Decade Old KDE Bug Fixed

hypnosec writes "How long does a bug take to get resolved? A week? A month? A year? Well, a bug prevalent in the KDE libraries since 2002 has finally been resolved after a decade it has been revealed. The bug was present in the "Reject Cross-Domain Cookies" feature of KDE Libraries. Thiago Macieira noted in the KDE Libraries Revision 974b14b8 that he observed that his web cookies were being forgotten following a kded restart."

Can't decide if it's embarrassing or impressive

[eksith]

Maybe a little of both. Clearly, they had other priorities and this just fell through the cracks.

"turns out that mCrossDomain was of value 127": For some reason reminds me of the time Linus blew up at Mauro a little while ago also for returning a value that makes no sense (made worse by dancing around the issue).

Re:Can't decide if it's embarrassing or impressive

[dubbreak]

After RTFA (I know, broke the rules), it appears it wasn't a documented or tracked bug. It was noticed and fixed more than a decade after it was created. Pretty much non-news. If no one ever noticed or cared that their cookies were getting lost on a kde restart then how can you expect it to get fixed? If no one calls it a bug, is it actually a bug?

I've had a similar experience. I was working with a system and found a bug that had been around since the initial system (>3 years), and jumping into the old source control (I had to crack open visual source safe since that's what they were using originally..blech ..moved to hg after I started and bitched that even cvs would be better). Basics of it were: request sent, response received but ignored/not read, retry sent, original message response used. It kicked into a retry sequence even try despite having a response. Eventually this caused issues communicating to a certain device. Put the sniffer on and voila, see double requests despite getting an immediate response. No one ever noticed because it didn't cause issues with any other devices. Yes, extra traffic on the bus, but there was plenty of bandwidth and most of the devices handled it fine. It should have been caught in original testing. When writing your own protocol to talk over serial you'd assume they'd do a little more testing than a sniff test ("oh.. looks like it's working. Good enough for production! Let's ship it!"). I spent most of my time fixing bugs and most were that old but that's the only one I can remember that you would think would have been noticed earlier.

Re:Can't decide if it's embarrassing or impressive

[wmac1]

No one noticed their cookies are removed without any reason? "IF" no one really noticed that, then I would ask myself what kind of people have been using it.

Or perhaps there were more important bugs and problems and people did not push on this one?

Re:Can't decide if it's embarrassing or impressive

Can't decide if it's embarrassing or impressive

There's a Slashdot rule about that: if we're talking about open-source, it's impressive, if not, it's embarrassing.

Re:Can't decide if it's embarrassing or impressive

[phantomfive]

Pretty near all large software has bugs in it. It's not surprising that a large codebase a decade old will have bugs a decade old. This particular bug doesn't seem to be in a code path that is executed very often, and that is where bugs hide. That's why you should make your infrequently executed code as simple as possible.

Re:Can't decide if it's embarrassing or impressive

Software is so complicated and diverse these days, it's hard to tell which is normal behaviour and which is not.

Honestly though, isn't forgetting cookies a GOOD thing?

Re:Can't decide if it's embarrassing or impressive

[SomeKDEUser]

I tend to consider my cross-domain cookies getting lost a feature. I never noticed the bug -- and I have been using KDE since before it was introduced.

There are legitimate uses for cookies, for sure, but the vast majority of them seem to serve no other purpose than tracking me. Which is occasionally fine in the case of wikipedia or slashdot keeping me logged in, but in the vast majority of cases _not_ OK.

Re:Can't decide if it's embarrassing or impressive

[suy]

Can't decide if it's embarrassing or impressive. Maybe a little of both.

Or none of the above. ;-)

Reading the reply from adawit, seems more like in some rare situations that involve restarting the "cookiejar" (the service that stores the cookies), there is possibly undefined behaviour (depending on what the compiler does).

I think is an interesting bug fix, and maybe even a nice blog post from the developer, but I don't think is worth the Slashdot frontpage, even less with that headline.

Re:Can't decide if it's embarrassing or impressive

It was noticed and fixed more than a decade after it was created. Pretty much non-news. If no one ever noticed or cared that their cookies were getting lost on a kde restart then how can you expect it to get fixed? If no one calls it a bug, is it actually a bug?

it was a few months ago microsoft got dragged through the mud here for a decade old bug

Re:Can't decide if it's embarrassing or impressive

[Enderandrew]

Reboots aren't as necessary in Linux.

And I'm assuming that this only affects KDE cookies, so you'd only see this if you used Konqueror as your browser. I imagine most KDE users are using Firefox, Chome or another browser like that.

Re:Can't decide if it's embarrassing or impressive

[lbbros]

The issue only occurred if the KDE daemon (kded) was restarted. With normal usage, this never happens (only if you are testing things, or a crash).

Re:Can't decide if it's embarrassing or impressive

[hairyfeet]

No matter whether you are embarrassed or impressed its just more proof that "many eyes" myth is just that, a total myth.

I'll get hate for saying it but fuck it frankly it has amazed me that myth has hung on as long as it did because it makes some pretty glaring assumptions that even a moment's thought would show just don't work and while I often don't agree with their conclusions on some issues one thing FOSS advocates usually do is follow logic to its conclusion.

The "many eyes" myth makes some pretty easy to punch through assumptions, 1.- That because something CAN happen means it HAS happened. This would be like claiming that somebody has climbed K2 wearing bunny slippers because theoretically somebody could climb K2 wearing bunny slippers. Just because something is POSSIBLE does NOT make it probable or even likely 2.- That all the projects out there, no matter how small or hidden from sight, will get the same attention. I bet every FOSS advocate on the planet has used LO/OO.o multiple times...show of hands, how many of you have actually LOOKED at the freely available source code? How many of you have submitted changes to that code? And that is one of the most popular FOSS programs on the planet, what are the odds that little subsystem hidden away in the middle of most distros has been read and edited by ANYBODY other than the guys maintaining it?

