On the right to rant.



  • @Zecc said in WTF Bites:

    @Bulb My opinion is that JWZ has every right to rant.

    In a free society, everybody has every right to rant about whatever they want. However, the other people have every right to ignore their ranting and follow their own Policy instead.

    The Policy is incredibly important to Debian. In this case, it effectively says three things:

    1. The interests and desires of the Users take priority. When the Users and the Upstream Author want something else, the Upstream Author can shove it.
    2. Packages are not removed from released suites (except possibly for legal reasons, but those should be carefully checked before they get to the point of being released).
    3. Packages in released suites are not upgraded. They only get fixes of security issues and possibly critical bugs (but those are hopefully found before they are released too).

    JWZ may not like the way Debian works, and may rant about it, but that is how Debian works and they work that way because that is exactly what system administrators want and why so many system administrators prefer Debian (basically companies that have purchased support from Red Hat use RHEL and those that don't most commonly use Debian). They are absolutely predictable in how they work.

    Not saying JWZ is completely devoid of fault either. For one thing this is an extremely unprofessional way of addressing a user that was otherwise mostly polite (word "obnoxious" in their post notwithstanding):

    JWZ basically has no business even reading that post, not to mention replying. It is Debian bugtracker, not upstream one. Debian tends to keep those two things distinct.

    If JWZ does not want to be bothered by bug reports for old versions, his bug reporting page is the right place to put the big bold warning.


  • kills Dumbledore

    @Bulb said in On the right to rant.:

    The interests and desires of the Users take priority

    @Bulb said in On the right to rant.:

    Packages in released suites are not upgraded

    What if what users want is an upgraded package?



  • More to the point, IMO, is the fact that JWZ chose to release his software under some open-source license that allows others to duplicate/edit it as they wish. He cannot do that and then later on say that someone took his software and, well, edited it as they wanted.

    There are billions of software licenses around, if he wants one where he keeps some control of the software while making the code public, I'm sure it would take him less time to find it than it took him to write all his rants. There is nothing wrong with wanting to keep some control on your creation, but there is something deeply wrong with using a license that doesn't correspond to your aims and then whine about people following that license.

    (from his own site: "I believe in giving people the freedom to make their own decisions [... but some people] just don't care about [...] the wishes of a creator." You can make your own decision, as long as it follows what he wants.)

    Also, yes, voluntarily reading the Debian bug tracker and complaining as if it was his own bug tracker is quite squarely in the "dick move" territory.



  • @Jaloopa said in On the right to rant.:

    What if what users want is an upgraded package?

    Then they can (provided the maintainer had time to build it) install it from Testing, Unstable or Updates. The third being a collection of packages for which updates are often requested, built against libraries from stable so they can be installed without pulling newer libraries along.



  • @Jaloopa said in On the right to rant.:

    What if what users want is an upgraded package?

    Then they don't want to be using Debian Stable. What is difficult about this concept?



  • If you read his website or blog, it's pretty clear he has BlakeyRat tendencies.

    On the other hand, I can partially understand his frustration. Getting blamed for bugs that have been fixed years ago because of someone else's policy can get annoying.

    The comment in the source is actually rather polite and calm (unlike the discussions):

    /* If you are in here because you're planning on disabling this warning
    before redistributing my software, please don't.

    I sincerely request that you do one of the following:
    
        1: leave this code intact and this warning in place, -OR-
    
        2: Remove xscreensaver from your distribution.
    
    I would seriously prefer that you not distribute my software at all
    than that you distribute one version and then never update it for
    years.
    
    I am *constantly* getting email from users reporting bugs that have
    been fixed for literally years who have no idea that the software
    they are running is years out of date.  Yes, it would be great if we
    lived in the ideal world where people checked that they were running
    the latest release before they report a bug, but we don't.  To most
    people, "running the latest release" is synonymous with "running the
    latest release that my distro packages for me."
    
    When they even bother to tell me what version they're running, I
    say, "That version is three years old!", and they say "But this is
    the latest version my distro ships".  Then I say, "your distro
    sucks", and they say "but I don't know how to compile from source,
    herp derp I eat paste", and *everybody* goes away unhappy.
    
