Which applications does the Plasma team recommend to use with Plasma?

Martin Graesslin mgraesslin at kde.org
Tue Jul 5 11:23:58 UTC 2016


On Tuesday, July 5, 2016 3:51:45 PM CEST R.Harish Navnit wrote:
> On Tue, Jul 5, 2016 at 11:36 AM, Martin Graesslin <mgraesslin at kde.org> wrote:
> > On Monday, July 4, 2016 10:52:12 PM CEST Thomas Pfeiffer wrote:
> > > On 04.07.2016 18:37, Martin Gräßlin wrote:
> > > > Am 2016-07-04 14:43, schrieb Thomas Pfeiffer:
> > > >> Hi everyone,
> > > >> every now and then, distributions approach us asking which
> > > >> applications they should ship by default with Plasma, or they
> > > >> complain
> > > >> about us not providing such information.
> > > >> Although the Plasma team of course does not have to provide such
> > > >> information, it may still be helpful also for us because we can try
> > > >> to
> > > >> make sure that these applications work well in Plasma.
> > > >> Choosing such applications is not an easy task, but to get things
> > > >> started, a group of people who were stranded in Bielefeld waiting for
> > > >> their trains after a meeting sat together to come up with an initial
> > > >> suggestion. Here is the result:
> > > >> 
> > > >> File manager: Dolphin
> > > >> Music player: Cantata
> > > > 
> > > > I think Cantata is unsuited as it requires an mpd running. Given that
> > > > it's
> > > > out of scope for simple usage.
> > > 
> > > Have you set up Cantata lately? Yes, it requires mpd, but it sets one up
> > > all by itself if you don't have one.
> > > You tell it where your library is and it does the rest, not more
> > > complicated than any other music player.
> > > We would not have included it in this list if it required setting up mpd
> > > manually.
> > 
> > ok, but that's then something which needs to be pointed out to
> > distributions that they set up the packaging correctly.
> > 
> > > >> Document viewer: Okular
> > > > 
> > > > Here we need to be careful given that there is no release based on Qt
> > > > 5
> > > > (note that some distros ship with it but master has a terrible and
> > > > annoying warning in your face dialog about that) and Qt 4 is EOL.
> > > > Given
> > > > that viewing pdfs is something which has been exploited in the past
> > > > and
> > > > is network attackable in worst case, I think it's not a good choice.
> > > > As
> > > > long as there is no Qt5-maintained release I would say it needs to be
> > > > evince or none.
> > > 
> > > This is a difficult issue, then. Is there any way we can help Albert
> > > with
> > > finishing the Qt5 port? Not
> > > having a well-integrated PDF reader is not a good situation to be in. Of
> > > course the same is true
> > > for the other areas where we don't recommend anything, but it feels like
> > > Okular would be the
> > > easiest to get to a point where it could be recommended.
> > 
> > I don't know if there is a way to help with the port. After having seen
> > the
> > in-your-face warning I had a feeling that running the dev build is
> > discouraged by the Okular developers. That makes it difficult to help as
> > not even bug reports are wanted (given the in-your-face dialog). But we
> > two already discussed that in private.
> > 
> > > >> Software center: Discover
> > > >> Communication: Konversation, KDE Telepathy (cautiously, because while
> > > >> it works well at the moment, it is also looking for a maintainer)
> > > >> Password storage: KWalletmanager, kwallet-pam
> > > > 
> > > > While KWalletmanager gives a good integration in some KDE applications
> > > > it's
> > > > nothing I would recommend as a wallet manager. It is not well
> > > > integrated
> > > > into Plasma, it is not secure, it has a terrible first run experience
> > > > with recommending to use a GPG key and then telling you that you don't
> > > > have one and does not have any concept of synchronization. In the area
> > > > of
> > > > password storage there are way better solutions available in the FLOSS
> > > > world
> > > 
> > > I agree, KWalletmanager as it is now is _not_ a good password manager.
> > > The
> > > reason why we
> > > integrated it in that list is that things like Plasma-NM only work
> > > automatically with KWallet, so
> > > there is not really a way around that, and KWalletManager is the only
> > > practical to see or remove
> > > passwords stored in KWallet.
> > > The situation with KWallet is a huge problem for Plasma, which has to be
> > > solved. KSecretService would have been the solution, but unfortunately
> > > Valentin has no more time to
> > > work on it.
> > > There are various solutions for this problem, but we have to take one,
> > > and
> > > we do need some
> > > form of keyring to store things like wifi keys in an encrypted store.
> > > 
> > > I will open a separate thread for this issue, as it's too big to be
> > > discussed within this thread.
> > 
> > sounds like a good idea to start a new thread about that.
> > 
> > > >> Hardware support: Skanlite, Print manager
> > > >> Utilities/system tools: KCalc, KDE Connect, Konsole, KSysguard, Kate,
> > > >> Kamoso (if a distro wants to ship a webcam app at all)
> > > >> Office suite: We do not recommend one at the moment
> > > >> Pim suite: We do not recommend one at the moment.
> > > >> Browser: We do not recommend one at the moment
> > > > 
> > > > for browser I would turn the recommendation the other way: let's
> > > > explicitly
> > > > recommend to not use any of the Qt browsers.
> > > 
> > > I've heard people using e.g. QupZilla as their daily browser and not
> > > being
> > > unhappy with it. I don't think it's at a state where I'd explicitly
> > > recommend it, but it's not so bad that I'd recommend _against_ it.
> > 
> > And from a security perspective?
> 
> Are there any known security flaws with Qt browsers ? I just tried out
> QupZilla and I really like it. The interface is neat and it's not
> taking much memory either. I'm really enjoying it to be honest. But
> what I don't know is, how secure it is ?
> 
> I'm just being curious here. I'm definitely tilting towards wanting to
> use QupZilla on a daily basis, and would be glad to receive any
> heads-ups before I take the plunge :-)

The problem, as I see it, is that I don't trust Qt to update when there are 
security issues. That's based on how long we had to wait for Qt 5.6.1. I just 
tried to figure out which issues in QtWebEngine were fixed in 5.6.1, but that's 
not possible. The changelog 
( https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.6.1?h=5.6.1 ) 
does not list them. It only says it's up to ... 2704.63. So are the issues 
mentioned in 
https://googlechromereleases.blogspot.de/2016/06/stable-channel-update_16.html 
fixed or not? And what about those in 
https://googlechromereleases.blogspot.de/2016/06/stable-channel-update.html ?

That's the problem I see with Qt based browsers - I don't think the Qt team is 
up to the task of doing timely security fixes for their software. Also caused 
by Qt's release model of releasing all together. QtWebEngine would need 
updates whenever chromium updates.

I'm writing that with my security hat on and not with my "I would like to see 
Qt applications" hat.

Cheers
Martin