The ONLY real advantages source code brings has nothing to do with bugs, it has to do with that fact that 1.- if you have the skills and free time or 2.- Have the money to hire somebody else's free time and skills you can take a product that is EOL or doesn't run on the platform you want and make it do as you will. LO doesn't run on MIPS? You can port it or pay somebody to port it. For some reason you need Gnome 1 to run on the latest kernel? You can hire a dev team and make it so. But that doesn't magically do a damned thing about bugs, as this along with the KDELook malware or the fact that even kernel.org ended up hacked proves. Having code has its advantages but making bugs disappear? NOT one of them.

Oh and I'm sorry but the "Linus rant" was a Christian Bale douchebag rant that was completely uncalled for. The guy was working on an extremely complex subsystem with some pretty serious issues, he asks a simple question about why a value returned HAS to be X while pointing out that in the subsystem he is working on dozens of drivers do NOT return X so the application in question is gonna fucking crash anyway, and instead of taking the exact same amount of time to say "It has to be thus because" he goes superdouche. I'm sorry but I don't care if you are Bob the mailman or the fucking pope, nobody gets a license to be a douchebag and that rant was total douchebag. It was quite obvious the little prick just expects a "yes master" to anything he says, no questions asked, and when this guy dares to ask what is frankly a damned good question he gets shit on? Nope, sorry, Linus is a douchebag and deserved to be called on it.

Re:Can't decide if it's embarrassing or impressive

[vurian]

Ah, right. So the fact that this bug was caught means that the idea that opening the source for lots of people to check out means bugs get caught is false? In other words, the fact that this bug was caught means the idea that bugs get caught is wrong?

Re:Can't decide if it's embarrassing or impressive

[Samantha+Wright]

'Many eyes' is a statistically valid principle, just over-trusted. You're right that it's not a guarantee that bugs will be found, understood, and fixed more quickly as staff are added, but as long as developers (and testers) aren't slacking off due to herd mentality effects, the rate of finding bugs cannot be any worse than it is with fewer people. It's a submodular function.

...also, if you have an infinite number of programmers reviewing the code at the same time, however, it is certain that all bugs will be diagnosed and fixed. Possibly instantaneously. So that's a theoretically nice result.

Re:Can't decide if it's embarrassing or impressive

[TubeSteak]

"turns out that mCrossDomain was of value 127": For some reason reminds me of the time Linus blew up at Mauro a little while ago also for returning a value that makes no sense (made worse by dancing around the issue).

So what should the value have been?

Re:Can't decide if it's embarrassing or impressive

[buchner.johannes]

false. But I don't understand how it ever became 127, because it is of type boolean.

Re:Can't decide if it's embarrassing or impressive

FYI, Hairyfeet is a known liar and Winshill.

Re:Can't decide if it's embarrassing or impressive

But he's not wrong.

Re:Can't decide if it's embarrassing or impressive

How the fuck can a text file track you or do anything at all?

Re:Can't decide if it's embarrassing or impressive

[hairyfeet]

The FOSSies can waste mod points all the want, doesn't change the fact that its a myth and easily shown to be false. did you forget the bug that was in Debian SIX YEARS before anybody caught it? Or the blatant malware in Q3 Arena that was downloaded countless times and sat in the repos of ALL the major distros for a year and a fricking half before anybody noticed they were all being pwned?

Again you and those that advocate this myth are falling for the assumption because something CAN occur that it HAS occurred. want proof that don't happen? How many fucking Man pages in Linux are placeholders? that is a job that frankly ANYBODY can do, don't need coding experience to write a Man page, yet for most of those that have placeholders it just won't get done.

For the "many eyes" myth to hold true you would have to accept several assumptions that real life simply don't bear out, 1.- That people will download and inspect the code. Again answer my question, have YOU inspected the LO code? Even once? That is one of the most popular programs in FOSS land but I bet out of ALL the geeks on /. the number that have actually downloaded and inspected that code could be counted on one hand. Now if that is the case with one of the most popular apps ON THE PLANET how many do you think have looked at the little pissling ass subsystems and little programs that nobody even think about but which are including in every distro, things like say the clock or the calendar or the theme program? I bet my last dollar if they keep logs you'd find almost NOBODY has downloaded the actual source and there hasn't been jack shit as far as submissions by anybody but the guys that actually maintain the thing.

2.- That people that actually have the skills and experience to do meaningful code reviews are actually gonna spend their free time doing code reviews on this stuff. Do you have ANY idea how many years of coding experience it takes to be able to look at a VERY complex program like LO or Gimp or any of the other dozens of programs included in most distros and to be able to spot errors or problems? Have you ever looked at the winners of the obfuscated C contest? In that contest you KNOW there is malware in the code but frankly unless you have a high enough level of coding skill to instruct classes in C I seriously doubt you would spot it. The guys that actually do have that level of skill are frankly in high demand and free time? Not something they have a lot of so I seriously doubt that they are gonna want to sit around doing code reviews.

3.- That there are enough people out there WITH the skills to spot bugs AND the willingness to do it to keep up with the avalanche of new programs being added to the repos weekly. Hell if we even limit it to JUST the programs that are included in most distros when you figure in all the little sub-programs if it numbers less than 10,000 I'd frankly be amazed. Again go download the code to some of the popular programs like Gimp or LO or even the smaller ones like Abiword or Gnumeric and see just how many fucking pages of code we are talking about here, no way in hell you are gonna get enough highly skilled volunteers to go through that many densely coded programs even once a decade and again I bet for the vital but lesser known programs they probably haven't had a single person not on the dev team that has actually done a meaningful code review of the source code.