    It wastes an enormous amount of my time, and kind of makes me regret
    ever having released this software in the first place.
    
    So seriously. I ask that if you're planning on disabling this
    obsolescence warning, that you instead just remove xscreensaver from
    your distro entirely.  Everybody will be happier that way.  Check
    out gnome-screensaver instead, I understand it's really nice.
    
    Of course, my license allows you to ignore me and do whatever the
    fuck you want, but as the author, I hope you will have the common
    courtesy of complying with my request.
    
    Thank you!
    
    jwz, 2014
    

    */



  • @Zerosquare While I can understand the stance in his comment (not so much the rest), note, on a slightly different topic, that it also exhibits the behaviour that I hate of "you must always update whenever I say so".

    There is no such thing as "obsolescence" in software. There are bugs, yes, of course, and those should be fixed, but this comment is training users in blindly running to each and every new version, to react like good Pavlov's dogs to the small icon "there are updates available", and in the end to get fucked again and again by developers who decided to change existing features or remove them entirely because they've decided that the broken JS framework of the day is better than something that actually worked.


  • Banned

    @Bulb said in On the right to rant.:

    The Policy is incredibly important to Debian. In this case, it effectively says three things:

    (...)

    3. Packages in released suites are not upgraded. They only get fixes of security issues and possibly critical bugs (but those are hopefully found before they are released too).

    Interesting, since JWZ wrote in his blog post:

    Though in case you were wondering whether there have been serious bugs fixed since 2014 -- security-related bugs -- the answer is yes.


  • Banned

    @remi said in On the right to rant.:

    There is no such thing as "obsolescence" in software.

    Cryptography, anyone?


  • 🚽 Regular

    @remi said in On the right to rant.:

    There is no such thing as "obsolescence" in software. There are bugs, yes, of course, and those should be fixed, but this comment is training users in blindly running to each and every new version, to react like good Pavlov's dogs to the small icon "there are updates available", and in the end to get fucked again and again by developers who decided to change existing features or remove them entirely because they've decided that the broken JS framework of the day is better than something that actually worked.

    This guy isn't talking about blindly updating. He's talking about versions that are years out of date. And, yes, updating can be very important, as WannaCry and other exploits have repeatedly demonstrated. To say there's no such thing as "obsolescence" in software is absurd, if only because if you wanted to update one piece of software to get a feature or bug fix you really want, it will usually require you to update its dependencies along with it, not to mention compatibility on the hardware level. If a software update screwed up your computer or introduced new bugs or undesired behavior, that's not a problem with updates in the general sense, it's a problem with that particular piece of shit software.



  • @remi I teach at a school where everything is done through iPads. If kids don't update, I have to deal with multiple workflows, confused kids, and lots of wasted time.

    Updates are important. And if they aren't done, it wastes lots of time for everyone



  • JWZ said in On the right to rant.:

    and they say "but I don't know how to compile from source, herp derp I eat paste"

    :headdesk:


  • ♿ (Parody)

    @Benjamin-Hall said in On the right to rant.:

    @remi I teach at a school where everything is done through iPads. If kids don't update, I have to deal with multiple workflows, confused kids, and lots of wasted time.

    Updates are important. And if they aren't done, it wastes lots of time for everyone

    So then you wouldn't choose the stable distribution. Which is fine. It's like you people are complaining that a subcompact can't tow your boat or something.

    There are places where minimal updates are desired because updates definitely do break lots of workflows and automated processes and etc. no matter how many temper tantrums a prima donna developer throws.


  • Banned

    @Benjamin-Hall said in On the right to rant.:

    @remi I teach at a school where everything is done through iPads. If kids don't update, I have to deal with multiple workflows, confused kids, and lots of wasted time.

    And when you update regularly, you still have to deal with all of that - just one version at a time. Whereas if no one updated anything ever, you and all your students would only ever have to learn the workflow once.

