
Re: KDE3 on F9 and F10 HOWTO, now online



[For the TL;DR crowd: DO NOT FOLLOW THE INSTRUCTIONS FROM THE OP!!! THEY
WILL REINTRODUCE CRITICAL SECURITY VULNERABILITIES INTO YOUR SYSTEM AND MAY
ALSO CAUSE A LOT OF DEPENDENCY ISSUES!!!]

Roberto Ragusa wrote:
> this is a (late) follow up to my mails about
> having KDE 3 from F8 on Fedora 9 and 10.

... which is a horribly stupid way to get KDE 3 onto these:
* These packages are no longer updated. Any bugs, including security issues
will just stay unfixed.
* The old compat libs you're installing also have unfixed security issues.
You should rebuild the KDE 3 packages against the current libraries
instead. (But that still doesn't change that you are responsible for
providing updates to the packages.)
* This: "After a successful upgrade, you have to be careful when installing
updates, as the entire KDE4 will try to replace the KDE3. I personally use
yum list updates and then select packages manually with yum update this_one
that_one that_one_too." is also a horribly stupid solution. At the very
least, you need to provide an exclude= line to stick into the .repo files.
But rebuilding the packages with higher Epoch is probably the only really
safe way (but it'll also break your upgrade path forever because we aren't
going to bump the Epoch of Fedora's KDE to support upgrades from your
obsolete crap, also because we'd risk getting into an Epoch war with
dinosaurs who want to stay on KDE 3 forever).
* More and more packages are being upgraded to KDE 4 versions. So KDE 3
alone is not enough to provide, you'd have to fork pretty much all
KDE-using packages to provide a working solution, or ship a lot of libs
from KDE 4 as kde*4 packages (but that still won't help with apps requiring
things like Plasma or KDE 4's KWin, those won't work within KDE 3). You're
listing some of them, but there are a lot more you're not accounting for,
probably because you happen not to use them (but others are!).

If you really want to use an obsolete KDE, at least do it properly! But of
course this is going to be a lot more work than just writing some bad
advice on your web page. IMHO it is not worth it.

So please just delete that broken page and your insecure compat packages
(your openssl in particular has critical security issues) and stop breaking
other people's systems! (If you want to break your own system, that's your
own problem, but at least stop bragging about it!)

A distribution is not just a pool of software you can randomly pick pieces
of, it needs to work together. Fedora 9 and 10 come with KDE 4, so that's
what you must use, period.

> As there were some people interested in what I've done,
> I finally found the time to put all the stuff
> online (specs, patches, SRPMS, RPMS).

And I find it really sad that you're ignoring the opinion of the Fedora KDE
maintainers who told you your solution is completely broken and asked you
not to give out such horribly bad advice to unsuspecting users.

> Everything is on this page (including a disclaimer):

No amount of disclaimers is going to help the fact that you're giving out
bad advice and that idiots are going to follow it and then whine that it
breaks, nor are they going to help the people who get their system
compromised due to the unfixed security holes in your compatibility
libraries.

In fact you should upgrade to KDE 4.2 yourself instead of wasting your time
with this useless and broken crap.

        Kevin Kofler

