> On oct. 7, 2014, 1:13 p.m., Thomas Lübking wrote:
> > My 2¢
> > Bugzilla will require an update anyway and that means at some point it'll
> > be (then "silently") broken in KDE SC4 again and somebody has to step up
> > and fix it with another patch.
> > In the meantime we've diverging codebases for KDE 4 & 5 - meh.
> >
> > I agree with Albert that this patch looks a bit scaringly complex (at least
> > compared to Frédéric's patch), but believe that the complexity can be
> > vastly reduced and like a forward compatible and 4+5 common patch better.
>
> Albert Astals Cid wrote:
>     You have a point here, if it's possible that Frédéric's patch gets broken
>     in the timeframe we still have users around using kde-runtime4 then that
>     would be a good reason to use this patch. I'd appreciate an assessment on
>     how much more future-proof this patch is versus Frédéric's one.
>
> Thomas Lübking wrote:
>     Afaiu it will "break" when the bugzilla server upgrades to 5.0 (the token
>     security model will be dropped) but I could not find a schedule for future
>     bugzilla releases (nor know about bugs.kde.org update policy)
>
>     -> Ben?
>
>     If "users around using kde-runtime4" is the critical condition, this
>     seems a likely threat, though (given eg. RHEL lifetimes - RHEL7 extended
>     support ends 2027 ;-)
>
> Ben Cooksley wrote:
>     bugs.kde.org is updated when it becomes necessary (security issues) or
>     when someone gets around to deploying the latest release.
>     There isn't really a schedule as such. Based on the above comment, I'd
>     suggest making Dr Konqi as capable as possible - although do remember that
>     we probably don't want to receive bug reports from extremely old versions
>     of our software, even if RHEL is supporting it.
>
> Ian Wadham wrote:
>     @Albert: I had to cherry-pick Revision 681446e1 from master into KDE/4.14
>     today. This was committed to master over 2 weeks ago, but I did not realise
>     then that it had to go into KDE/4.14 too.
>
>     It fixes a bug in the backtrace formatting on all platforms, makes sure
>     the Dr Konqi window is on top of the crashed app's window on all platforms
>     and has a workaround for a crash caused by KCookieJar not being found on
>     Apple OS X. The third item has to go into the repository first, because the
>     patch for this present review (which avoids using cookies) affects the same
>     area of code. Sorry for the noise.

> cherry-pick Revision 681446e1

In which repo?


- Albert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/120431/#review68051
-----------------------------------------------------------


On oct. 9, 2014, 12:06 a.m., Ian Wadham wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/120431/
> -----------------------------------------------------------
>
> (Updated oct. 9, 2014, 12:06 a.m.)
>
>
> Review request for KDE Software on Mac OS X, KDE Runtime, Ben Cooksley, Darío
> Andrés Rodríguez, George Kiagiadakis, Jekyll Wu, and Matthias Fuchs.
>
>
> Bugs: 337742
>     http://bugs.kde.org/show_bug.cgi?id=337742
>
>
> Repository: kde-runtime
>
>
> Description
> -------
>
> When bugs.kde.org changed over to Bugzilla 4.4.5 in July 2014, the security
> method used by Bugzilla changed from cookies to tokens that had to be
> supplied as parameters with every secure remote-procedure call. Further
> changes to security methods have been announced by Bugzilla and are
> documented for unstable 4.5.x versions of Bugzilla software. Tokens will be
> deprecated and then discontinued. When this happens, Dr Konqi will need to
> supply a user-login name and a password with every secure remote-procedure
> call. Furthermore, the traditional "User.login" call presently used by Dr
> Konqi will be deprecated and discontinued.
>
> This patch fixes the tokens problem, which has given rise to several bug
> reports https://bugs.kde.org/show_bug.cgi?id=337742 and duplicates. It also
> provides for automatic switching to passwords-only security as and when the
> Bugzilla version changes again. This uses a general data-driven approach
> which can be easily updated, ahead of time, next time Bugzilla announces a
> change that affects Dr Konqi, whether it be in security methods or some
> other feature.
>
> NOTES:
> 1. This patch is intended to be forward-portable to Frameworks/KF5, but I
> work on Apple OS X, where it is not yet possible to run Frameworks/KF5 and do
> the porting and testing. So could someone else please do it?
> 2. Another Review Request https://git.reviewboard.kde.org/r/120376/ addresses
> the tokens issue only, but it should be reviewed and shipped as a matter of
> urgency, both in KDE 4 and Frameworks, the next bug-fixing release for KDE
> 4.14 being due for tagging on Thursday, 9 October. That will leave more time
> for this review (120431) of my more long-term and more general patch.
> 3. The passwords-only part of my patch is currently storing the password in
> clear. Suggestions re encryption are welcomed --- or the code could be
> changed to make use of KWalletD mandatory (but that might not be fully
> portable to all platforms).
> 4. When the Bugzilla call "User.login" is discontinued, some re-sequencing of
> the flow of KAssistantDialog pages will be needed. I have not attempted to do
> that at this stage. Probably the entry of the user name and password should
> be delayed until the report has been accepted by the Dr Konqi logic and it is
> just about to be sent to bugs.kde.org or attached to an existing bug report.
>
> REFERENCES:
> http://www.bugzilla.org/docs/
> http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/WebService.html#LOGGING_IN
>   Bugzilla 4.5.x (future) API doco re security
> http://www.bugzilla.org/docs/4.4/en/html/api/Bugzilla/WebService.html#LOGGING_IN
>   Bugzilla 4.4.5 (current) API doco re security
> http://www.bugzilla.org/docs/tip/en/html/api/Bugzilla/WebService/User.html#login
>   User.login will be DEPRECATED in 4.5.x
>
>
> Diffs
> -----
>
>   drkonqi/bugzillalib.h 570169b
>   drkonqi/bugzillalib.cpp f74753c
>   drkonqi/reportassistantpages_bugzilla.h b7af5b8
>   drkonqi/reportassistantpages_bugzilla.cpp 22183f0
>
> Diff: https://git.reviewboard.kde.org/r/120431/diff/
>
>
> Testing
> -------
>
> Used the bugstest.kde.org database and KDE 4 master on KDE/kde-runtime
> repository.
>
> Tested a range of version numbers (see commented-out test data) against a
> range of 5 or 6 hypothetical and real Bugzilla versions at which things could
> or will change. This was to test the basic version-checking and
> feature-choosing algorithm.
>
> Tested submitting both full reports and attached reports, using both the
> token method and the passwords-only method.
>
> Also tested with KWalletD supplying the username and password on Dr Konqi's
> login dialog.
>
>
> Thanks,
>
> Ian Wadham
>
>
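
Added example, not part of the thread and not code from the Dr Konqi patch: a C++ sketch of the data-driven version check the review request describes, choosing the login method from the Bugzilla server's version string. The names (AuthMethod, parseVersion, selectAuth, kRules) are hypothetical, and the thresholds (tokens from 4.4.5, password with every call from 5.0) are assumptions read from the thread.

```cpp
#include <cstdio>
#include <string>

enum class AuthMethod { Unknown, Cookies, Token, PasswordEveryCall };

// Pack a version so that plain numeric comparison orders versions correctly.
constexpr long ver(int a, int b, int c) { return (a * 1000L + b) * 1000L + c; }

// Accepts "N.N" or "N.N.N" with each N in 0..999; anything else returns -1.
long parseVersion(const std::string &s) {
    long value = 0;
    int fields = 0;
    for (std::size_t pos = 0;;) {
        const std::size_t dot = s.find('.', pos);
        const std::string f =
            s.substr(pos, dot == std::string::npos ? dot : dot - pos);
        if (fields == 3 || f.empty() || f.size() > 3 ||
            f.find_first_not_of("0123456789") != std::string::npos)
            return -1;
        value = value * 1000 + std::stol(f);
        ++fields;
        if (dot == std::string::npos) break;
        pos = dot + 1;
    }
    if (fields < 2) return -1;
    return fields == 2 ? value * 1000 : value;
}

struct Rule { long since; AuthMethod method; };

// Ascending order. Thresholds are assumptions taken from the thread:
// tokens from 4.4.5, password on every call from 5.0.
static const Rule kRules[] = {
    {ver(0, 0, 0), AuthMethod::Cookies},
    {ver(4, 4, 5), AuthMethod::Token},
    {ver(5, 0, 0), AuthMethod::PasswordEveryCall},
};

// The last rule whose threshold the server has reached wins. An unparseable
// version yields Unknown so the caller does not guess a login method.
AuthMethod selectAuth(const std::string &serverVersion) {
    const long v = parseVersion(serverVersion);
    AuthMethod chosen = AuthMethod::Unknown;
    if (v < 0) return chosen;
    for (const Rule &r : kRules)
        if (v >= r.since) chosen = r.method;
    return chosen;
}

int main() {
    for (const char *v : {"4.4.4", "4.4.5", "4.5.6", "5.0", "4.5.1+"})
        std::printf("%-7s -> %d\n", v, static_cast<int>(selectAuth(v)));
}
```

Supporting a further Bugzilla change means adding one row to kRules; the selection loop stays the same.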