    Mind you, I'm not arguing against updating. I'm just saying "saved time" is a very poor argument for updating. Especially considering all the time spent fixing problems caused by the updates.



  • @boomzilla true. But I was responding to the idea that required updates are some kind of outrage. On a production system, updates may need to be gated. But that's an exception. An edge case. For most consumers and professionals, minor updates are necessary and important. Some people might need to cabin off certain software, but that's an exception, not a rule IMO.



  • @Gąska specifically for the iPad, updates come in a few types.

    Big updates with new versions of iOS are critical. APIs change, certain features are version gated, etc. But these happen once per year, usually at the start of things. So NBD if everyone's prompt about it. But sometimes we get big ones that make things incompatible that we're using.

    Small updates throughout the year are either security or are small enough to cover easy.


  • Banned

    @Benjamin-Hall required updates are fine if you're going to take responsibility for all the damage caused by those updates. Required updates are fine in corporate/school environment when devices are provided by and maintained by the institution that requires the updates. But forcing updates and not helping the affected users with the issues it causes is just evil.

    Of course, not forcing updates doesn't mean supporting old versions. I'd be perfectly okay with Microsoft ditching all support for Windows XP back in 2007 - as long as existing installations were left untouched.



  • @Gąska the kids (really their parents) buy and are responsible for the devices. We tell them when to update (and when not to). I've had kids trying to do Web Design work (that relies on things mobile safari added recently) wondering why it wasn't working--they were 2+ major versions out of date.

    For most people, the changes due to updates are less disruptive than the major bugs fixed in those updates. And teaching people to not update leads to Windows XP and backwards compatibility messes.

    There's a balance to be struck. Break everything (ala Apple) sucks, but so does getting support calls for things fixed years ago. Which I've gotten on the app I maintain. And Linux makes updating off cycle hard. Which is bad.


  • Banned

    @Benjamin-Hall said in On the right to rant.:

    For most people, the changes due to updates are less disruptive than the major bugs fixed in those updates.

    And for some, updates are literally impossible to install because of a one-in-a-million issue with their specific combination of hardware, software version, configuration, and manufacturing microdefects. I used to be in the "always update ASAP" camp too, until I've become one in a million myself.

    You should be able to refuse support of outdated software, but the student should be able to keep old version regardless, if they're okay with lack of support. Of course there are cases where there's some new feature introduced that's absolutely required in your course - but if they want to keep old version, that's their problem, not yours, and you should not solve it for them if they don't want to.


  • ♿ (Parody)

    @Benjamin-Hall said in On the right to rant.:

    But I was responding to the idea that required updates are some kind of outrage.

    Yes, in a general sense, they are, which was the point. Like all of the people who continue to use old versions of Word to write their documents.



  • @Gąska yeah, you're not a teacher. 99% of the "can't update" problems are kids trying to get out of work or out of accountability. And for the iPads, weird hardware isn't an issue.

    Heck, I run a frankenputer at home and have never had issues with updates due to hardware.


  • Banned

    @Benjamin-Hall said in On the right to rant.:

    99% of the "can't update" problems are kids trying to get out of work or out of accountability.

    I didn't say they shouldn't get failing grades for not completing assignments if the reason is that they have outdated software. But really, how often does it happen in practice?

    @Benjamin-Hall said in On the right to rant.:

    Heck, I run a frankenputer at home and have never had issues with updates due to hardware.

    Just like 999,998 other people in your million.



  • @Benjamin-Hall said in On the right to rant.:

    Linux makes updating off cycle hard. Which is bad

    Which one?

    If you run Debian Stable (or Red Hat Enterprise), it's because you want a stable distro. Basically, a LTS distro.

    If you want the latest and greatest, you don't run Debian Stable, you run Ubuntu (non LTS) or something else.

    If you want all the latest version, you can run Debian Testing or even Unstable if you're brave enough.


  • ♿ (Parody)

    @TimeBandit and commercial apps will update even on those LTS distros (e.g., Google Chrome).



  • @Benjamin-Hall said in On the right to rant.:

    For most consumers and professionals, minor updates are necessary and important.