So I'm sorry but "many eyes" just doesn't hold up to even the most cursory of logic and you can waste all the modpoints you want but black isn't white, straw isn't gold, and many eyes is bullshit. THAT DOES NOT MEAN that not having the code is somehow "better" or that having the code doesn't give you some pretty powerful advantages, as I said if you want say Abiword to run on MIPS you can port it or pay to have it ported, if you need a program that has been EOLed like gnome 2 you can get like minded people together and keep it going, both of which are pretty powerful advantages. It simply means that "many eyes"

Re:Can't decide if it's embarrassing or impressive

I see you still enjoy the minty flavor of Ballmer's jizz.

Bug was found, bug was fixed. Ignorant rant invalid.

Not sure why you are still hot and bothered over Linus slamming that douche nozzle for being inept and trying to pass the buck.

Re:Can't decide if it's embarrassing or impressive

When writing your own protocol to talk over serial you'd assume they'd do a little more testing than a sniff test ("oh.. looks like it's working. Good enough for production! Let's ship it!"). I spent most of my time fixing bugs and most were that old but that's the only one I can remember that you would think would have been noticed earlier.

You *must* be new here! I worked for a 911 call centre that had serial (SCADA) connections to fire halls (when units are selected, it sends serial commands via leased serial lines to remote terminal units at fire/ambulance stations to activate P.A., station lights, alerts, open main bay doors and send a printed incident report located near fire truck/ambulance drivers door (A rip-and-run report). The vendor that created the software noted several problems with the scada communications protocol that could cause problems. ...If only we were running Linux all the problems they had with windows would go away. I was in favor, but I was the only one.

Re:Can't decide if it's embarrassing or impressive

Hairy, you're so fucking stupid. Many eyes did work in this case. The bug was caught a very long time ago. It's just that no one felt it it was worth the time to fix. Why would that be? Because it's a fucking minor thing that most people won't experience or care about.

Many eyes caught the fucking bug long long ago. Many eyes didn't take 10 years, you dumb twit.

Re:Can't decide if it's embarrassing or impressive

You're right that it's not a guarantee that bugs will be found,

It was found. It just wasn't fixed. Eyes worked fine. Fingers failed. Not that the bug is that kind of OMG the sky is coming down kind of thing.

Re:Can't decide if it's embarrassing or impressive

Yes he is.

Re:Can't decide if it's embarrassing or impressive

I don't know, assigning a specific ID to you, something cookies are known to do?

Re:Can't decide if it's embarrassing or impressive

[F.Ultra]

Actually in reality many people carry out all your points. For example where I work we routinely perform source code scrrening of all the software that we use for mission critical stuff. And I do not believe that we are alone in doing that.

Further the very fact that the FOSS projects have their sources available means that all companies that develop source code validations services (like Coverty) screens lots of FOSS sources for free during their development of their products since that is the only massive amount of code that they have access to.

Add to that that the very bug you are replying to (the KDE bug) was found and also patched, it doesn't matter how long it took from when the bug was introduced and when it was discovered, it was still found and patched due to it beeing open sourced.

Re:Can't decide if it's embarrassing or impressive

[unixisc]

Winshill? Have you even read what he's been saying about Microsoft, Ballmer and Windows 8 lately?

Re:Can't decide if it's embarrassing or impressive

[unixisc]

The source code advantage as far as bugs go is that if someone finds it, and has the skill or the money to hire that skill, one can discover where that bug is and fix it. You are right - it is more of a theoretical possibility than an actual probability, but still, even for this, having the source code for all the software one has is better than not having it. That way, if one finds the bug and has the skills to know where to look and what to do, one can debug the stuff. Not possible w/ closed source, where one would have to send it back to the vendor.

I do agree that the biggest advantage of open source is that the software licensee has the power to decide where he wants to port the software, customize and extend it according to his needs and not have someone like HP force him to buy Itanics when he doesn't need it.

Re:Can't decide if it's embarrassing or impressive

[BrokenHalo]

Does anyone actually use konqueror? I can't imagine why, it's horrible. That said, I have no beef about the rest of KDE, though I really did hate it for many years when it was kluttered and kfucking kfugly, but now it is as elegant, feature-rich and usable as I could wish for...

...Unlike Gnome, of which I really was a big supporter since ~1997 but which since version 3.0 is (for good reason) about as popular as a dose of the clap.

Re:Can't decide if it's embarrassing or impressive

[BrokenHalo]

If no one ever noticed or cared that their cookies were getting lost on a kde restart then how can you expect it to get fixed?

Since I don't use konq, I never noticed this bug, but in any case I would call this a feature, since I actually use a script to routinely delete any cookies files. While I realise cookies might be delicious, I don't care to be tracked by friends of acquaintances, so (as far as is conveniently possible) I don't choose to let them.

Re:Can't decide if it's embarrassing or impressive

No one noticed their cookies are removed without any reason?

Wrong, there was a reason. They restarted it.
I set all my browsers to do this by default, so whether or not this bug ever manifested for me is moot, as there were no cookies to forget. Frankly speaking, there's absolutely no good reason for cookies to persist to begin with.

Re:Can't decide if it's embarrassing or impressive

[hobarrera]

Reboots aren't as necessary in Linux.

Sure, if you want to run the same kernel for the rest of your life, that's true.

Re:Can't decide if it's embarrassing or impressive

[Enderandrew]

http://www.ksplice.com/

You can even swap kernels without a reboot.

