Given that I've noticed that "libsocialweb-core" is very keen on speaking to "r-199-59-148-87.twttr.com" A.K.A twitter on port 443 without me as little as have configured twitter account let alone having any "online accounts" configured in Gnome which makes one wonder what the hell they are chatting about I would very much like to know how I can disable it all together since I cant remove this from my computer without removing gnomeshell along with it.
Any particular reason why this was not designed to be an extension/addon/plugin to Gnome3?
Thanks JBG
2011/11/29 "Jóhann B. Guðmundsson" johannbg@gmail.com:
Given that I've noticed that "libsocialweb-core" is very keen on speaking to "r-199-59-148-87.twttr.com" A.K.A twitter on port 443 without me as little as have configured twitter account let alone having any "online accounts" configured in Gnome which makes one wonder what the hell they are chatting about I would very much like to know how I can disable it all together since I cant remove this from my computer without removing gnomeshell along with it.
The chatting with twitter issue should be fixed with the 0.25.20 release.
Peter
On 11/29/2011 01:19 AM, Peter Robinson wrote:
2011/11/29 "Jóhann B. Guðmundsson"johannbg@gmail.com:
Given that I've noticed that "libsocialweb-core" is very keen on speaking to "r-199-59-148-87.twttr.com" A.K.A twitter on port 443 without me as little as have configured twitter account let alone having any "online accounts" configured in Gnome which makes one wonder what the hell they are chatting about I would very much like to know how I can disable it all together since I cant remove this from my computer without removing gnomeshell along with it.
The chatting with twitter issue should be fixed with the 0.25.20 release.
Good that CVE-2011-4129 is fixed however I still would like to disable/remove this all together since I have no interest at all having my desktop making arbitrary connections and feeding social network sites what I am doing on the computer behind my back.
Thanks Jóhann B.
2011/11/29 "Jóhann B. Guðmundsson" johannbg@gmail.com:
On 11/29/2011 01:19 AM, Peter Robinson wrote:
2011/11/29 "Jóhann B. Guðmundsson"johannbg@gmail.com:
Given that I've noticed that "libsocialweb-core" is very keen on speaking to "r-199-59-148-87.twttr.com" A.K.A twitter on port 443 without me as little as have configured twitter account let alone having any "online accounts" configured in Gnome which makes one wonder what the hell they are chatting about I would very much like to know how I can disable it all together since I cant remove this from my computer without removing gnomeshell along with it.
The chatting with twitter issue should be fixed with the 0.25.20 release.
Good that CVE-2011-4129 is fixed however I still would like to disable/remove this all together since I have no interest at all having my desktop making arbitrary connections and feeding social network sites what I am doing on the computer behind my back.
It does not do that.
On 11/29/2011 10:59 AM, drago01 wrote:
2011/11/29 "Jóhann B. Guðmundsson"johannbg@gmail.com:
On 11/29/2011 01:19 AM, Peter Robinson wrote:
2011/11/29 "Jóhann B. Guðmundsson"johannbg@gmail.com:
<snip>
Good that CVE-2011-4129 is fixed however I still would like to disable/remove this all together since I have no interest at all having my desktop making arbitrary connections and feeding social network sites what I am doing on the computer behind my back.
It does not do that.
Well apparently this one did as in that gave Twitter information on every successful Fedora 16 user login to gnome shell in default installation initiating unasked and silent transaction with twitter without the user consent and no obvious way to disable it, done over an non verified ssl connection leaving it vulnerable to mitm attack as Henrik mentions on the CVE.
So whether it did or did not is irrelevant since the risk of application leaking private information such as you contacts list phone numbers, email addresses chat contacts or as little as to simply if you are logged then ofcourse at the same time your location etc. to online social networking sites for harvesting and further user profiling or to some unknown location that has hijacked your connection is at hand.
For you that might not matter but to my clients,my family and my friends it does thus again how can I disable/remove "libsocialweb-core" so I can reduce the risk/prevent applications from "accidentally" doing that?
But given that nobody seems to be able to answer the question on how to disable/remove it which indicates that the ability to do that does not exist, does upstream Gnome keep an list of application that are using "libsocialweb-core" so relevant application can be replaced and recommended with alternatives that do not use "libsocialweb-core" to better maintain their desktop privacy?
