Ikke's Blog

Post details: New subdomain UI, me on dbus@lists.fgo, and XScreensaver security considerations

Jan 9
New subdomain UI, me on dbus@lists.fgo, and XScreensaver security considerations

I got a (IMHO) nice UI on code.eikke.com, using AutoIndex. It still needs some hacking: I want to get some mod_rewrite working, so I can use links like http://code.eikke.com/adir/foofile, which will then be interpreted as http://code.eikke.com/index.php?dir=adir&file=foofile. AutoIndex should generate similar code too then. This way, Google (which doesn't like GET arguments) will index my pages too.
Oh, and I want a GNOME iconset. I had to choose between WinXP and KDE...

Started a discussion on kobject-uevents and DBUS on the mailing list today (link). I've been thinking about it last hours, and my proposition is stupid. Kernel events shouldn't be sent out by the DBUS daemon itself. This should be done by some separate daemon.

If only I could get my session bus working :-(

Normally I should be allowed to create a Subversion repository on my domain once more. Jay :-)

After my blog post about xscreensaver and DBUS, jwz, the xscreensaver developer, posted a comment. I mailed him regarding this issue, check "More" for a digest of our discussion.

Had a performance with my orchestra today. We played the first part of the "New World Symphony" by Dvorak, and the Ouverture from "The Barber of Seville" by Rosinni. Some minor mistakes, but it was pretty good. The public was enthousiastic.
Next performance: April 23, Conservatorium Ghent, Belgium.

[More:]

A digest of my discussion on xscreensaver linked to DBUS with jwz:
Ikke:

Hi,

I read your comment on the blog entry I made on my patch against
xscreensaver to dbus-able it.
I read both URL's you pointed to, and here are some comments:

1. Using xscreensaver-command -watch is not really a good idea, because
this would require even one more daemon running :-S

2. On the extra library: I do know security is an important feature.
Sometimes usability should be taken into account too, IMHO. Adding DBUS
support to xscreensaver would fit nicely into the "integrated desktop":
it can be used for instant messengers (like Gaim), fits nicely into
Galago (galago.sf.net),...
DBUS is meant to be a robust framework, with good exception handling,
and whatsoever. And the code in my patch is, well, very low level. And
DBUS support is completely optional (./configure option). I think it's
up to the user: loosen the security a little bit, and gain a nicer
desktop experience, or disable it, and still get the "normal"
xscreensaver, as we know it now.
I dont intend this patch to be into the xscreensaver distribution at all
(yet), it's just some testing stuff, me playing around a little (hey,
what's hacking? ;-)). This patch resides completely outside of
xscreensaver, and should (for now) only be used by me and maybe some
adventurous hackers.
Using my patch, only one more lib is linked to the xscreensaver
executable: libdbus-1.so.0.0.0, which is linked to:
ldd /usr/lib/libdbus-1.so.0.0.0
linux-gate.so.1 => (0xffffe000)
libnsl.so.1 => /lib/libnsl.so.1 (0xb7f8c000)
libc.so.6 => /lib/libc.so.6 (0xb7e78000)
/lib/ld-linux.so.2 (0x80000000)
All of them reasonably secure libs, I guess? :-)

I'm not intending to break any security measures in xscreensaver or
whatsoever. Just trying to add some extras.

I'd like to report about this email message and possible replies, and
could discuss this with some DBUS guys. If you object against this,
please let me know.

By the way: thanks for xscreensaver ;-)

jwz:

> 1. Using xscreensaver-command -watch is not really a good idea, because
> this would require even one more daemon running :-S

So what?

> 2. On the extra library: I do know security is an important feature.
> Sometimes usability should be taken into account too, IMHO.

If you think usability trumps security, then you're not qualified to
hack on critical security software.

I have no objection to you finding a way to make xscreensaver interact
with DBUS, but I will never, ever accept a patch to xscreensaver that
involves linking additional libraries into the xscreensaver daemon for
this, and neither will the responsible Gnome or Linux-distro people,
because they also understand and agree with my security policy for
xscreensaver. So, by pursuing this type of implementation, you're
wasting your time, because it will never be used by anyone but you.

You'd be better off finding a *safe* way to accomplish what you want.

> Adding DBUS support to xscreensaver would fit nicely into the
> "integrated desktop":

Again, I am not arguing against your desire to have it talk to DBUS.
I am arguing against your implementation, which is unacceptably
dangerous.

Ikke:

OK, I got the picture.

Maybe stuff like this should get into Galago or some new
desktop-events-daemon anyway.

Could you tell me how xscreensaver-command interacts with the
xscreensaver daemon? A socket?... This way I could get the code poll'ing
this socket. Watching the stdout of an xscreensaver-command process
isn't really nice...

jwz:

> Could you tell me how xscreensaver-command interacts with the
> xscreensaver daemon? A socket?...

X window properties and ClientMessages.

> This way I could get the code poll'ing this socket. Watching the
> stdout of an xscreensaver-command process isn't really nice...

I think it's perfectly nice, because it means you can trivially write
your daemon in a high level language like perl or python or whatever
instead of C. Also it keeps the low level protocol details hidden.

Ikke:

<snip>
> I think it's perfectly nice, because it means you can trivially write
> your daemon in a high level language like perl or python or whatever
> instead of C. Also it keeps the low level protocol details hidden.
Nah, I dislike the tought of Python daemons, and dont know Perl. C is a
nice thing ;-)

I don't know low-level X programming, but I guess I'll be able to strip
the necessary code out of the xs-commander sources :-)

Anyway: thanks!!!

jwz:

> I don't know low-level X programming,

Then you might consider hacking on something less critical to the system
than xscreensaver :-(

Ikke:

> Then you might consider hacking on something less critical to the system
> than xscreensaver :-(
I wasn't really hacking into the low-level xscreensaver code either. As
you can see in my (deprecated? ;)) patch, I just added some simple
functionality, separated from the xscreensaver graphics/security/...
code.

That's it... for now :-)

(I definately need to find a way to blog email conversations in a better way)

Ikke • Life, Technology, Linux, DesktopPermalink 1 comment

Comments:

Comment from: satellite tv [Visitor] · http://satellite-tv.acol-online.com/satellite-tv-online.html
I understand their usefulness. Often, a formalised direcway exercise helps me to crack a block of some kind, direct tv and often affords a new way to see something. It's dishnetwork a way of playing with the process of creation - dish network if one lets it serve that purpose. Another example: directtv a lot of modern composers who use Finale or similar directtv programs to score their music, either on the directv internet fly or by means of the scrivner approach, employ satellite free the cut
PermalinkPermalink 03/06/05 @ 02:02

Leave a comment:

Your email address will not be displayed on this site.
Your URL will be displayed.

Allowed XHTML tags: <p, ul, ol, li, dl, dt, dd, address, blockquote, ins, del, span, bdo, br, em, strong, dfn, code, samp, kdb, var, cite, abbr, acronym, q, sub, sup, tt, i, b, big, small>
(Line breaks become <br />)
(Set cookies for name, email and url)
(Allow users to contact you through a message form (your email will NOT be displayed.))


Categories

Archives

Who's Online?

  • Guest Users: 410

Misc

XML Feeds

What is RSS?