Re:Can't decide if it's embarrassing or impressive

[Blaskowicz]

I had to reboot lately, because Firefox was a zombie process and still taking 1.5G of memory. Its parent was init. For the first time, I did a kill -1 -9 to see what happens (kills everything but init) this gives you a black screen and losing all input to do anything with the computer. I should haved killed init to see what happens lol.

Doing something without reboot is also a test on your admin skills (I'm sure a user barely able to edit /etc/fstab will just reboot instead of doing a mount -a, and so on.)

Re:Can't decide if it's embarrassing or impressive

How the fuck can a text file [cookie] track you or do anything at all?

It's only a siggestion, but you might be better off not revealing your gross ignorance.

Re:Can't decide if it's embarrassing or impressive

[fnj]

I did a kill -1 -9 to see what happens (kills everything but init)

Um, pretty sure that should be kill -9 -1

Re:Can't decide if it's embarrassing or impressive

[dubbreak]

Reboots aren't as necessary in Linux.

My thoughts exactly. I pretty much never rebooted my Linux desktop. Laptop.. yes because hibernate didn't work right.

Some people also set their browser to delete cookies every time they close the browser (I usually set one to do this so I have something clean for testing).

Re:Can't decide if it's embarrassing or impressive

It is not the text file that causes harm. It is the web server being able to read some cookies that they did not send.

You are the ignorant one. If third party cookies are not allowed, then anything that a web site sends is by default not tracking you because they created it and they can track what you do on their site anyway.

A text file is 100% harmless, always. It does absolutely nothing. It is what other apps can do if they can read it is the problem.

Re:Can't decide if it's embarrassing or impressive

Yes, more eyes is a myth in general but has merit if the right eyes are looking in specific cases. Of course, more of the right eyes on the code is always a good thing and your littlemyth goes poof.

Lots and lots of bugs have been found by people trying out debuggers and fuzzers on open source software.

If you are going to debunk myths, you should also acknowledge that "Windows is attacked more often because it is 'popular'" is a myth. Otherwise you are just a Ballmer cock smoker and have nothing of substance to offer.

Security and usage numbers are orthoganol.

Windows is the most attacked(and successfully) because it is the easiest to attack. It nearly every space where MS does not have the majority market share(ie everything except desktops) it is the MS software that is successfully attacked more often than the market leader.

  A 12 year old with no understanding of computers can own most windows machines.

Re:Can't decide if it's embarrassing or impressive

I can't find fault in his reasoning. He's right. How many opensource users actually even check the code on the applications they use? Probably a small percentage. Yes there are companies that do code review, but there are also companies that don't do any code review and end up using buggy software in their products. The amount of people that actually audits opensource code is pretty small and some pretty well known, like OpenBSD, but even they got fooled by the whole silly IPSEC backdoor stuff that shocked even themselves. All in all, nothing is perfect.

Who Cares?

[terbeaux]

There are bugs much older than this in the wild. Publishing this arcane factoid will just make the KDE devs feel inadequate when our bro Thiago Macieira could have earned a PhD in CS and submitted a patch herself. Can you mod an entire story -1 TROLL?

Re:Who Cares?

yeah because users should have to get a phd in cs and fix the bugs themselves! open source fukken r00lz dude!!!1

open source means never having to take responsibility for releasing a shitty product...

Re:Who Cares?

[DRJlaw]

Publishing this arcane factoid will just make the KDE devs feel inadequate when our bro Thiago Macieira could have earned a PhD in CS and submitted a patch herself. Can you mod an entire story -1 TROLL?

Embarrassing != Troll.

There are bugs much older than this in the wild.

And those projects, whether run as open source or owned by Microsoft or owned by some other closed source shop, should be embarrassed as well. If the bugs are that longstanding, public shaming is probably the only motivation left to drive them to be fixed.

Re:Who Cares?

[Tailhook]

open source means never having to take responsibility for releasing a shitty product

I guess I have to agree with you. At least this place seems to be inhabited with people that believe open source is an excuse to neglect work. I pointed out a 12 year old bug fixed in the latest Mozilla release and get modded Offtopic. Mozilla developers aren't working for kudos... but damn you if you offer the slightest criticism.

Re:Who Cares?

[amiga3D]

Really? I mean I guess I'm glad it's fixed but of all the problems this has to be among the most minor. Amnesia over web cookies is right up there with "there is a speck of dust on my shoe lace." Hell it could even be considered a feature.

Re:Who Cares?

With Open Source, if a bug is a real problem, then you can fix it.

IF and only IF you know how.

 

If you're unwilling to take the time to fix it, then it must not be really important to you.

OR I don't have the time to learn C, study the code and fix it. Hey at least I (hypothetically) reported it. I didn't report anything, just saying hypothetically speaking.

 

It's not like you PAID FOR the software.

Yeah but I'm paying with my time to try and help by reporting a bug. Your attitude is highly arrogant and patronising. This is one of the problems with FOSS...it's not a license to be an asshole. If you don't want to give your work away for free, then don't do it. If you do, be prepared and open to constructive feedback and pointless criticism, it's part of belonging to the human race and 2 wrongs don't make a right.

Re:Who Cares?

[rudy_wayne]

With Open Source, if a bug is a real problem, then you can fix it.

Wrong. This is the big lie of Open Source.

• I can submit a bug, but I can't force them to fix it. I have submitted many bugs to various open source projects over the years and none of them have ever been fixed.
  I can write a patch but I can't force them to accept it. Which makes sense -- you can't have random people messing with your code.
  I can only write a patch if I am proficient in whatever language they are using AND I am intimately familiar with the code base so that I know where to look.

Unless you are an expert programmer, with commit access to the codebase, open source is meaningless.

