KDE 3.1: delayed
Dirk Mueller
mueller at kde.org
Thu Dec 5 23:44:24 GMT 2002
Hi,
The KDE 3.1 release has to be delayed further. Here is why.
On November 26th, we were notified by FozZy from the "Hackademy
Audit Project" about security problems in KDE. They can, after user
interaction, cause unwanted execution of commands with the
privileges of the user who runs KDE. We fixed those on the same day and
updated the "hopefully final" KDE 3.1 tarballs. Unfortunately, it was
becoming clear after a quick search in the KDE CVS that the
problematic code is repeated in many places and in many variations.
Yesterday, on the targeted announcement date of KDE 3.1, Waldo and I
realized that while we had only audited maybe 30% of the code yet, we had
found enough occasions for them to be a big showstopper.
A short query on the packagers mailing list showed that for the majority
there is no big pressure on having KDE 3.1 released
according to the schedule. I consider a 3.1 with known security bugs a
no-go anyway; even though we first thought that those were minor enough that the fix
could wait for 3.1.1, I no longer think that this is the case.
Waldo, George, Lubos and I think that we can finish the audit by the middle/end
of next week. This however puts us in a bad position: it's unlikely that we
get many binary packages so shortly before the Christmas holidays, which means
that KDE 3.1 would go out, if released this year, probably with few or
no binary packages at the announcement date.
So, to sum up, we have two options:
a) Try to finish ASAP and try to get it out before Christmas. December
12 could be a good tagging date.
b) Take the time and schedule for a release next year. Something around
January 8, 2003 sounds like a good candidate (tagging date,
announcement roughly a week later).
I like neither of them, but I prefer to go with b), as it also allows
for other bugs which have been reported to be fixed. For an impression just
have a look at the lately steadily rising open bug count on
http://bugs.kde.org/.
In any case, I'll tar up and release the current 3_1_BRANCH as 3.1RC5 in a few
hours. Many fixes for the above mentioned security problems are in there,
but there are still big chunks of code and patches pending for review. There
will be no binary packages, as those which were made during the last week
call themselves "KDE 3.1 final" and are not up to date anyway.
As soon as the code review is finished we will have to release updates for
KDE 3.0.x (and at least patches for KDE 2.x) anyway.
Comments, opinions, suggestions, flames welcome.
Dirk