FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Desktop

LinkBack Thread Tools
Old 11-29-2011, 06:22 PM
Bill Nottingham
Default Disable/remove "libsocialweb-core"

"Jˇhann B. Gu­mundsson" (johannbg@gmail.com) said:
> On 11/29/2011 04:50 PM, Bill Nottingham wrote:
> > rpm -e --nodeps
> >
> > (when in doubt, try the obvious thing.)
> Perhaps your solution to solve all your problems is with "rpm -e
> --nodeps $foo" then eat what breaks for breakfast but rpm -e --nodeps
> is not something I can recommend to novice end users not even as a
> workaround around for this nor is this something would ever propose to them.

The query was '[your] gnome-shell', not any random novice user. There are
a variety of solutions that are appropriate for a short term local fix
that aren't relevant for wider distribution. (There was one in the
referenced bug as well.)

In any case, if your reaction to a single unintentional bug in one
upstream component is to wax profoundly about upstream project directions
and the future of the desktop... step back from the computer and take a few
deep breaths. As much fun as rousing the rabble might be.

(Well, two unrelated bugs, but still...)

desktop mailing list
Old 11-29-2011, 06:23 PM
Peter Robinson
Default Disable/remove "libsocialweb-core"

2011/11/29 "Jˇhann B. Gu­mundsson" <johannbg@gmail.com>:
> On 11/29/2011 10:59 AM, drago01 wrote:
>> 2011/11/29 "Jˇhann B. Gu­mundsson"<johannbg@gmail.com>:
>>> On 11/29/2011 01:19 AM, Peter Robinson wrote:
>>>> 2011/11/29 "Jˇhann B. Gu­mundsson"<johannbg@gmail.com>:
> <snip>
>>> Good that CVE-2011-4129 is fixed however I still would like to
>>> disable/remove this all together since I have no interest at all having
>>> my desktop making arbitrary connections and feeding social network sites
>>> what I am doing on the computer behind my back.
>> It does not do that.
> Well apparently this one did as in that gave Twitter information on
> every successful Fedora 16 user login to gnome shell in default
> installation initiating unasked and silent transaction with twitter
> without the user consent and no obvious way to disable it, done over an
> non verified ssl connection leaving it vulnerable to mitm attack as
> Henrik mentions on the CVE.

Firstly it didn't give twitter any information what so ever. It
attempted to authenticate without an account configured so it sent
blank details. The bug in libsocialweb was the fact that it even tried
to authenticate when an account wasn't configured. There was a second
bug in librest where it didn't verify the ssl connection. This has
been fixed as well so with the update MITM issues should be gone, and
without an account configured it won't even be attempted.

> So whether it did or did not is irrelevant since the risk of application
> leaking private information such as you contacts list phone numbers,
> email addresses chat contacts or as little as to simply if you are
> logged then ofcourse at the same time your location etc. to online
> social networking sites for harvesting and further user profiling or to
> some unknown location that has hijacked your connection is at hand.

Its a failed auth attempt to a https server its not secretly uploading
all your contact information or location.

> For you that might not matter but to my clients,my family and my friends
> it does thus again how can I disable/remove "libsocialweb-core" so I can
> reduce the risk/prevent applications from "accidentally" doing that?

Without you configuring your account details in there its not actually
possible for it to do that.

> But given that nobody seems to be able to answer the question on how to
> disable/remove it which indicates that the ability to do that does not
> exist, does upstream Gnome keep an list of application that are using
> "libsocialweb-core" so relevant application can be replaced and
> recommended with alternatives that do not use "libsocialweb-core" to
> better maintain their desktop privacy?

The way to disable or remove it is the same for any package that is
dependency in Fedora. Recompile dependant packages without it if you
don't like the compile options. I believe the only dependency in this
case is folks.

> Seriously are we heading the way with Gnome that the Fedora users now
> have to grant "Permissions" similar to [1] with each Fedora "Default"
> installation for the applications that come with it...

No, you can just disconnect your network cable is you dislike it that
much. It was a pair of bugs in applications, they happen, they have
now been fixed, its really not the conspiracy theory that its being
made out to be. There's likely a lot worse around if your audit the
millions of lines of code that make up Fedora.


desktop mailing list

Thread Tools

All times are GMT. The time now is 05:12 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ę2007 - 2008, www.linux-archive.org