Upcoming KDE 4.4 vs. Bug #162485 (no suitably sufficient SSL/TLS support)
Matthias Andree
matthias.andree at gmx.de
Fri Jan 8 21:41:25 CET 2010
On 08.01.2010 at 17:22, Sebastian Kügler <sebas at kde.org> wrote:
> Hi Matthias,
>
> Thanks for contacting the KDE team.
>
> On Friday 08 January 2010 15:12:13 Matthias Andree wrote:
>> I need help finding out who is the responsible release manager for KDE 4.4,
>
> KDE's releases are managed by the release-team, a group of people from
> various areas that package, test and release the software. You can reach
> the Release Team at release-team at kde.org. I've added this mailing list
> to the CC:.
Thank you.
>> as I need to bring bug #162485 to his attention; there have even been
>> sponsorship offers. Please provide me with relevant e-mail addresses or
>> names of people, or a suitable mailing list. See
>> https://bugs.kde.org/show_bug.cgi?id=162485 for details.
>
> This bug has indeed my attention, and as you note, it is a concerning
> one. The problem is, however, until anybody comes along and writes the
> code, even sponsorship requests don't help.
There have been third-party offers in the bug report.
> Maybe contacting a company that can help here with the available funds
> would be the way to go? At least that could help solving the "have money,
> need feature"-problem. There are some companies around that have done
> contracted work on KDE in the past.
The problem - to me - seems to be that showstopper bugs aren't stopping
the KDE show to gain the necessary attention, and KDE isn't suitable for
users who cannot work around the issue and add the trusted SSL
certificates manually.
I'd say deferring the release until it has the critical features might get
the necessary attention, and possibly distributors such as Red Hat,
Novell, or Mandriva might delegate their staff. Mark Shuttleworth (Ubuntu)
also offered help to other projects in the "On Cadence and Collaboration"
discussion a few months ago.
>> KDE 4.X has always been lacking functioning SSL/TLS certificate
>> management, and thus many sites are migrating away from KDE to GNOME,
>> and KDE is unusable now that 3.x is de-facto unmaintained and 4.x only
>> works with unencrypted connections.
>
> As far as I know, basic SSL support actually works in many cases. It's
> the certificate management that's lacking. I might not understand this
> well enough, this is what I've got from recent discussions (the one
> Richard Bos summarizes in the bug-report).
Agreed on the "SSL works, but no Cert' management available" - there used
to be mock-up dialogues that were sort of design previews, and I've seen
them standalone as crypto kcmshell, and in Kleopatra, but I fail to
understand why there are now four KDE releases with a fifth imminent, that
lack an essential feature, and there isn't even a workaround of - for
instance - looking into the default OpenSSL /etc/ssl/certs/ directory, or
workaround instructions for distributors.
> What we're dealing with here, is a complex and unfortunate situation. An
> important feature in our network stack is incomplete, and we haven't been
> able to find someone to work on this. This is something that can (and
> does) happen in volunteer-driven software projects, though. Additionally,
> SSL code is usually pretty complex, so those that understand it well
> enough, and can implement such a feature are relatively rare and often
> already very busy.
I understand the resource issue, but that's not an excuse to pretend
everything were in perfect order. The earlier 4.X releases were flagged as
sort-of tech previews, but the later ones were announced as stable and
suitable for production use, when they were not.
Perhaps lessons can be learnt from how the Debian project deals with "RC"
(release critical) bugs.
At the very least, the bug should be upgraded to critical by someone with
sufficient Bugzilla privileges and there should also be a public request
for help with such critical features, and whom skilled people could
contact should they have interest.
I'm not skilled enough with Qt and KDE so I cannot offer coding help
myself, I am also behind on my own projects, notably fetchmail and
leafnode.
I think a publicly visible call for help, or bug stomping fests, or more
rigid "no new features accepted before bugs a b c n m are resolved"
schemes might sell KDE contributors and large-scale users (think
distributors) a hint that there's something essential missing from KDE
that needs help that cannot be provided by the project itself.
I'm looking forward to the first KDE 4.X release that will feature proper
certificate management...
--
Matthias Andree