Re:Who Cares?

[Teun]

And yet you can fix your system.
Commits are another story.

Re:Who Cares?

That's incorrect, because once you make the patch, you can use it. It doesn't have to be accepted back to the main system for you to continue using it for as long as you might like.

Fact of the matter is, if a bug is a real problem, you -can- fix it. If you don't have the ability to fix it, then you can either find (maybe for pay) someone to fix it, or you can learn the ability to fix it.

Not that I'd defend many of the other claims people make against open source -- I've been doing this for nearly my entire life, and there's a LOT of people with zero social skills, zero UI design skills, zero aesthetic skills, zero software testing skills, and many times all of that combined into one, in the "open source community".

Re:Who Cares?

[Runaway1956]

Arrogant and patronising?

Many of us would agree that it is YOU who is arrogant. You seem to assume that the software should function just as you demand that it should, and that when it does not, someone else is at fault. We can make an argument that you are part of the Great American Instant Gratification generation.

So, you can't program. Or, maybe you can program, but don't have the time or the skill to fix the problem that really bothers you. You have heard of the bounty system?

Here's a blurb on one bounty system: http://www.insanitybit.com/2012/08/14/chrome-beefs-up-its-rewards-program-bigger-bounty/

Re:Who Cares?

I am a big open source fan but your attitude needs to die in a fire. It is more damaging and toxic then the ignorance hairfeet spews on behalf of his master.

I have my own work and my own projects.

I don't have the time to find, report or fix bugs in the linux kernel, KDE, Ruby, Python, Java, Netbeans, PostgreSQL, sqlite, ruby on rails and about 50 gems for ruby and/or rails, Apache commons, JRuby, firefox, Amarok, etc, etc, etc.

Of the above truncated list only amarok is not actually relevant to my work. At some point I should be working on my projects, that hopefully add something valuable, instead of spending all my time fixing everyone elses projects. If one of them breaks and I found the bug I report it, revert to the preciously working app/lib and wait for the maintainers to fix it. If they don't fix it, I won't use any future versions.

It was the authors decision to write that code and release it under a open source license. I have no responsibility to report or fix anything. That was not part of the licensing deal. I also have every right to complain about something that sucks about it.

I never put code out as OSS or even closed source, unless I am willing to take responsibility for it. I hold other programmers to the same standard whether or not I paid for it.

There have been bugs in KDE and KDE apps that were very important to me, I didn't fix them because I don't have the time to fix other people's screw ups. It is their responsibility. I just reverted to an earlier KDE version that worked. I didn't move to Gnome because Gnome sucks ass, every version, and Enlightenment is an underpowered eyesore. I owe KDE exactly jack and shit and will bitch every time something pisses me off, which is not very often.

For a non-trivial project it takes a non-trivial amount of time to learn enough to be able to work on it. No one has the time to contribute to every project that they use, and your tired, shitty little rant implies that you think we do. Fuck you.

Open source is a powerful thing, but what you are doing is committing the #1 fallacy of open source.

Re:Who Cares?

[NotBorg]

Unless you are an expert programmer, with commit access to the codebase, open source is meaningless.

Thanks. I keep trying to tell everyone that open source software is written by experts. It's nice to finally get some affirmation.

Re:Who Cares?

[F.Ultra]

Regardsless of your knowledge, you still have the possibility to fix it (the can bit). The difference is that with closed software you cannot even if you would know how.

Re:Who Cares?

[hobarrera]

It's not just open source: the truth is, windows doesn't have a bug tracker, so you can't see really old bugs.
Windows 7 won't allow users to open/delete/move/do-anything-else on files with some particular characters in their filename. This bug has existed since DOS, so it's actually around two decades old.

Re:Atleast it is better than an unfixed Windows bu

[binarylarry]

I've been asking them to get rid of the Start Menu for years and they finally did it with a recent release.

I hope they remove networking capability next and maybe add more DRM.

@SteveBallmer @Microsoft

common

I guess it is pretty common... I mean, even recent software has years old lame bugs these days, even big projects like Chrome has issues like:
https://code.google.com/p/chromium/issues/detail?id=255

(and that is a bug you can hit every single day of normal web browsing...)

Re:common

[jones_supa]

Mozilla also fixed an over decade old bug in Firefox 18 (prevent sending insecure requests from a secure context).

Re:Atleast it is better than an unfixed Windows bu

The quality of Slashdot comments has really gone downhill.

Answering the obvious

How long does a bug take to get resolved? A week? A month? A year?

You said "decade old" in the title, dumbass!

KDE

[jones_supa]

Heh, gratz for fixing that one. KDE is the best UNIX DE. Reasonably fast, relatively robust, smooth to use, and very configurable. Lots of nice apps and widgets to play with, too.

Re:KDE

Actully OS X is the best UNIX DE but I suppose KDE is decent...

Re:KDE

[toddestan]

KDE is better because it has much better hardware support.

Re:KDE

[Blaskowicz]

Do I need a SSD to run it? I run my OS on an old IDE drive (data, not /home on a 160GB one) and have a stack of those if I want to try something different.
If I want to try it, and PC-BSD 9.1 or Linux Mint 14 KDE should be awesome OSes, I'd like to have the databases enabled (interfaced with whatever IM/mail/contacts/"PDA" stuff) as it's like the main feature of KDE along with kio slaves. But if I invest time into using it (after learning how to disable the animations crap and the tabbed start menu), and it turns into a slow piece of crap then I will have wasted my time. I dumped Windows 7 because it did too much I/O and that was on a 1TB drive.

Re:KDE

[jones_supa]

I have tested this. KDE is very responsive with a mechanical hard drive too. It seems to preload a lot of stuff into RAM.