    No, no, no and no. This is a stupid brainworm that needs to die.

    Security updates or updates that fix bugs are recommended and somewhat (depending on the bugs that are fixed) important.

    Random updates where the dev has decided that this feature should no longer exist and that the format should no longer be compatible and that has not been tested, are totally useless.

    Now ask yourself where most updates fall between these two extremes. You're a regular, so of course you know that most are closest to the second category.

    Software is (almost) the only thing in the world where we have been brainwashed to accept that everything in a tool that we use (and sometimes, that we've paid money for!) can at any time change entirely at the whim of someone else, and that this is a good thing. This is above moronic.

    (it's a rant thread, isn't it? I can rant all I want...)


  • BINNED

    @Benjamin-Hall said in On the right to rant.:

    An edge case. For most consumers and professionals, minor updates are necessary and important. Some people might need to cabin off certain software, but that's an exception, not a rule IMO.

    As a consumer (and a professional, but that's not the viewpoint I'm taking here), I disagree. If those minor updates were restricted to security fixes, then yes, I'd agree to always update as soon as possible.
    But they're not. Nowadays you constantly get new "minor" updates, like every other week. It's just annoying and unnecessary. If I click on "update all" for this:
    [image: 0_1534264664781_IMG_5962.PNG]

    it'll be back to a number like that in maybe 2 weeks. And 95% of those updates are useless. Security aside, I don't need new (mis-)features every week. Updates once or twice a year would be fine. Fuck the treadmill.

    Even major updates I'm wary of, as I've been bitten by them on all platforms I've used (Win/Linux/OS X/iOS).

    Of course, your use case of "everyone should be on the same version" is reasonable. But it might just as well be an argument for more stable, less frequent updates.



  • @topspin said in On the right to rant.:

    If those minor updates were restricted to security fixes, then yes, I'd agree to always update as soon as possible.

    Even this is questionable to a certain point.

    If it's a security issue with my browser, then yes, I should apply it ASAP.

    If it's for a service which is not exposed to the internet, and my PC is sitting comfortably behind a firewall and can't be accessed from anywhere except my LAN, then where is the rush to update RIGHT NOW?



  • @remi said in On the right to rant.:

    More to the point, IMO, is the fact that JWZ chose to release his software under some open-source license that allows others to duplicate/edit it as they wish.

    That's rich considering how many open source-y conversations I've had where people have called Apple, Oracle, Microsoft or whoever "evil" because they "took the open source code and didn't give back".

    @remi said in On the right to rant.:

    He cannot do that and then later on say that someone took his software and, well, edited it as they wanted.

    Nobody's arguing that. But if you ignore the author's wishes, you're a dick. Nobody's saying it's copyright infringement or that it's a violation of some license, they're saying Debian maintainers are being dicks.

    @remi said in On the right to rant.:

    Also, yes, voluntarily reading the Debian bug tracker and complaining as if it was his own bug tracker is quite squarely in the "dick move" territory.

    Them ignoring his polite request to remove the software is also squarely in "dick move" territory.

    @gordonjcp said in On the right to rant.:

    Then they don't want to be using Debian Stable. What is difficult about this concept?

    Except this software is used to lock the screen, so it's security-critical. And despite Debian's policies that they update for security issues, they haven't updated it since 2014. And JWZ himself pointed that out in the blog post.



  • @blakeyrat said in On the right to rant.:

    Except this software is used to lock the screen, so it's security-critical.

    You can lock the screen without XScreensaver.

    And despite Debian's policies that they update for security issues, they haven't updated it since 2014. And JWZ himself pointed that out in the blog post.

    In the blog post, he's saying that Debian distribute v.5.30. On current Debian Stable they're distributing v.5.36.1

    But JWZ doesn't have a public repository of the code (that I could find), so I don't know when that version was released.

