[Pkg-sugar-devel] Bug#813258: sugar-record-activity: Should sugar-record-activity be removed?

James Cameron quozl at laptop.org
Mon Feb 1 02:07:59 UTC 2016


On Mon, Feb 01, 2016 at 08:39:31AM +0800, Tony Anderson wrote:
> This is indeed throwing the baby out with the bath water. Record is
> a critical activity, one of the few protected from removal. A Debian
> Sugar without Record eliminates sound recording and using the camera
> for images and video.

Yes, it is unfortunate, but Debian is dependent on the upstream
project Sugar Labs to remedy this.  I don't think it is likely that
any Debian developer will choose to fix the problem within the context
of Debian packaging.

Don't forget, Fedora has given Sugar Labs the same problem.  Fedora 24
won't have GStreamer 0.10 either.

> How does using Gstreamer 1.0 create a dependency to port to GTK+3?

We expect GTK+ 2 to be removed eventually, and it would cost more time
to maintain the Record activity sources if there was one branch for
GStreamer 1.0 and another branch for GTK+ 3.

Both libraries are now used through GObject introspection bindings,
so the work required to port to both is similar in nature.

Also, I'm not aware of any activity that combines both GStreamer 1.0
and GTK+ 2.  Are you?

> In ASLO, Jukebox-28 upgraded to gstreamer-1.0 and also migrated to
> sugar3

activities.sugarlabs.org is not showing you the latest Jukebox-32, a
known problem with ASLO that nobody has worked on for four years.
Please don't cite activities.sugarlabs.org, it just lies.

Yes, indeed, Jukebox was correctly migrated to GStreamer 1.0 and GTK+
3, and the sugar-jukebox-activity package in Debian does depend on the
libraries through the GObject introspection bindings, which you can
see in the dependencies list;

https://packages.debian.org/sid/sugar-jukebox-activity

> (interestingly, the release notes mention the move to gstreamer-1.0
> but make no mention of GTK3 at all.

You can find the port to GTK+ 3 mentioned in the release notes for
Jukebox-27 from August 2012.

http://activities.sugarlabs.org/en-US/sugar/addons/versions/4045
http://wiki.sugarlabs.org/go/Features/GTK3/Porting/Jukebox

> sudo cp libgstmad.so /usr/lib/gstreamer-0.10/
> sudo chmod 755 /usr/lib/gstreamer-0.10/libgstmad.so
> sudo cp libmad.so.0 /usr/lib
> sudo chmod 755 /usr/lib/libmad.so.0
> sudo cp libgstfaad.so /usr/lib/gstreamer-0.10
> sudo chmod 755 /usr/lib/gstreamer-0.10/libgstfaad.so
> sudo cp libfaad.so.2.0.0 /usr/lib
> sudo chmod 755 /usr/lib/libfaad.so.2.0.0
> sudo yum install gstreamer-ffmpeg-0.10.13-8.fc18.i686.rpm
> sudo ldconfig
> sudo rm -rf /home/olpc/.gstreamer-0.10/registry.i386.bin
> 
> This script installs the necessary codes directly. I am sure the
> ffmpeg install adds unnecessary code but I don't know how to break
> this out. However, this script does not work with gstreamer 1.0 and
> I have spent hours researching the documentation to find out what
> happened to the libgst* libraries and the registry.i386.bin. The
> only documentation I found requires installing the complete bad and
> ugly libraries (granted, this was a couple of years ago so that
> documentation may now exist - but gstreamer 0.1 works with no
> problems so no need to spend more time on it).

No idea what you are talking about above; it has no bearing on Debian.

> Incidentally, GTK+3 is irrelevant since jukebox is intended to be
> run by association with a media file. We need it only because we are
> forced at gunpoint to make the change to stay modern (keep up with
> the Jones').

And Jukebox stays in Debian because of this forcing.  A good outcome.

On Mon, Feb 01, 2016 at 08:51:41AM +0800, Tony Anderson wrote:
> Zero day vulnerabilities as I understand it are vulnerabilities not
> known except to the exploiters. That has been true
> since day one. The antivirus folks can only protect us against a
> virus that has been released (although some have taken
> a positive approach of trying to recognize patterns of exploit).
> 
> So this hypothetical list of zero-day vulnerabilities can not be
> reduced, by definition, until the exploit is made.

My mistake, I should have said "unpatched zero-day vulnerabilities."

When there is no vendor of updates, the vulnerabilities remain
unpatched, and remain present.

There are also the unpatched vulnerabilities that were not exploited
before a patch was available.  Many of these have been exploited.  The
list of CVEs against old libraries grows.  WebKit1 for example.

> Luckily, XO deployments often have no connection to the internet and
> so are automatically protected against most
> exploits.

They are not protected against attacks over a local area network or by
USB drives.

> My concern is that Debian Sugar would become less capable on
> standard laptops without Record.

Yes.

> The implication is that to keep Record in Debian Sugar, someone must
> drop whatever they are doing and undertake to port Record to GTK+3,
> even though Record is fully functional

Yes.

> and not known to be open to any exploit.

No, I'm fairly sure there are exploits.

> This is the Microsoft formula to force users to buy new licenses.

None of us are Microsoft, and the license is open source.

> Naturally, on any XO, Sugar is based on 32-bit Fedora. This is
> unlikely to change in the foreseeable future.

I'm sure George Hunt over at XSCE would love to hear your vote of
no-confidence for his work on Debian on the XO.

> Actually, I suspect the majority of XOs are still running 0.82.

Which means their list of unpatched CVEs is even larger.

-- 
James Cameron
http://quozl.netrek.org/