Restarting KDE

Restarting KDE every ten years sounds about right.

now they can start working with bugs from 2003

...

Many eyes make all bugs...

...LOL I couldn't finish that lame old quote with a straight face.

Decade old GNOME bug not fixed

https://bugzilla.gnome.org/show_bug.cgi?id=121113

Re:Decade old GNOME bug not fixed

For something that's more completely considered a bug, check the long and sorry history of bug 108951. Only about 6 years old, but one of the more irritating ones. Sad to see such an issue bounced from distro to project to DE and back again, then finally closed because the feature it affects is removed.

Functionality wasn't affected

[lbbros]

If you read another developer's response to this commit you will see that the actual feature (reject cross domain cookies) was not affected by this blunder: instead the issue was completely different and only occurred when the KDE daemon was restarted.

Re:Who Cares? - People that use KDE maybe ?

There are bugs much older than this in the wild. Publishing this arcane factoid will just make the KDE devs feel inadequate when our bro Thiago Macieira could have earned a PhD in CS and submitted a patch herself. Can you mod an entire story -1 TROLL?

Who cares?

What a arrogant comment. I care and thousands of other KDE users care.

That's nothing ...

Microsoft has an entire bug-based OS 27 years old and counting.

No one wants to fix unglamorous bugs

[hessian]

People work on problems that are (a) fun to solve and (b) will bring them acclaim.

Tiny, ugly, boring bugs don't do that and so in many software projects they get overlooked the longest.

Developer at fault still at large

The identity of the developer responsible for the bug still remains unknown. A 10,000 bit coin reward has been posted for information leading the discorvery of his name and/or whereabouts. And in other news, Linus Torvalds has just announced.......

Re:Atleast it is better than an unfixed Windows bu

No, it's about the same. There is just more of them. Moderation doesn't scale well.

Re:Atleast it is better than an unfixed Windows bu

[Runaway1956]

I hadn't noticed, actually. Of course, the world-famous Anonymous Coward has been here much longer than I have. With a UID of zero, I guess you would know!

Re:Who Cares? - People that use KDE maybe ?

[Runaway1956]

Did you file a bug report? No? Then you didn't care very damned much.

Déjà vu...

[Kelerei]

...Slashdot reported on a 25 year old BSD bug being resolved back in May 2008.

And these are just the ones we know about -- there may be yet older bugs (particularly in proprietary, closed-source systems, where the source cannot be reviewed by the general community).

Re:Déjà vu...

>And these are just the ones we know about -- there may be yet older bugs (particularly in proprietary, closed-source systems, where the source cannot be reviewed by the general community).

Defensive much? LOL

Re:Déjà vu...

They should have fixed it the first time it was solved.

Pssst. Mozilla...

Don't start asking about the number of decade-plus bugs that exist in Thunderbird. More than I could count on my entire family, or probably even entire workplace teams fingers and toes.

Are any of you programmers?

I have never seen a code base that does not have bugs as old (or older) than the date the bug tracker was put in place.

This is totally normal.

Users weren't affected until recently

[Bananenrepublik]

Sorry to spoil the fun, but the developer who found the bug fixed it "after a few months" according to the check-in comment. The code may have been buggy for a decade, but that doesn't mean that anybody was affected during that time. Once someone was affected (the developer), it was fixed in a much shorter timescale than this article makes you believe.

What abot the many eyeballs?

[williamyf]

After RTFA (I know, broke the rules), it appears it wasn't a documented or tracked bug. It was noticed and fixed more than a decade after it was created. Pretty much non-news. If no one ever noticed or cared that their cookies were getting lost on a kde restart then how can you expect it to get fixed? If no one calls it a bug, is it actually a bug?

"With enough eyeballs all bugs are shallow" Right?
Well, the theory of the many eyes say that someone somewhere should have noticed/reported/tracked this bug sooner rather than later.
this comes to prove that many eyes are NOT enough. First you need more than merely many eyes, you need many QUALIFIED eyes.
Second, you need to complement your (many) eyes with systematic test cases to so some QA, trying ad a modicum of rigor, instead of, you know, letting the QA become an ad-hoc subjective process...

Re:What abot the many eyeballs?

So why are you complaining instead of being one of the pairs of eyeballs? Where were you? The source code is open you know! I don't use KDE!

Re:What abot the many eyeballs?

I cannot really fathom what you are complaining about, was not this bug found and also patched? Why does his eyes not count for you?

Imagine that this had been a closed source product, then he had perhaps triggered the bug, but he had had no possibility to debug it and also no means of providing the patch what so ever.

Re:What abot the many eyeballs?

[Sigg3.net]

Well, relevance will probably have something to do with how many eyes etc.

Security and stability bugs have many eyes looking.

Re:What abot the many eyeballs?

"With enough eyes, all bugs are shallow," is no better than, "with enough time, all passwords are weak." It's a statement about brute force, which always the least efficient way to do anything.

I agree with your post but will add one thing: all projects need better documentation. Some of the best open projects on the net now have no or terrible documentation. Some of them glibly claim, "our code is self-documenting" (which tells me they don't understand what documentation actually means), while others have their documentation scattered across a hundred disjoint wiki pages, with no unifying design document to explain over-arching design decisions.

The first step to getting qualified eyes is to give people a single document, say, 100 to 300 pages, where they can get a birds-eye view of the architecture, drill down into individual modules, and understand all the decisions that shape the program to be what it is.

The second step is then to make use of those qualified eyes by giving them shallow, simple, complete modules to inspect. Code that does one thing, does is directly, and then returns standardized output and errors. Only when code is simple and architecture easy to understood do you get the most out of the "brute force inspection" of a million eyes.

