on my behalf please, because you feel I
shouldn't be using these options. That's all. Care about your time
please, but don't care about mine, or my risks involved, I can assess
these myself, thank you very much. And if you, as developers, that are
busy developing these things, or writing the messages for them (I'm
pointing to Chrome, for instance) would be more honest in informing
users, then other users could *also* properly assess the risks on their
own, likely, given even the most modicum amount of information and
education.
My problem is not just with developers making decisions for other people
(and not for themselves), but also for using misleading language in
frightening people more than they should.
Even my father is afraid of viruses, and he doesn't even use a computer.
> Some developers try to reach world domination, the ones who don't care
> about others, everybody actually knows two names ;), but most developers
> don't drop things because they want to dominate, they simply need to
> decide for what work they will spend their time.
I wish that was true, but the fact is that Linux is an ego-infested
culture as well, sorry to say so here, but... power over other people
feels great, doesn't it ;-).
I mean that you shouldn't discount normal human tendencies from having a
role in conduct here or everywhere, and to say that open source
developers are free from all worldly concerns is not true.
Western society and ... eastern ... society alike, pretty much plays the
game of world domination everywhere, and pushing your norms onto other
people is more often done than not.
We are not free from that, it is everywhere, that doesn't make open
source developers worse than other people, but it does make them
people... like all the rest ;-).
And we can be allowed to be people, sure, of course. But we are not gods
just because we do open source, and it is not like human fallibilities
suddenly escape us because we have a superior sentiment of what software
should be, that's all.