Seriously are we heading the way with Gnome that the Fedora users now have to grant "Permissions" similar to [1] with each Fedora "Default" installation for the applications that come with it...
Regards JBG
1.
As can be seen on permission page for the facebook android application page the all so popular social networking site which I assume majority if it's user base blindly accepts and installs simply cause it does not know better...
https://market.android.com/details?id=com.facebook.katana&feature=search...
On Tue, 2011-11-29 at 12:52 +0000, "Jóhann B. Guðmundsson" wrote:
For you that might not matter but to my clients,my family and my friends it does thus again how can I disable/remove "libsocialweb-core" so I can reduce the risk/prevent applications from "accidentally" doing that?
You're taking an instance of a bug and claiming it's a fundamental design pattern.
Perhaps you shouldn't.
- ajax
On Tue, 29 Nov 2011 09:34:37 -0500 Adam Jackson wrote:
On Tue, 2011-11-29 at 12:52 +0000, "Jóhann B. Guðmundsson" wrote:
For you that might not matter but to my clients,my family and my friends it does thus again how can I disable/remove "libsocialweb-core" so I can reduce the risk/prevent applications from "accidentally" doing that?
You're taking an instance of a bug and claiming it's a fundamental design pattern.
Perhaps you shouldn't.
Well to me it seems more like he's:
1. questioning why is this lib an integral part of gnome shell while it obviously just adds an add-on-like functionality; and
2. asking how to get rid of it in a way that would leave his gnome-shell working and still not put his personal info into danger in case another similar bug in this lib appears in the future.
Cheers, Martin
On 11/29/2011 02:45 PM, Martin Sourada wrote:
On Tue, 29 Nov 2011 09:34:37 -0500 Adam Jackson wrote:
On Tue, 2011-11-29 at 12:52 +0000, "Jóhann B. Guðmundsson" wrote:
For you that might not matter but to my clients,my family and my friends it does thus again how can I disable/remove "libsocialweb-core" so I can reduce the risk/prevent applications from "accidentally" doing that?
You're taking an instance of a bug and claiming it's a fundamental design pattern.
Perhaps you shouldn't.
Well to me it seems more like he's:
- questioning why is this lib an integral part of gnome shell while
it obviously just adds an add-on-like functionality; and
- asking how to get rid of it in a way that would leave his
gnome-shell working and still not put his personal info into danger in case another similar bug in this lib appears in the future.
Yes thanks Martin that's exactly what I meant.
Regards JBG
"Jóhann B. Guðmundsson" (johannbg@gmail.com) said:
- asking how to get rid of it in a way that would leave his
gnome-shell working and still not put his personal info into danger in case another similar bug in this lib appears in the future.
Yes thanks Martin that's exactly what I meant.
rpm -e --nodeps
(when in doubt, try the obvious thing.)
Bill
On 11/29/2011 04:50 PM, Bill Nottingham wrote:
rpm -e --nodeps
(when in doubt, try the obvious thing.)
Perhaps your solution to solve all your problems is with "rpm -e --nodeps $foo" then eat what breaks for breakfast but rpm -e --nodeps is not something I can recommend to novice end users not even as a workaround around for this nor is this something would ever propose to them.
An equally drastic measure would be to "chmod 0 /usr/lib64/libsocialweb/services/*" and ask them to remove/replace empathy,evolution, gnome contacts etc. with something else.
Arguable it's an bit of an hefty price to pay having people to stop using application they have grown custom to use ( let alone just after they are/have been growing custom to Gnome shell in general ) to ensure their privacy because this was not design to be an extenstion/addon to those gnome shell/applications in the first place or because of an lack of an heavy off switch that disables the social networking feature alltogether and ensures at the same time that application dont/cant accidentally leak your data to some social networking site due to an bug or some other issue.
If Gnome has reach that point that it no longer can ensure peoples privacy in application it's ships with and an bug might "accidentally" leak it's data silently to some online social networking site for others to harvest arguable then they might just be better off switching to something else and we to another default at the same time.
If such an proposal was up for Fedora's user base to vote upon I'm pretty sure Gnome as an default desktop might not fair as well as one might think.
Ofcourse I could be wrong and it would reassure it's position as the dominating default amongst Fedora's user base and the only way to find out would be to actually allowing user to cast a vote on a such proposal.