    But, of course, feel free to repeat the same lame argument for the next decade 🤷‍♂️


  • I survived the hour long Uno hand

    @TimeBandit
    Given that at least one other computer on your LAN has Internet access and at least one attack vector suitable for compromising it (most commonly the [l]user via bad ads or phishing), then your service that isn't exposed to the Internet is still vulnerable to remote exploitation.

    While the bigger headlines show up for data breaches caused by database servers or backup files that are directly Internet accessible, the larger volume of data breaches occur because that completely protected development server with no Internet access was accessed horizontally from a compromised workstation.



  • @remi said in On the right to rant.:

    Software is (almost) the only thing in the world where we have been brainwashed to accept that everything in a tool that we use (and sometimes, that we've paid money for!) can at any time change entirely at the whim of someone else, and that this is a good thing.

    That's the paradox, and curse, of making some processes easier: the average quality drops.

    Back when ROMs were in wide use, you had to do serious QA before releasing a software version. Because fixing a mistake was costly and painful, especially if it happened after the product had shipped. Nowadays it's "nobody has the time to make things perfect, release as-is, we'll fix it later." (for values of "later" that are dangerously close to "never").

    A similar phenomenon has happened with the evolution of development tools and languages. With modern tools, really bad developers can fake competence enough to get employed instead of those who actually know what they're doing. The end result is (unsurprisingly) shitty, but it's not bad enough for managers to care or even notice.

    In both cases, the improvements also encourage endless toying at the expense of delivering a quality product from the start.

    I'm not saying we should go back to the old days (I'm glad my job no longer involves burning EPROMs!), but trying to make things easier sometimes backfires.

    EDIT: by the way, since someone will probably counter with "old stuff had plenty of bugs too!": yes, they weren't perfect. But they were nowhere as broken as the first releases of today. Some games are virtually unplayable (because of major bugs) until the first patch.



  • @izzion said in On the right to rant.:

    Given that at least one other computer on your LAN has Internet access and at least one attack vector suitable for compromising it (most commonly the [l]user via bad ads or phishing), then your service that isn't exposed to the Internet is still vulnerable to remote exploitation.

    IOW, you have to use another exploit on another computer (that wasn't patched), then use that exploit to hack into mine. The chances of that happening are really high ❗

    I can hack the locks on your front door easily, why don't you live in a safe? 🤷🏻‍♂️

    Edit: I'm not saying to never update, I'm saying why the EMERGENCY of doing it right now?


  • ♿ (Parody)

    @blakeyrat said in On the right to rant.:

    @remi said in On the right to rant.:

    More to the point, IMO, is the fact that JWZ chose to release his software under some open-source license that allows others to duplicate/edit it as they wish.

    That's rich considering how many open source-y conversations I've had where people have called Apple, Oracle, Microsoft or whoever "evil" because they "took the open source code and didn't give back".

    Because you found one more person who did that?


  • I survived the hour long Uno hand

    @TimeBandit
    Because the mindset of “oh this isn’t THAT critical, I’ll do it later” is what leads bachelor pads to have a sink full of dirty dishes, underwear all over the floor, and three bags of trash bursting full and waiting to go to the dumpster.

    Or, more topically, is why thousands of companies are still working on upgrading their Server 2003 / SQL 2005 servers to a newer version (probably 2008 R1, natch). After all, it works, and nobody’s posted their data all over the internet yet :mlp_shrug:



  • @izzion said in On the right to rant.:

    why thousands of companies are still working on upgrading their Server 2003 / SQL 2005 servers to a newer version (probably 2008 R1, natch). After all, it works, and nobody’s posted their data all over the internet yet

    And there is nothing between those two extremes? 🙄

    I don't necessarily apply updates the moment they come out, but I don't wait 10 years either.


  • Considered Harmful

    @Benjamin-Hall Well, as the old adage does indicate, there are those that can.


  • I survived the hour long Uno hand

    @TimeBandit
    You may not. But Microsoft (and lots and lots of other software companies) has lots and lots of data to prove how letting people choose the "eh, I'll update when it's convenient" option means they never update. And given how interconnected devices are these days, the fact that someone chooses to "update when it's convenient" puts lots of other people's Internet connectivity at risk, since those un-updated devices are very likely to become zombies in a botnet.