Still hope for 16 year old IE bug

[raymorris]

Perhaps that means there is still hope that the IE Accept bug, documented sixteen years ago, will eventually get fixed. Microsoft did release a partial workaround after fourteen years.

Re:Still hope for 16 year old IE bug

Perhaps that means there is still hope that the IE Accept bug, documented sixteen years ago, will eventually get fixed. Microsoft did release a partial workaround after fourteen years.

Are you referring to the fact that many companies still Accept IE as a viable browser? Because that's certainly buggy behavior, and it's been around a long while.

Re: Atleast it is better than an unfixed Windows b

Good job you're all reading the source and making your contributions. Except you're not.

Linux may as well be propitiatory for most of its users

KDE is known for bugs ...

KDE is known for bugs unfixed for years - another one https://bugs.kde.org/show_bug.cgi?id=224447 . 58 users hitting this one (which is a log for a bug reporting system) for 3 years already.

Re:KDE is known for bugs ...

[blackpaw]

Because its very hard to reproduce, non of the reporters could come up with a reliable way of doing other than "On my system". I myself used to see that bug until kde 4.8. Have never seen it since.

Firefox does this all the time

[rudy_wayne]

Just this month, they have fixed bugs that were originally reported in 2000 and 2001.

Re:Firefox does this all the time

Took them almost 10 years to fix the javascript bug that would cause your computer to lockup and crash with an over scaled image. Surprised it wasn't exploited more often.

browser cookies being forgotten

[scourfish]

This is not a bug to me

Open source?

[antdude]

How come no took over these very old issues to fix? Did no one care for them? :( I would fix them if I could code.

Re:Open source?

[Tough+Love]

How come no took over these very old issues to fix? Did no one care for them? :( I would fix them if I could code.

If it was proprietary software it would have been EOLed by now. Open source... just keeps getting better. You can't unopen it.

Re:Open source?

[antdude]

I know, but it is frustrating that no one would fix these bad bugs. :(

Re:Open source?

[Tough+Love]

it is frustrating that no one would fix these bad bugs.

I guess the bug was not very bad, which you can confirm by RTFA. More to the point: if a bug goes ten years in open source, that's a news item. In proprietary software it's par for the course.

That long to fix?

[fahrbot-bot]

I didn't know the Oracle Java development team also worked on KDE.

Re:That long to fix?

[laffer1]

That's not fair. KDE eventually fixed the bug.

Re:Atleast it is better than an unfixed Windows bu

[Tough+Love]

The quality of Slashdot comments has really gone downhill.

Really? I liked that one. Droll wit indeed. Deserves upmodding.

Certainly not the worst example

[Mehmet+Kse]

Take a look at this one: http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/128587

One byte, two years.

By the way, how can one say FreeBSD a state-of-the-art system, they used *this* installer for twenty years.
- Hey, we've got a new mirror, let's recompile!

Re:Who Cares? - People that use KDE maybe ?

I always laugh at this excuse. I would say 90% of nix users do not file bug reports because of how lousy the bug report system is to non-developers in a lot opensource applications. Then if those people do post a bug report and due to their inexperience, they get shunned out of existence. I've seen it happen all the time. I once told a guy to send a bug report, he never did, and I asked him why and he said it was just too much crap to do. I've even seen patches get shunned. Just take a look at Asterisk and the bluetooth module. Thing has been broken for years and there's a patch on the bug report that's been sitting there for years and works great, but never implemented to mainline, thus it has been broken every damn release because no one wants to implement it (Yes, the patch works, I have to recompile every release).
 
There's a lot of unreported bugs for a lot of applications due to this and the excuse of "I'm not going to fix it because it wasn't reported on our lousy bug report system, but posted on a forum", is no excuse at all. We're led to believe opensource is safer, when in reality it's turning into a bureaucratic mess of ego maniacs (Gnome) and proper submission form (KDE), that's opening holes in a lot of the applications we enjoy.

I personally like Mozilla's new way of bug reports, where you can send it directly from the browser with the submit feedback and they made it as simplest as possible. They have the right idea, most of the opensource community does not.

5 more years

[pmontra]

This makes me hope that 2017 will be the ETA for the fix of this one :-)

Obligatory disclaimer: no, I can't learn a new (for me) language and a new toolchain to fix it. I'll live with the bug as I did for three years.

Re:5 more years

Since we're complaining about old bugs, I have the stupid udisk floppy bug. I need floppies to transfer stuff to this antique laptop I'm fooling around with, and guess what? Most every linux distro has had this ridiculous bug in udisk for YEARS: Freedesktop entry ; also at Ubuntu's Launchpad

  Basically, udisk stupidly force-umounts floppies the instant they're mounted, so you can't "mount /media/floppy" and use it. Ever. It's fixed in the new codebase, udisk2, but the bug in udisk1 (which many distros, including mine will be using for the near future as udisk2 works in a whole different way) is unfixed. (Apparently it appeared because somebody couldn't figure out how to avoid a delay when booting, as udisk searched for a nonexistant floppy drive on systems without one. So he solved it in a way that BROKE. ALL. FLOPPY. DISKS.)

  Not only that, but one developer actually acknowledged that it's broken, then told people affected by the bug that "floppies are rare, so I don't care," and marked the fucking bug as "WORKSFORME" (!!) because it doesn't affect the entirely seperate udisk2 codebase.
    Which is some of the stupidest shit I've ever seen. WONTFIX, while it is the douchiest tag, would be more appropriate since he flat-out admits it doesn't work. I think the udisk devs are hoping to beat ffmpeg out for "biggest dickhead developers." (They have a lot of ground to make up, though. Heh.)
  Fortunately, I use the command line and can issue a "udisk --mount /dev/fd0" instead as a workaround, but all integrated desktop floppy handling is borked for the time being by a years-old bug. I love linux, and this kind of shit really holds it back, IMO.