Personally I think it's just best left up to an browser to chase every social networking site that pops up and exist out there instead of trying to integrate and playing that game in the desktop itself.
Thanks JBG
On Tue, 2011-11-29 at 11:50 -0500, Bill Nottingham wrote:
"Jóhann B. Guðmundsson" (johannbg@gmail.com) said:
- asking how to get rid of it in a way that would leave his
gnome-shell working and still not put his personal info into danger in case another similar bug in this lib appears in the future.
Yes thanks Martin that's exactly what I meant.
rpm -e --nodeps
(when in doubt, try the obvious thing.)
Sabotaging the distribution's package management system really is not a reasonable solution to anything.
I have to say I share Johann's concerns to some degree. It's quite difficult to see why GNOME is going in this direction of considering IM / social networking systems to be 'core desktop functionality'. They are not. The fact that lots of people use such things does not, in and of itself, make them necessarily a core part of the desktop.
Looked at from a high-level theoretical viewpoint, twitter and Google+ and facebook and MSN and whatever else are just communication mechanisms - various slightly differently-presented ways of sending messages to other people. Do we build an IRC client into Shell next? An email client? Usenet? Did we build an IRC client or email client into the GNOME 1 or GNOME 2 shells, when those communication methods were in vogue? Those are also just different takes on the basic idea of 'intra-personal text-based communication'. Designing a desktop around the precise format of whatever communication method happens to be in vogue at the time you design it looks like an excellent way to engineer obsolescence, to me.
On Tue, 2011-11-29 at 10:18 -0800, Adam Williamson wrote:
I have to say I share Johann's concerns to some degree. It's quite difficult to see why GNOME is going in this direction of considering IM / social networking systems to be 'core desktop functionality'. They are not. The fact that lots of people use such things does not, in and of itself, make them necessarily a core part of the desktop.
The way the dependency works here is that gnome-shell uses the folks library for displaying contacts as search results in the overview. Folks has a frontend-backend abstraction with a number of different backends (for eds, for libsocialweb, for telepathy...). For the purposes of presenting an integrated experience, we are really mostly interested in the eds and telepathy backends, while the libsocialweb one was one that caused this problem... One obvious solution to the 'bad gnome, it doesn't let me uninstall its bits one-by-one' complaint would be to break out the folks backends as subpackages. I expect us to hard-require the eds and telepathy ones in the shell, but the libsocialweb one could easily be an optional add-on.
On Tue, 2011-11-29 at 13:37 -0500, Matthias Clasen wrote:
On Tue, 2011-11-29 at 10:18 -0800, Adam Williamson wrote:
I have to say I share Johann's concerns to some degree. It's quite difficult to see why GNOME is going in this direction of considering IM / social networking systems to be 'core desktop functionality'. They are not. The fact that lots of people use such things does not, in and of itself, make them necessarily a core part of the desktop.
The way the dependency works here is that gnome-shell uses the folks library for displaying contacts as search results in the overview. Folks has a frontend-backend abstraction with a number of different backends (for eds, for libsocialweb, for telepathy...). For the purposes of presenting an integrated experience, we are really mostly interested in the eds and telepathy backends, while the libsocialweb one was one that caused this problem... One obvious solution to the 'bad gnome, it doesn't let me uninstall its bits one-by-one' complaint would be to break out the folks backends as subpackages. I expect us to hard-require the eds and telepathy ones in the shell, but the libsocialweb one could easily be an optional add-on.
That does seem more sensible, yes. I think this isn't just a solution to a complaint you might see as a bit bogus, but sensible engineering: the various service-specific backends to a general-purpose library like folks *should* be modular.
On Tue, Nov 29, 2011 at 6:37 PM, Matthias Clasen mclasen@redhat.com wrote:
On Tue, 2011-11-29 at 10:18 -0800, Adam Williamson wrote:
I have to say I share Johann's concerns to some degree. It's quite difficult to see why GNOME is going in this direction of considering IM / social networking systems to be 'core desktop functionality'. They are not. The fact that lots of people use such things does not, in and of itself, make them necessarily a core part of the desktop.
