Backporting of Discover/KNS fixes

Ben Cooksley bcooksley at kde.org
Sun Feb 20 00:40:37 GMT 2022


On Sun, Feb 20, 2022 at 1:08 AM Heiko Becker <heiko.becker at kde.org> wrote:

>
> On Saturday, 19 February 2022 10:11:06 CET, Ben Cooksley wrote:
> > It has recently come to my attention that some distributions have missed
> > emails sent to this list recently regarding issues with Discover/KNS. As
> > these issues are rather critical I am now requiring all distributions to
> > explicitly acknowledge receipt of these emails and to declare the actions
> > they have taken. As a reminder, end-user systems without these patches are
> > participating in a distributed denial of service attack on KDE.org
> > infrastructure.
> >
> > The two emails which distributions need to keep in mind are:
> > - https://mail.kde.org/pipermail/distributions/2022-February/001140.html
> > - https://mail.kde.org/pipermail/distributions/2022-February/001142.html
>
> Exherbo already has 5.24.1/5.91.0 and while I don't have numbers, I suspect
> our Discover installations are not that frequent anyway, due to missing
> PackageKit support for our package manager and our technical target
> audience.
>

I took a sample yesterday for a period just short of 2 minutes and received
the following results:

     1 "KNewStuff/5.88.0-discover/5.23.5"
     1 "KNewStuff/5.89.0-discover/5.23.4"
     1 "KNewStuff/5.89.0-discoverupdate/5.23.5"
     1 "KNewStuff/5.90.0-systemsettings/5.23.5"
     2 "KNewStuff/5.90.0-discoverupdate/5.24.0"
     2 "KNewStuff/5.90.0-kpackage-knshandler/5.90.0"
     6 "KNewStuff/5.90.0-discover/5.23.5"
    10 "KNewStuff/5.86.0-discover/5.22.5"
    13 "KNewStuff/5.86.0-discoverupdate/5.23.2"
    29 "KNewStuff/5.88.0-plasma-discover-update/"
   245 "KNewStuff/5.88.0-discoverupdate/5.23.5"
   296 "KNewStuff/5.90.0-discoverupdate/5.23.5"
  9082 "KNewStuff/5.86.0-plasma-discover-update/"
 10215 "Mozilla/5.0"

As can be seen, KF 5.86 is still by far the dominant group, along with
Mozilla/5.0 (which means these end user systems are running Frameworks
prior to 5.87 - the only reason we see 5.86 is because Ubuntu patched their
packages to include the changes added in 5.87).  Note that this is a legacy
endpoint which clients shouldn't be communicating with, so the above really
should be nil but it appears that updates are starting to take effect for
the other groups as I do recall them being more prevalent previously.

If any distributions currently support versions prior to 5.87 please look
at least into backporting the *.knsrc changes (which are just URL/data
changes - no code) as those will shift the load to our CDN from the main
download.kde.org redirector at least for those users.


>
> Regards,
> Heiko
>

Thanks,
Ben
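
The tally above can be reproduced from web server logs. The following is an added example, not part of the original message or of KDE's tooling: it groups requests by the KNewStuff framework version and calling application found in the User-Agent, and counts the bare "Mozilla/5.0" agent separately. The combined log format, the request path and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format (assumed format).
# The request path is a placeholder; the message does not name the endpoint.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Feb/2022:10:00:01 +0000] "GET /PLACEHOLDER-legacy-endpoint HTTP/1.1" 200 512 "-" "KNewStuff/5.86.0-plasma-discover-update/"
198.51.100.8 - - [19/Feb/2022:10:00:01 +0000] "GET /PLACEHOLDER-legacy-endpoint HTTP/1.1" 200 512 "-" "KNewStuff/5.86.0-plasma-discover-update/"
203.0.113.20 - - [19/Feb/2022:10:00:02 +0000] "GET /PLACEHOLDER-legacy-endpoint HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.21 - - [19/Feb/2022:10:00:02 +0000] "GET /PLACEHOLDER-legacy-endpoint HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.22 - - [19/Feb/2022:10:00:03 +0000] "GET /PLACEHOLDER-legacy-endpoint HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [19/Feb/2022:10:00:03 +0000] "GET /PLACEHOLDER-legacy-endpoint HTTP/1.1" 200 512 "-" "KNewStuff/5.90.0-discoverupdate/5.23.5"
192.0.2.6 - - [19/Feb/2022:10:00:04 +0000] "GET /PLACEHOLDER-legacy-endpoint HTTP/1.1" 200 512 "-" "KNewStuff/5.88.0-discover/5.23.5"
"""

# The User-Agent is the last quoted field of a combined-format line.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')
# Shape seen in the sample above: KNewStuff/<KF version>-<caller>/<caller version>
# The caller name may contain hyphens; the caller version may be empty.
KNS_UA = re.compile(r'^KNewStuff/(\d+)\.(\d+)\.\d+-([^/]+)/(.*)$')


def classify(ua):
    """Return (group, caller) for one User-Agent string."""
    m = KNS_UA.match(ua)
    if m:
        return "KF %s.%s" % (m.group(1), m.group(2)), m.group(3)
    if ua == "Mozilla/5.0":
        # Per the message: on this endpoint this agent means Frameworks < 5.87.
        return "pre-5.87 (Mozilla/5.0)", None
    return "other", None


def tally(lines):
    """Count requests per framework group and per calling application."""
    groups, callers = Counter(), Counter()
    for line in lines:
        m = UA_FIELD.search(line)
        if not m:
            continue  # not a combined-format line; skip it
        group, caller = classify(m.group(1))
        groups[group] += 1
        if caller:
            callers[caller] += 1
    return groups, callers


if __name__ == "__main__":
    groups, callers = tally(SAMPLE_LOG.splitlines())
    for name, count in sorted(groups.items(), key=lambda kv: kv[1]):
        print("%7d %s" % (count, name))
```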