Re:5 more years

You needed floppies?

That laptop had no serial port? No Ethernet? No USB?

I guess when you are ignorant, floppies are the only answer.

Re:5 more years

The laptop's too old for USB; either the ethernet card or dongle is dead meaning I have to buy a new one, one that will work with a distro the laptop can handle (will do eventually); serial port is only available through a special docking connector thingy that I'd have to buy off ebay if one ever comes up. ATM, I'm stuck with floppies. It's a PITA, but I can manage. I'm considering an SD-card floppy adapter, which, while slow, will eliminae disk swapping entirely; also I can just plug the SD card right in on my main PC and transfer full speed. I'm not sure if that's a high priority when I still need to buy other stuff for it. This is a fun project for free time, indulging a bit of nostalgia by dicking around with old hardware.

Anyway, it's not just me -- there's a lot of industrial hardware out there that takes data via floppies, and some office equipment, and other niche uses where you have to have a floppy. It's not a large segment, but it exists.

  And yes, there are workarounds, too. But that's all beside the point -- the bug doesn't bother me much, it's the response to the bug.
  The point is there's been this bug for years, with numerous people complaining, and the devs' attitude is like "So what? Fuck you guys." I'd expect that from suits at Microsoft, but when you're talking directly to a developer in charge of Linux's removable disk support, and telling him that his project is bugged such that floppy disks are broken across multiple distros, and it's been that way for ages, and his answer is basically "GFY"? That's bullshit. At that point, he's an asshole. Where's his pride in his project? It's certainly not up his ass, that's where he keeps his head.

Not newsworthy

[Frankie70]

Anyone who has worked on large projects knows that a lot of bugs keep getting punted year after year because they aren't serious, affect very few users etc.

Re:Who Cares? - People that use KDE maybe ?

Did you file a bug report? No? Then you didn't care very damned much.

I didn't even know the bug existed until i saw this article.
And yes I damned very much do still care.

Runaway1956 I take it you are a linux developer or a linux app developer ? Your lame response speaks for itself.

Re:Who Cares? - People that use KDE maybe ?

Thank you for the backup. For the most part I think you hit the nail right on the head.

I've submitted bugs for dozens of different distros and even been involved in development of some.
I'm not a developer. I've submitted bugs and patches (all complete & without error). But because i'm not a developer or in their "click" *GASP!* my bugs are suddenly unworthy of the ego maniacs that run the upstream and mainline branches.

Re: Atleast it is better than an unfixed Windows b

propitiatory? How do you pronounce that, Ballmer-boy?

blah blah

While researching a problem that I was having with GTK back about 4 years ago, I discovered that I was ramming headfirst into a 20 year old focus related problem, that will likely never be fixed, and therefore will always render Gnome a useless pile of crap (in addition to the horrific user interface that they've grafted onto it over the last 8 years or so).

There was a nearly 40 year old bug fixed in one of the base Unix tools, about a year or two ago.

Microsoft 'aux' folder

In Microsoft's XP operating system, you can't name a folder (or subdirectory, in standard terminology) 'aux'.

Not to mention that every Windows system since 3.0 has the bug where the name on a CD is assigned to be the CD drive name and remains assigned even after the CD disk is exchanged with another.

These bugs probably won't get fixed until the original Voyager space probe circles the galaxy and returns to earth.

Re:Microsoft 'aux' folder

In Microsoft's XP operating system, you can't name a folder (or subdirectory, in standard terminology) 'aux'.

That is odd, but apparently true.

It's like those strange old laws on the books where a man can't wear jeans in a public park, or something. There was obviously a reason for it at one time. Then by the time that reason was no longer applicable, everyone had forgotten the law existed, so it was never changed.

Re:Microsoft 'aux' folder

"aux", "con", or "prn" actually.

Yeah, but how long

[TheABomb]

has the "ksirtet is no longer in kdegames bug" been ongoing?

That's because

Everything Linux SUCKS

Re: Atleast it is better than an unfixed Windows b

[chromas]

I'm sure he meant Propeciatory—as in, "Linux makes you grow a beard".

I can beat that...

[seebs]

I reported a bug, which was accepted, in NeXTStep 0.8 or so. Last I checked, it's still in OS X. (LoginWindow won't let you enter control characters as part of a password.)

Re:Who Cares? - People that use KDE maybe ?

Please give examples of 3 bugs you've submitted.

Let's make this official

[der_alte]

from now on, January 18 "Thiago Macieira Appreciation Day".

Whaaaa?

[Safety+Cap]

How the fuck can a text file track you or do anything at all?

Easy: give it some duct tape and a magnifying glass, then stand back.

Re:Atleast it is better than an unfixed Windows bu

[RockDoctor]

I hope they remove networking capability next

That's a necessity to prevent hacking of the Internet from our OS, for which we remain criminally liable.

and maybe add more DRM.

We just need to ensure that the decryption keys are only ever issued on a robust one-time-use policy over the network, after the user has paid their pay-per-view fees for that viewing of the content. As our corporate customers have been demanding for years. We've got to get rid of the current thing of storing the keys on the media itself, because those hackers will always find a way to break such a scheme.

Regards, Bill

(But Steve, you've been in post for a decade or so now, and I'm retired. So why am I having to wipe your arse on basic topics like this. And what are you doing with that chai $£&$^$£&* NO CARRIER

You fixed it for yourself... +1

[mrflash818]

You fixed it for yourself... +1