Kevin Krammer posted on Sun, 15 Jan 2012 18:08:31 +0100 as excerpted:
On Sunday, 2012-01-15, Dan Armbrust wrote:
Hmm. Most software with autocompletion support does that. E.g. browsers, email programs.
They also ask your permission first.
Interesting. Neither Konqueror, Firefox, KMail or Thunderbird have asked
me whether I wanted to store form data.
Can you attach a screenshot of an application asking that?
I don't know about asking, but it's a preferences setting. There's also
the private browsing, or whatever the app decides to call it, mode,
where everything (cookies, form completion, browsing history, etc) is
forgotten, tho that normally has to be specifically toggled on.
While I consider this a good thing and would appreciate the option in
okular as well, it's not something that fits well with the previously
chosen example of a public kiosk, library computer, or other shared
computer (my folks worked at a mission in El Salvador for a while;
everybody shared the same computer and could read email, etc, unless it
was web-based, but of course then if the browser is set to save cookies
and remember form-fills...), since in most cases it doesn't
prompt every time, a user accustomed to using a private computer and not
worrying about it isn't likely to realize the danger and verify settings
on a public computer, either.
I wonder how many Facebook/MySpace/Twitter/etc users have had their
accounts hacked simply thru use of a friend's computer or one at the
library, and being careless about the "remember me" settings, etc, that
most sites have (that usually control the site's cookie settings) on
their logins? Not to mention banks... Sure, a responsible kiosk
operator will have set up responsible settings, but then again, it could
be argued that a responsible kiosk operator would wipe or entirely reimage
between users, as well. There's a lot of users caught out that way, I'm
sure.
So yes, I agree an option would be nice, and having a clear-data function
would be EXCELLENT, but I don't believe the kiosk example was
particularly apropos, given the commonly accepted behavior of most
browsers, etc, extended to the same kiosk example.
And they have an off switch.
And, they definitely don't autocomplete fields which are known to
contain private info - aka - passwords. Unless you go through another
dialog telling it to remember the password. And they give you a menu
option to clear it. And, most browsers now have a "don't remember
anything" mode.
Okular has none of those.
Right, hence the recommendation to lobby for an implementation doing
that.
Actually, I wonder if this idea could get a bit more traction in view of
the new ksecrets thing? That'd play off the whole fascination with the
new and shiny technology thing, instead of being seen as the drudge-work
that hooking up to kwallet or just implementing an ordinary don't-save
option and clear-saved button would be.
That's where I'd try to take it at this point, since ksecrets IS new and
shiny and fascinating! =:^)
However, I don't see any facts supporting the claim of virus-like
behavior.
Hiding users' data without permission and without the user's knowledge
certainly is virus-like behavior.
No, virus behavior is attaching itself with the purpose of distribution
and spreading.
I don't think Okular is doing either.
It seems he's using "virus" not in the technically narrow virus sense,
but in the broader malware sense, inclusive of trojans, etc. While
okular really can't be considered a virus in the technically narrow sense
(as you pointed out), certainly, the argument here is that it's behaving
like a trojan, so if one accepts an extremely fuzzy definition of "virus"
that really means something more like malware in general. While I would
have certainly chosen "malware" or "trojan" instead of "virus", here,
with a suitably fuzzy definition, I do see his point.
That said, while I see his position and certainly agree that a "don't save
data" option and "clear saved data" button would be useful, I certainly
don't consider it a problem on the order of, say, konqueror not having
proper security certificate management for two years after kde was
declared ready for ordinary users with 4.2... (finally fixed in 4.6, IIRC)
in an era with both internet banking and the compromise of entire
certificate authorities! That was a FAR more serious breach of the
public trust, IMO, while this one's an "it would be nice" thing, a rather
vast difference in priority. As I've stated before, the "it's only a
toy, use a real browser if it matters" attitude toward konqueror is one
of the big reasons I switched to firefox.
I would recommend lobbying for secure storage of form completion data
like other form completing programs do.
I doubt it would help.
I wouldn't be so sure.
Same here, particularly with the new ksecrets angle to explore. If I
were an okular dev I think I might jump on this one just