Kevin Krammer posted on Sun, 15 Jan 2012 18:08:31 +0100 as excerpted:
> On Sunday, 2012-01-15, Dan Armbrust wrote:
>> > Hmm. Most software with autocompletion support does that. E.g.
>> > browsers,
>> > email programs.
>>
>> They also ask your permission first.
>
> Interesting. Neither Konqueror, Firefox, KMail or Thunderbird have asked
> me whether I wanted to store form data.
> Can you attach a screenshot of an application asking that?
I don't know about asking, but it's a preferences setting. There's also
the "private browsing" or whatever the app decides to call it, mode,
where everything (cookies, form completion, browsing history, etc) is
forgotten, tho that normally has to be specifically toggled on.
While I consider this is a good thing and would appreciate the option in
okular as well, it's not something that fits well with the previously
chosen example of a public kiosk, library computer, or other shared
computer (my folks worked at a mission in El Salvador for awhile;
everybody shared the same computer and could read email, etc, unless it
was web-based, but of course then if the browser is set to save cookies
and remember form-fills...), since because in most cases it doesn't
prompt every time, a user accustomed to using a private computer and not
worrying about it isn't likely to realize the danger and verify settings
on a public computer, either.
I wonder how many facebook/myspace/twitter/etc users have had their
accounts hacked simply thru use of a friend's computer or one at the
library, and being careless about the "remember me" settings, etc, that
most sites have (that usually control the site's cookie settings) on
their logins? Not to mention banks... Sure, a responsible kiosk
operator will have setup responsible settings, but then again, it could
be argued that a responsible kiosk operator would wipe or entirely reimage
between users, as well. There's a lot of users caught-out that way, I'm
sure.
So yes, I agree an option would be nice, and having a clear-data function
would be EXCELLENT, but I don't believe the kiosk example was
particularly apropos, given the commonly accepted behavior of most
browsers, etc, extended to the same kiosk example.
>> And they have an off switch.
>> And, they definitely don't autocomplete fields which are know to
>> contain private info - aka - passwords. Unless you go through another
>> dialog telling it to remember the password. And they give you a menu
>> option to clear it. And, most browsers now have a "don't remember
>> anything" mode.
>> Okular has none of those.
>
> Right, hence the recommendation for lobby for an implementation doing
> that.
Actually, I wonder if this idea could get a bit more traction in view of
the new ksecrets thing? That'd play off the whole fascination with the
new and shiny technology thing, instead of being seen as the drudge-work
that hooking up to kwallet or just implementing an ordinary don't-save
option and clear-saved button.
That's where I'd try to take it at this point, since ksecrets IS new and
shiny and fascinating! =:^)
>> > However I don't see any facts supporting the claim of "virus like
>> > behavior".
>>
>> Hiding users data without permission and without the users knowledge
>> certainly is virus like behavior.
>
> No, virus behavior is attaching itself with the purpose of distribution
> and spreading.
> I don't think Okular is doing either.
It seems he's using "virus" not in the technically narrow "virus" sense,
but in the broader "malware" sense, inclusive of trojans, etc. While
okular really can't be considered a virus in the technically narrow sense
(as you pointed out), certainly, the argument here is that it's behaving
like a trojan, so if one accepts an extremely fuzzy definition of virus
that really means something more like malware in general. While I would
have certainly chosen "malware" or "trojan" instead of "virus", here,
with a suitably fuzzy definition, I do see his point.
That said, while I see his position and certainly agree that a don't save
data option and clear saved data button would be useful, I certainly
don't consider it a problem on the order of, say, konqueror not having
proper security certificate management for two years after kde was
declared ready for ordinary users with 4.2... (finally fixed in 4.6, IIRC)
in an era with both internet banking and the compromise of entire
certificate authorities! That was a FAR more serious breach of the
public trust, IMO, while this one's an "it would be nice" thing, a rather
vast difference in priority. As I've stated before, the "it's only a
toy, use a real browser if it matters" attitude toward konqueror is one
of the big reasons I switched to firefox.
>> > I would recommend lobbying for secure storage of form completion data
>> > like other form completing programs do.
>>
>> I doubt it would help.
>
> I wouldn't be so sure.
Same here, particularly with the new ksecrets angle to explore. If I
were an okular dev I think I might jump on this one just for the
opportunity to play with that! =:^)
Of course, since ksecrets is itself rather immature at this point, taking
that approach could mean no real fix until 4.9 or 4.10, but given the
time it has been already, and the priority I've already stated I rank
this as, that's certainly better than not seeing the feature at all!
BTW, Kevin, any wild guess or informed opinion on how long kde4 will
continue with the semi-annual feature updates, given kde5 in the wings?
My WAG is that 4.9's reasonably safe on a six-month cycle, but that the
focus on kde4 might be rather less after that, and that while it's
reasonably likely there will be a 4.10, I suspect that we might not see a
4.11, that 4.10 might slip from six months to say 9 months from 4.9, and
that the monthly bugfix updates will similarly slip to 2-3 months around
the same time period, with devs focusing then on kde5.
As such, as soon as I start using double-digit minors, I begin to wonder
if say 4.11 and beyond is looking ridiculous and it'll be 5.x by then
instead.
Of course as others have said, I expect kde5 to be a rather minor deal
compared to kde4, and that it'll be handled rather better. But I just
wonder every time I put something a year or more off, thus 4.10 timeframe
or beyond, and wonder how your of course very tentative at this point
speculation compares to mine. Note that I'm **NOT** asking for a 5.0
release date prediction, since the above assumes a stretching out of the
4.x releases schedule as the devs naturally focus more on kde5, and I
/do/ hope and expect that (unlike kde3) kde4 bugfix releases at least,
will continue for awhile after kde5 release, altho at a much slowed down
rate, maybe 2-3 such 4.10.x releases after 5.0... at say six month
intervals compared to the current monthly, thus yielding a couple years
of overlapped support to help avoid an early 4.x repeat.
Does that sound reasonable, or are there bad assumptions there, such that
we're likely to see a 4.11 and 4.12 at the current schedule, or OTOH,
won't get to 4.10?
Any guess on wayland support? Maybe not for 4.x but for 5.x? If so, do
you think it'll make 5.0?
> Hmm. I haven't used Okular's implementation yet but generally I find
> form completion support to be rather useful. I used it all the times
> when filling in web forms or completing email addresses.
++ =:^)
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
___________________________________________________
This message is from the kde mailing list.
Account management: https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.