    And, in my experience, technical people who protest about how they would update on a reasonable schedule if only ${evilSoftwareCompany} would stop forcing updates down their throats are like teenagers insisting they would remain chaste without the watchful eye of the nun.



  • @Zerosquare said in On the right to rant.:

    2: Remove xscreensaver from your distribution.

    You know, Debian could just rename XScreensaver to revasneercSX or something, like they did with Firefox and Iceweasel, and both of them would get what they want.



  • @izzion said in On the right to rant.:

    @TimeBandit
    You may not. But Microsoft (and lots and lots of other software companies) has lots and lots of data to prove how letting people choose the "eh, I'll update when it's convenient" option means they never update. And given how interconnected devices are these days, the fact that someone chooses to "update when it's convenient" puts lots of other people's Internet connectivity at risk, since those un-updated devices are very likely to become zombies in a botnet.

    That's not a valid justification for forcing updates and REBOOTING whenever they want, and breaking working systems while doing it.

    like teenagers insisting they would remain chaste without the watchful eye of the nun.

    What can the nun do anyway? :trollface:



  • @anonymous234 said in On the right to rant.:

    You know, Debian could just rename XScreensaver to revasneercSX or something, like they did with Firefox and Iceweasel, and both of them would get what they want.

    Someone suggested this solution on the bug tracker topic, and it seems like a good compromise to me, too. But the idea probably got lost in the noise.


  • Resident Tankie ☭

    But still. Debian takes security very seriously. They backport security patches. In their view, you don't need newer versions of software, upstream software that is. What is in Debian Stable is the newest version that has been selected to run on the OS, which is presumably tested and runs predictably. What users might find are functionality bugs, but not usually security bugs that are known to exist. Upstream shouldn't care. Debian software is maintained by Debian, distributed by Debian and supported (as much as a community distro can provide support) by Debian. It might as well be another software entirely. Which is why they could very well change the name, and they probably will or have, or at least should?


  • Resident Tankie ☭

    By the way, most distros I have used discriminate between security patches and updates, and you can choose to install only the former.



  • @Bulb This JWZ guy also does something weird if you access his blog with a hackernews referrer. I think this guy is just really childish.


  • Discourse touched me in a no-no place

    @topspin said in On the right to rant.:

    Nowadays you constantly get new "minor" updates, like every other week. It's just annoying and unnecessary. If I click on "update all" for this:

    it'll be back to a number like that in maybe 2 weeks. And 95% of those updates are useless.

    I'm not sure I even have that many apps installed.


  • Resident Tankie ☭

    @sockpuppet7 said in On the right to rant.:

    @Bulb This JWZ guy also does something weird if you access his blog with a hackernews referrer. I think this guy is just really childish.

    Frankly it is quite to the point.


  • Banned

    @izzion said in On the right to rant.:

    @TimeBandit
    You may not. But Microsoft (and lots and lots of other software companies) has lots and lots of data to prove how letting people choose the "eh, I'll update when it's convenient" option means they never update. And given how interconnected devices are these days, the fact that someone chooses to "update when it's convenient" puts lots of other people's Internet connectivity at risk, since those un-updated devices are very likely to become zombies in a botnet.

    This argument would make sense before we entered IoT era, where we're surrounded with hundreds of "smart" devices that have worse security than unpatched Windows 98.



  • @Gąska said in On the right to rant.:

    This argument would make sense

    Not even.

    It's like arguing "Some people badly behave with guns, so we ban all guns for everyone" 🤷🏽‍♂️


  • Banned

    @TimeBandit the difference being, 1 in 10,000 gun owners in USA kills someone with gun, while the number of people who never updated their XP installs was much larger.



  • @Gąska Are we comparing receiving spam with murder now? 😕


  • Banned

    @TimeBandit receiving spam is the least that can happen to a hacked computer. Sending spam is more common, and orders of magnitude worse. Not to mention more serious botnet activities, and stuff keyloggers can get their hands on.