The way the dependency works here is that gnome-shell uses the folks library for displaying contacts as search results in the overview. Folks has a frontend-backend abstraction with a number of different backends (for eds, for libsocialweb, for telepathy...). For the purposes of presenting an integrated experience, we are really mostly interested in the eds and telepathy backends, while the libsocialweb one was one that caused this problem... One obvious solution to the 'bad gnome, it doesn't let me uninstall its bits one-by-one' complaint would be to break out the folks backends as subpackages. I expect us to hard-require the eds and telepathy ones in the shell, but the libsocialweb one could easily be an optional add-on.
I'm not sure why its actually currently built in at the moment, I don't believe its used for any of the above. In Fedora 16 the only online account that seems to be supported in GOA is google, so while its obviously planned to be used in the future I'm not sure it is actually currently used.
Peter
"Jóhann B. Guðmundsson" (johannbg@gmail.com) said:
On 11/29/2011 04:50 PM, Bill Nottingham wrote:
rpm -e --nodeps
(when in doubt, try the obvious thing.)
Perhaps your solution to solve all your problems is with "rpm -e --nodeps $foo" then eat what breaks for breakfast but rpm -e --nodeps is not something I can recommend to novice end users not even as a workaround around for this nor is this something would ever propose to them.
The query was '[your] gnome-shell', not any random novice user. There are a variety of solutions that are appropriate for a short term local fix that aren't relevant for wider distribution. (There was one in the referenced bug as well.)
In any case, if your reaction to a single unintentional bug in one upstream component is to wax profoundly about upstream project directions and the future of the desktop... step back from the computer and take a few deep breaths. As much fun as rousing the rabble might be.
(Well, two unrelated bugs, but still...)
Bill
2011/11/29 "Jóhann B. Guðmundsson" johannbg@gmail.com:
On 11/29/2011 10:59 AM, drago01 wrote:
2011/11/29 "Jóhann B. Guðmundsson"johannbg@gmail.com:
On 11/29/2011 01:19 AM, Peter Robinson wrote:
2011/11/29 "Jóhann B. Guðmundsson"johannbg@gmail.com:
<snip> >> Good that CVE-2011-4129 is fixed however I still would like to >> disable/remove this all together since I have no interest at all having >> my desktop making arbitrary connections and feeding social network sites >> what I am doing on the computer behind my back. > It does not do that.
Well apparently this one did as in that gave Twitter information on every successful Fedora 16 user login to gnome shell in default installation initiating unasked and silent transaction with twitter without the user consent and no obvious way to disable it, done over an non verified ssl connection leaving it vulnerable to mitm attack as Henrik mentions on the CVE.
Firstly it didn't give twitter any information what so ever. It attempted to authenticate without an account configured so it sent blank details. The bug in libsocialweb was the fact that it even tried to authenticate when an account wasn't configured. There was a second bug in librest where it didn't verify the ssl connection. This has been fixed as well so with the update MITM issues should be gone, and without an account configured it won't even be attempted.
So whether it did or did not is irrelevant since the risk of application leaking private information such as you contacts list phone numbers, email addresses chat contacts or as little as to simply if you are logged then ofcourse at the same time your location etc. to online social networking sites for harvesting and further user profiling or to some unknown location that has hijacked your connection is at hand.
Its a failed auth attempt to a https server its not secretly uploading all your contact information or location.
For you that might not matter but to my clients,my family and my friends it does thus again how can I disable/remove "libsocialweb-core" so I can reduce the risk/prevent applications from "accidentally" doing that?
Without you configuring your account details in there its not actually possible for it to do that.
But given that nobody seems to be able to answer the question on how to disable/remove it which indicates that the ability to do that does not exist, does upstream Gnome keep an list of application that are using "libsocialweb-core" so relevant application can be replaced and recommended with alternatives that do not use "libsocialweb-core" to better maintain their desktop privacy?
The way to disable or remove it is the same for any package that is dependency in Fedora. Recompile dependant packages without it if you don't like the compile options. I believe the only dependency in this case is folks.
Seriously are we heading the way with Gnome that the Fedora users now have to grant "Permissions" similar to [1] with each Fedora "Default" installation for the applications that come with it...
No, you can just disconnect your network cable is you dislike it that much. It was a pair of bugs in applications, they happen, they have now been fixed, its really not the conspiracy theory that its being made out to be. There's likely a lot worse around if your audit the millions of lines of code that make up Fedora.
Peter
Peter
desktop@lists.stg.fedoraproject.org