#961129 xscreensaver should not search for screensaver executables in PATH

Package: xscreensaver
Source: xscreensaver
Description: Screensaver daemon and frontend for X11
Submitter: Andrew Gallagher
Date: 2022-03-24 05:09:03 UTC
Severity: important

#961129#5
Date: 2020-05-20 12:46:02 UTC

Dear Maintainer,

Ever since I installed the magic-wormhole package, I have noticed that xscreensaver occasionally throws an error on the screen as follows:

```
Usage: wormhole [OPTIONS] COMMAND [ARGS]...
Try "wormhole --help" for help.

Error: no such option: -r
```

Luckily, invoking magic-wormhole with invalid options does not result in anything dangerous happening, but it raises the question whether potentially dangerous unintended behaviour is possible.

I believe this happens because xscreensaver is searching for known screensaver binaries, and finding `wormhole` in the PATH it blindly assumes that this is the `wormhole` from xscreensaver-data-extra, but it is not installed.

xscreensaver SHOULD search for screensavers only in /usr/lib/xscreensaver, where other packages are expected to install them. Any other executable on the PATH which may happen to have the same name as a known screensaver MUST NOT be invoked, as this may result in unintended behaviour.

Beware for example that `zoom` is the name of a known screensaver. I am glad that I do not have xscreensaver and zoom.us installed on the same machine. :-)

Andrew.
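
An added example, not part of the bug report or of xscreensaver: a Python audit that lists which known hack names would resolve to an unrelated executable on a given system. It assumes the lookup tries the hack directory first and then the rest of PATH; the hack names `attraction` and `glmatrix`, the helper names, and the temporary directory layout in `demo()` are constructed for illustration.

```python
import os
import shutil
import tempfile

HACK_DIR = "/usr/lib/xscreensaver"  # hack directory named in the report


def audit_hacks(hack_names, hack_dir=HACK_DIR, path=None):
    """Return {name: path} for hack names that resolve outside hack_dir."""
    path = os.environ.get("PATH", "") if path is None else path
    hack_dir_real = os.path.realpath(hack_dir)
    shadowed = {}
    for name in hack_names:
        # Assumed lookup order: hack_dir first, then the rest of PATH.
        found = shutil.which(name, path=os.pathsep.join([hack_dir, path]))
        if found is None:
            continue  # nothing by that name anywhere, so nothing would run
        if os.path.realpath(os.path.dirname(found)) != hack_dir_real:
            shadowed[name] = found  # an unrelated program would be launched
    return shadowed


def make_exe(directory, name):
    """Create a harmless executable stub (constructed test fixture)."""
    target = os.path.join(directory, name)
    with open(target, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(target, 0o755)


def demo():
    """Constructed layout: one hack installed, two name collisions on PATH."""
    with tempfile.TemporaryDirectory() as root:
        hacks, bins = os.path.join(root, "hacks"), os.path.join(root, "bin")
        os.mkdir(hacks)
        os.mkdir(bins)
        make_exe(hacks, "attraction")  # hack present in the hack directory
        make_exe(bins, "attraction")   # same name on PATH: hack dir wins
        make_exe(bins, "wormhole")     # stands in for magic-wormhole
        make_exe(bins, "zoom")         # stands in for the zoom.us client
        names = ["attraction", "wormhole", "zoom", "glmatrix"]
        found = audit_hacks(names, hack_dir=hacks, path=bins)
        return {n: os.path.relpath(p, root) for n, p in found.items()}


if __name__ == "__main__":
    print(demo())
```

Calling `audit_hacks(names)` with the defaults checks the live PATH against /usr/lib/xscreensaver; any name it returns is one that is missing from the hack directory but present elsewhere.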

#961129#10
Date: 2020-05-21 20:51:53 UTC

Thanks for the report, this has been discussed in bug #816722 as well.

Tormod

#961129#15
Date: 2021-10-06 21:35:18 UTC

Well, my kid does, and since he didn't notice the XScreenSaver error
about the missing binary, I had an interesting experience of tracking
down the root cause of malware-like behavior manifested by the above
bundle.

#961129#20
Date: 2021-10-06 21:52:29 UTC

Actually, the proprietary zoom silently ignores all(?) unrecognized
options, so I'm not even sure there were any visible indicators of the
issue besides the unexpected zoom icon in systray.

#961129#25
Date: 2021-10-12 11:53:45 UTC

I agree to "xscreensaver SHOULD search for screensavers only in
/usr/lib/xscreensaver, where other packages are expected to install
them", with the exception to allow users to specify a full path in
their xscreensaver config, in case they want to use something
installed elsewhere. There were objections to this also though, but I
guess one cannot please them all.

Tormod

#961129#30
Date: 2021-10-12 17:05:23 UTC

Well, you're wrong, and I'm not going to do that.

The fix is *simple and obvious*, make there be ONE xscreensaver installer package instead of FIVE -- one that installs *all* of XScreenSaver instead of only bits and pieces and expecting that to still work.

I cannot comprehend why you continue to refuse to implement this trivial fucking fix.

#961129#35
Date: 2021-10-13 11:36:31 UTC

Please behave when using the Debian forums.

I was obviously talking about what to do in the Debian package, not
upstream. I think it makes sense for us to not blindly pick whatever
is in the user's PATH. And we will eventually get to reunifying the
packages, it is a bit more work though due to assuring all kinds of
version upgrade paths will work smoothly and coordination with other
packages that might use and depend on these packages.

#961129#40
Date: 2021-10-13 14:57:43 UTC

So was I.

I was discussing *your* decisions that make *my* program malfunction for *my* users, and cause more work for *me*, the author and maintainer.

You are absolutely 100% wrong. Do not make this change. Many things will malfunction. Do not make the mistake of forking my program even more than you already have. That does not go well for any of us.

#961129#45
Date: 2021-10-14 16:26:56 UTC

I can see the argument for allowing the hacks to be installed without the XScreenSaver daemon, in case some other screen saver framework wanted to run them (do any of the other frameworks still support that? I don't think so?)

However, if the XScreenSaver daemon is installed, then *all* of XScreenSaver must be installed, or else you get the "zoom" problem and related.

That is how it was designed, and that is how it was tested. Trying to install bits and pieces of it and hoping it still holds together demonstrably does not work.

#961129#50
Date: 2022-03-24 04:59:04 UTC

It has been another 5 months with no response.

I am once again *begging* you to stop making it possible to install only *part* of XScreenSaver. It causes a constant stream of problems for no benefit.

Please, please, please, install the dependencies so that installing any part of XScreenSaver installs *the entire program* as I have designed and tested it.

This requires only a one line change to your dependency list. Your continued refusal to do this keeps causing problems for everybody, including me.