I would like Debian to stop shipping XScreenSaver

If any of you reading this have decision-making ability along those lines, I would appreciate your assistance in making this happen.

If you're wondering why: they are still shipping a version of my software that I released in 2014. Since that's roughly a decade in software years, it recently began popping up a single warning dialog when it launches, imploring the user to upgrade. The comment in the source code justifying this action reads:

/* If you are in here because you're planning on disabling this warning before redistributing my software, please don't.

I sincerely request that you do one of the following:

1: leave this code intact and this warning in place, -OR-

2: Remove xscreensaver from your distribution.

I would seriously prefer that you not distribute my software at all than that you distribute one version and then never update it for years.

I am constantly getting email from users reporting bugs that have been fixed for literally years who have no idea that the software they are running is years out of date. Yes, it would be great if we lived in the ideal world where people checked that they were running the latest release before they report a bug, but we don't. To most people, "running the latest release" is synonymous with "running the latest release that my distro packages for me."

When they even bother to tell me what version they're running, I say, "That version is three years old!", and they say "But this is the latest version my distro ships". Then I say, "your distro sucks", and they say "but I don't know how to compile from source, herp derp I eat paste", and everybody goes away unhappy.

It wastes an enormous amount of my time, and kind of makes me regret ever having released this software in the first place.

So seriously. I ask that if you're planning on disabling this obsolescence warning, that you instead just remove xscreensaver from your distro entirely. Everybody will be happier that way. Check out gnome-screensaver instead, I understand it's really nice.

Of course, my license allows you to ignore me and do whatever the fuck you want, but as the author, I hope you will have the common courtesy of complying with my request.

Thank you!

jwz, 2014

*/

To the surprise of nobody, many of the people commenting on the Debian bug report take the attitude of, "Well if it's legal to do something, then it must also be right to do it", and want to distribute an altered version of my software against my explicit wishes.

As I said above, I'd really rather they not do that. I'd rather they not distribute it at all.

("Upgrade the software more often than every several years" is apparently an option they won't even countenance, but that's neither here nor there. Though in case you were wondering whether there have been serious bugs fixed since 2014 -- security-related bugs -- the answer is yes.)

The issue here is taking advantage of a creator's work, ignoring their wishes, and giving nothing back in return. That's just lame.


312 Responses:

  1. Shevek says:

    Ouch... Mint has v5.15 from 2011

    • Just 'cause I'd literally never heard of a Linux distribution called "Mint", I asked Google. https://www.linuxmint.com/'s description meta tag reads, "Linux Mint is an elegant, easy to use, up to date and comfortable GNU/Linux desktop distribution." (Emphasis mine.)

      • Michael Catanzaro says:

        Last week I got a bug report from a Mint user, complaining about a major, game-breaking bug in a little GNOME desktop game that was fixed two and a half years ago. The user only needed a bugfix-only point release upgrade (from the latest Mint version x.y.z to ancient version x.y.z+1) to get the fix. This upgrade would have fixed multiple major issues.

        I would say the Mint developers are not even trying, but they actually just inherit this mess from Ubuntu.

  2. Jeff Warnica says:

    I'm impressed - scared? - that someone capable of using diff(1) is also someone who I honestly think might swallow their tongue tonight out of sheer inability to human.

    We live in a strange world.

  3. ACN says:

    This thread was like waking up in the land of the underpants gnomes.

    Panic about a warning message with no one concerned about the actual security implications...

    • Aigars Mahinovs says:

      There are no security implications - all security fixes have been backported long ago. Mostly within 24 hours of a fix in xscreensaver mainline.

  4. Jason McHuff says:

    Providing no software is better than providing bad software

    • idgas says:

      This and the discussed issue implies this software has to be really, really bad. No matter what, if it's going to be bad in 2 years because of a race condition it definitely has to be bad right now as well.

  5. Michael Aldridge says:

    Nice, that debian bug report was worth a laugh. After some reading of vulns that have been fixed over the years, we chose to pull xscreensaver from all workstations until we can pivot to a newer distro in a few months. Love the software but can't tolerate the security risk. Fortunately in a few months we'll be on Void Linux which consistently follows upstream releases within a few days of posting.

    • osman says:

      You are so ignorant that you must be kidding or trolling. xscreensaver in Debian has no unfixed vulnerabilities. If you know a specific vulnerability that isn't fixed in Debian please specify it here so they can be informed.

      • Jimbo213Mo says:

        JWZ only distributes the source code - well I'm a newbie to Linux and I don't know how to compile it.

        If JWZ is so brilliant to make XScreenSaver then why isn't he smart enough to create the backup code so the apt-get update/upgrade works? I'd rather FIX the problem than just sudo apt-get remove xscreensaver.

        • BHN says:

          If you genuinely can't look up and figure out enough about local compilation then you probably don't deserve the beauty that is XScreenSaver anyway. ;-)

          • Jim Holstein says:

            No I can't, I'm 67 and "local compilation" is beyond my interest and ability as a DOS guy from years past.
            It appears then - sudo apt-get remove xscreensaver is my solution.

            I still believe if JWZ is smart enough he SHOULD invent the apt-get update/upgrade - or is he just L-A-Z-Y ! ! !

            • BHN says:

              You do not understand.

              • Jim Holstein says:

                Then I humbly [really!] apologize to JWZ for the insult.
                Life is too short to bad-mouth anyone, much less someone this talented.

                It turns out that sudo apt-get update/upgrade is what caused my problems on the Raspbian Jessie, Kodi 15.2 on my RaspberryPi

                I'm going to format the SD card and install OpenElec.
                It is supposed to be easier for the Linux-Challenged.

                Again, apologies to JWZ and to others equally offended.

                • ssl-3 says:

                  "sudo apt get upgrade" are the words of "Expect fuckery in 3...2...."

                  It doesn't matter your age. Or that you're operating on a RaspPi (which is way more capable than my first dozen Linux boxes were).

                  The point is, it's a Debian problem. And Debian should probably either delete the offending code, or actually update it. (It's GPL, IIRC, so they could just remove the warning and most references to JWZ that exist outside of READMEs, but that doesn't really help anything either, and would probably be more work than just taking in a more recent build of xscreensaver.)

                  As for self-compilation, "configure;make;make install" usually does the trick. It does tend to make a mess out of things, but you'll have that when you step outside of a walled garden.

                • Ann On says:

                  Hi!

                  The others bash on you but don't explain: You have no security vulnerability in your version of XScreenSaver. The patches for vulns have been back ported to earlier versions.

                  Google up "back porting" and "semantic versioning" if you are interested in the details.

            • margaret says:

              you say it's beyond your interest yet don't respect that solving YOUR frustration in the way prescribed is beyond jwz's interest. (and don't ever use your age as an excuse again, please)

            • fwolf says:

              uhm .. I've started out a DOS guy as well.

              So what's your point, exactly? If you know your DOS, you'd stop complaining and get that

              sudo apt-get build-dep xscreensaver
              ./configure
              make
              sudo checkinstall

              thing done as quick as possible!

              Else you're not a DOS guy, just a fake :P

              cu, w0lf.

              ps: and before you complain - of corpse I tried that out meself. Works like a charm ^_^

              • Susanna says:

                Thanks to fwolf for getting me started. The above comment omitted a couple important steps:

                apt-get source xscreensaver
                cd /usr/src/xscreensaver_5.30

                (or else the ./configure command above isn't found)

                And of course, if you don't patch it you end up down-grading the security. That's why it's important to build a patched debian package:

                apt-get install devscripts
                debuild -b -uc -us (in place of configure and make)
                and install it
                cd /usr/src
                dpkg -i xscreensaver*.deb

                It's also important to fix the bug, which triggers off the source code modification date, so I touched one source code file before starting my debian build command. I have wasted entirely too much time reading this page and the Debian bug report page. I am aware that I will have to touch the source and re-compile annually. It's worth it to me to get rid of the message. I've always enjoyed xscreensaver very much. My suggestion would be to go on vacation, talk to some people who barely know how to use computers, and if you are still very frustrated and annoyed by the bug reports, hand the user support part of the project over to a fresh pair of eyes, somebody who won't be annoyed by it. Users are clueless, of course, that's never going to change. :)

        • FelixRay says:

          >>If JWZ is so brilliant to make XScreenSaver then why isn't he smart enough to create the backup code so the apt-get update/upgrade works?

          I don't think it works that way. This is on the distro maintainers.

          >>well I'm a newbie to Linux and I don't know how to compile it.

          I did a lot of compiling when I was new, and here's the deal. Compiling is easy... except when it isn't. You need to have the necessary development packages,

          apt-get install build-essential, download and open the package, cd to the directory and

          ./configure
          make
          sudo make install

          That almost always works. When it doesn't, sometimes it's because of dependencies, and then you go back and install those. Or sometimes, it just doesn't work. A better man would probably know what to do, but I'm no pro, and at this point, I usually wind up giving up. Sadly, x-screensaver seems to be one of those exceptions.

          I don't know about anyone else, but for me the appeal is mostly nostalgia. When I first got started with Linux back in 2002, and I didn't know anything, the gorgeous, endlessly surprising xscreensaver was the first sign that I was onto something. Sooner or later, I guess I'll just have to let it go.

      • Commandhat says:

        You are correct. xscreensaver in Debian has no unfixed vulnerabilities.

        I repeat:

        xscreensaver in Debian.

        What if we consider all unfixed vulnerabilities... you know, the very reason this version of xscreensaver exists?

        • FelixRay says:

          If I've got a big old desktop in my apartment, and I don't need to lock my screen, I'm fine, right?

          • ssl-3 says:

            If your attacker already has access to your apartment, he's probably also kicked your dog and raped your girlfriend and stolen everything easily-fenced that was easy to grab.

            Your leaked data is not on the same page. Is probably not even in the same book.

      • foobar says:

        The amount of ineptitude in Debian's maintenance amazes me...

        How exactly have "all vulnerabilities" been fixed?

        Debian people have the time to go through the xscreensaver code updates with a fine-toothed comb and understand all changesets and their security implications, but would rather not bother updating the whole package -- just continue porting (and patching) their old version?

        Or do they just port hastily any upstream change marked with large red letters as a "security fix", without bothering to understand whether larger refactorings and changes also fix security issues?

  6. Mike Edwards says:

    Welcome to the wonderful world of Linux distros and 'stable releases'. Distros like Debian and RHEL/CentOS typically don't follow upstream updates - they prefer to keep the same working releases the distro's current stable release included. That being said, it's up to the package maintainer to apply patches to fix security vulnerabilities, bugs affecting functionality, etc, sometimes with input from the original software author, but this is generally not a requirement.

    Yep, that means your software will be stale after a while, since Debian and RHEL/CentOS release a new stable version every few years.

    JWZ, your complaint needs to go to the maintainer for Debian's xscreensaver package - in fact, end users who run into bugs should also go to the maintainer, not you. It'd be more than fair for you to point this out to them (assuming you haven't already, and aren't sick of doing so :P ).

    Here's who you need to talk to:

    Package: xscreensaver
    Status: install ok installed
    Priority: optional
    Section: x11
    Installed-Size: 2130
    Maintainer: Tormod Volden
    Architecture: amd64
    Source: xscreensaver (5.30-1)
    Version: 5.30-1+b1

    • Max says:

      Hopefully they are following the debian bugs filed against the package.

    • idgas says:

      Even better, he should become a maintainer as he's the only one having a clue whether any single version of xscreensaver he releases can be marked as stable, conforming to any possible combination of packages and safe to use. If he doesn't have such confidence, he shouldn't tell a single word about how long-running stable distros should work.

  7. Michael Banck says:

    Why don't you provide point releases for security and serious bugs? It's usually not a big deal to get them accepted in Debian stable point releases.

    • jwz says:

      Because going out of my way to comply with their arbitrary requirements is not how I choose to spend my free time. I don't work for them.

      And by requirements I actually mean "articles of faith" or "religious doctrine".

      • Michael Banck says:

        Fair enough, but then you can't complain much that the Debian maintainer doesn't feel like backpatching bugs either. Though security bugs should get addressed by the security team if they are properly published.

        Edit: Oops, I tried to reply to an earlier version of your answer. I don't have anything level-headed to say about your current one.

        • Karl Ramm says:

          Sure he can. Being a Debian maintainer is a responsibility, and responsibility here isn't jwz's.

        • Nwildner says:

          The maintainer doesn't have "to feel". He needs to do what is best to keep things stable.

          It's a twisted point of view to think that security patches will only be addressed if they got served on a silver plate. If this is their way to apply patches and "maintain" things, it's broken.

          • Aigars Mahinovs says:

            All the security fixes have been backported by the maintainer and the security team. There is absolutely no reason to force a newer version of software on people that have explicitly chosen to run a stable distribution. Having unchanging versions of software for 5 or even more years is the whole purpose of the stable releases. And that is exactly what free software is about - empowering the users to use the software as it is best for them and not how it might be best for the developer of that software.

            • foobar says:

              All the security fixes have been backported by the maintainer and the security team.

              And who told you all security fixes are marked as such?

              What a joke...

  8. oxtan says:

    amazing that no one in the bug thread actually considers updating the software to a more modern release. It should not be that big a problem.

    • Adam Barratt says:

      It's entirely missing the point that the main reason for using a stable release is that software _doesn't_ suddenly change under you

      • Joe says:

        I, for one, wouldn't want a change like a bugfix ruining my stable software.

        • Karellen says:

          I know, right? Because you might have some other (in-house?) software that - perhaps accidentally, unknowingly - depends on that non-security bug.

        • Adam Barratt says:

          I'm not talking about bugfixes, rather stuff like:

          "New hacks, splitflap and romanboy."
          "Various OSX and iOS performance improvements."

          None of that is fixing bugs that affect any users of the software on Debian and, even with the most skilled coder in the world, introducing code changes has the potential to add new bugs, including those that might turn out to be security-relevant at some later point in time

          • If you have found yourself in a position where you are defending someone for not fixing actual security bugs because of the possibility of hypothetical security bugs, you may wish to back up and examine the series of choices that led you to this unfortunate place.

            • Kyzer says:

              Here are xscreensaver's security bugs. Not random changes, fun new features and "ooh maybe it's more secure or not, I'm not going to tell, you should just put in every change I made this release just to be sure", but the actual goddamn security bugs.

              That most recent one is CVE-2015-8025. It was disclosed on 2015-10-24, then fixed in Debian stable the next day; the same day that jwz fixed it. Note how nobody involved gives a fuck about new display hacks, they just want the security fix.

              Debian stable is not going to fuck about including all your new features. Yes, it is going to immediately include any real security fixes. So don't talk smack about how Debian should include every little change, every new display hack in xscreensaver or they might miss out on a "security bug". Security bugs are big deals and they're called out individually, they're not solved by upgrading to the latest version and hoping for the best.

              • jwz says:

                You know what's funny? Of the 17 of those CVEs that are less than 12 years old, I recognize exactly two of them. The rest, I've never heard of.

                Oh wait, that's actually not funny. That's the exact opposite of funny.

                Half of them sound like "this bug is probably actually deep within Solaris's PAM stack", but still.

            • Adam Barratt says:

              > If you have found yourself in a position where you are defending someone for not fixing actual security bugs because of the possibility of hypothetical security bugs

              Given the amount of information available to me (despite having asked for more) we're talking about not fixing /hypothetical/ security bugs in code already being shipped because of the possibility of hypothetical security (and other) bugs in code not already being shipped that introduces tens of thousands of lines of new code including multiple new features.

              > you may wish to back up and examine the series of choices that led you to this unfortunate place.

              Any chance we could avoid the ad. hom.? It really doesn't improve the quality of the argument. :(

              • For fuck's sake. "Ad hominem" means "to the man". If I had said "Adam Barrett wears funny hats, it is not worth listening to him", that is an argument ad hominem. If I had speculated that you were being paid by the Debian foundation to argue their case here (note: I am not, this is an intentionally ludicrous example), that also would be ad hominem.

                Snark is not ad hominem. Saying "Adam's argument is wrong and based on false premises" in a snarky way is not ad hominem. Saying "Adam seems strangely reticent about reading the publicly available xscreensaver release notes and is thus speculating incorrectly" may be personally uncomfortable for you to read, but it is still not ad hominem.

                Words, even fancy latin ones that people throw around a lot, have meanings.

                • Adam Barratt says:

                  Fair enough, I clearly misunderstood what you were arguing. Please at least do me the courtesy of spelling my name correctly though. ;)

                  However, your premise is incorrect. I have read https://www.jwz.org/blog/2015/10/xscreensaver-5-34/ , https://www.jwz.org/blog/2015/07/xscreensaver-5-33/ and https://www.jwz.org/blog/2014/11/xscreensaver-5-31/ (I failed to find an entry for 5.32, if I simply missed it then pointers welcome).

                  Amongst those, the things that sound like they might be security relevant are CVE-2015-8025 in 5.34 (unnamed in the blog post), which is fixed in 5.30+deb8u1, and CVE-2014-1949 in 5.31, which appears to be a GTK3 bug; the 5.30 package in Debian is built against GTK2 so not affected afaics.

                  This isn't a case of me not reading or not wanting to do so. I'm not uncomfortable, I'm frustrated. I don't subscribe to the "any bug fix in xscreensaver is automatically an important security fix" theory and am trying to work out what I'm missing.
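To make the version question in this thread concrete, here is an added example (not code from the page, from xscreensaver or from Debian) that reimplements dpkg's version-comparison rules in Python and runs them over the dpkg record pasted earlier in the thread, treating the 5.30+deb8u1 string named above as the version that carries the CVE-2015-8025 fix. The function names (carries_fix, check_record) and the embedded record are constructed for this example.

```python
"""Compare Debian package versions the way dpkg does, and apply it to a
dpkg -s style record.  Added example; not xscreensaver or Debian code."""

# Constructed copy of the dpkg record pasted in the thread above.
DPKG_RECORD = """\
Package: xscreensaver
Status: install ok installed
Priority: optional
Section: x11
Installed-Size: 2130
Maintainer: Tormod Volden
Architecture: amd64
Source: xscreensaver (5.30-1)
Version: 5.30-1+b1
"""


def parse_dpkg_record(text):
    """Parse 'Field: value' lines into a dict (no continuation lines needed here)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def _order(c):
    """Weight of a non-digit character: '~' sorts before end of string,
    letters before punctuation (this is dpkg's ordering)."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's comparison of an upstream_version or debian_revision string:
    alternate non-digit runs (compared by _order) and numeric runs
    (compared as integers, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = int(a[i]) - int(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has the longer numeric run, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision]; a missing revision counts as '0'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, "0"
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, like 'dpkg --compare-versions'."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def carries_fix(installed, fixed_in):
    """True when the installed version is at or beyond the fix-carrying version."""
    return compare_versions(installed, fixed_in) >= 0


def check_record(record_text, fixed_in):
    """Return (package, installed version, whether it carries the fix)."""
    fields = parse_dpkg_record(record_text)
    return fields["Package"], fields["Version"], carries_fix(fields["Version"], fixed_in)


if __name__ == "__main__":
    pkg, ver, ok = check_record(DPKG_RECORD, "5.30+deb8u1")
    print(f"{pkg} {ver}: {'carries' if ok else 'does not carry'} the 5.30+deb8u1 update")
```

The pasted record (5.30-1+b1) sorts below 5.30+deb8u1, so that installation predates the stable update, while 5.30+deb8u1 still sorts below upstream 5.34: the two facts the thread keeps talking past each other about. The same comparison also handles epochs, binNMU suffixes and the `~` pre-release marker.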

                  • Ann On says:

                    I think you're missing that debian /stable/ will not incorporate new features, but /will/ incorporate security fixes.

            • osman says:

              > you are defending someone for not fixing actual security bugs

              If you know a specific vulnerability that Debian hasn't fixed yet in xscreensaver packages they are distributing, please explicitly tell it here. Otherwise you are just bullshitting

        • oxtan says:

          I, for one, would not like to have to support bugs in your 'ancient' distribution that have been fixed by my stable software because you think you have a right to mark anything as 'stable'.

          • Adam Barratt says:

            Then it's just as well that no-one's asking you to (and no-one's asking jwz to, either)

            • oxtan says:

              apparently they are, otherwise he would not have put the warning.

              • Adam Barratt says:

                Sigh. Let me rephrase that then.

                Debian is not asking him to, which was the implication of your original comment.

                (Also Debian didn't say that version of xscreensaver is "stable", it said the Debian distribution that it is shipped as part of is.)

                I suspect this discussion has drifted sufficiently far from wanting to do anything other than rant about how much people dislike Debian however, so I'll save everyone the trouble and leave it there.

                • oxtan says:

                  I do not know about others, but I do not dislike Debian at all. I just think they are wrong about this.

            • darkfader says:

              There's a difference between "not asking someone to do support" and not giving a shit when he ends up with the consequences of the distro's design choice.
              It's Debian's responsibility to think about how to help the upstream author if debian still delivers an outdated bug-ridden version.

              At the very least, and that is something that has probably never happened in this project's history, it would probably be sufficient to simply say:

              "Any approach we take violates some of our goals in this distro. You must be aware that it isn't a common thing, but in your case it's what it is. We don't know how to change this, but we're really sorry for the trouble this is causing you."

              Thinking one is somehow not responsible for indirect consequences of one's decisions is really a very easy way out and extremely disrespectful not just of the person affected here, but of general humanity.

              Just how twisted this is can be guessed from the idea that it's damnable for jwz to write "fuck" and debian getting complaints about that, but ignoring that he ends up with the problems Debian's stable package causes here.

              Really reminds me of people that constantly ignore their peer's feelings and then crying "but i got feelings too" if someone merely speaks up and asks to stop.

              • itbane says:

                >It's Debian's responsibility to think about how to help the
                >upstream author if debian still delivers an outdated bug-ridden version.

                And that's the problem: the debian version is NOT bug-ridden. Bugfixes that are relevant to the security (e.g. have a CVE) are being backported to the old version. This is done by the maintainer of the debian package and not by the upstream author of the software. So what help should be provided? Debian asks nothing from the author.

                Debian is built that way for a reason. You don't like it, you don't use it. Fine. Nobody bullies you into using debian (well, maybe your employer, but that's not what this is about). But stop bitching about something you don't understand.

                Debian does not accept upstream patches containing other things than bugfixes in its stable version not because nobody wants new features or thinks they're not stable, but because of CHANGES that come with them. Most debian environments contain hundreds if not thousands of systems. Patches are applied daily by an automatism, because you can be sure that your config file will work with the next version of the package. Because there can't be a change in syntax.

                Before upgrading to the next stable version you have to look into your software ONCE, adapt your config to the new syntax and roll it out. Because you have a defined state of what has worked before and what will work for the next years.

                But as I said before, if you don't like this concept, don't use Debian.

                This policy is applied to all software in the repositories, whether it's a huge software like apache or a packaged python one-liner.

      • MattyJ says:

        What version of libssh does RHEL 7 distribute again?

        'Stable' doesn't mean 'years old' or 'insecure' or any number of other things people mistake the word 'stable' for.

        'Stable' means 'shit ain't broke', and security vulnerabilities mean 'shit is broke'.

        • Joker_vD says:

          Unless your workflow depends on those vulnerabilities being here. Consider a SHA-1 self-signed cert (expired back in 2002) that has since been baked into all of your stuff. So if one day your OpenSSL-dependent third-party software stops trusting this cert, well, is this now "shit finally ain't broke"?

          • PDP says:

            'shit was always broke but now it is broke in a manner that is visible to the customer'

            but for those times when admitting that broken shit has been papered over for a decade plus would be impolitic, you can also call it "technical debt"

        • Jonathan says:

          Do you mean openssl when you say libssh?

          RHEL7.2 has openssh 6.6.1p1 (released around 2014-03-15); RHEL7.2 came out 4 months ago.

          It has openssl 1.0.1e, from approximately 11 Feb 2013.

  9. Adam Barratt says:

    "Though in case you were wondering whether there have been serious bugs fixed since 2014 -- security-related bugs -- the answer is yes."

    It would help if you would identify them rather than hand-waving. https://www.jwz.org/xscreensaver/changelog.html doesn't mention the word "security" at all in the notes for any of the releases after 5.30 and the one that I know is security-related - "Fixed a crash when hot-swapping monitors while locked" has been fixed in the Debian release that you're moaning about for a few months now.

    • Jeff Warnica says:

      xscreensaver provides security functionality; everything is a security fix.

      • asan110 says:

        "New hacks, splitflap and romanboy."
        "Various OSX and iOS performance improvements."

        These are security fixes? (xscreensaver provides no security functionality on OSX or iOS, by the way).

  10. jwz says:

    Also, stop calling it a "time bomb". It's not a time bomb. It's a warning dialog, presented at startup, that in no way inhibits the normal operation of the software.

    If clicking "Ok" after you reboot is the worst thing that happens to you today, then your Linux experience must be mysteriously charmed.

    • qååp says:

      A "screensaver" in 2016... with CRT's no plasmas around to save...

      I hope they do remove it from Debian. Or at least make it manually installable and drop it from _every_ desktop meta-package. I also hope that Ubuntu, Redhat do the same.

      However I do like xscreensaver-demo as a program that draws pretty pictures on the screen. But I want to watch.

      • Gary van der Merwe says:

        xscreensaver is not just about pretty pictures and saving CRTs. In the X world, screen locking uses a badly thought out and fragile design. xscreensaver provides the least fragile implementation.

        xscreensaver has not been included in any desktop meta-package. Most of the distros use gnome-screensaver (pre gnome-shell 3.6). Anyone using xscreensaver is doing so intentionally.

        • Adam Barratt says:

          "xscreensaver has not been included in any desktop meta-package. Most of the distros use gnome-screensaver (pre gnome-shell 3.6). Anyone using xscreensaver is doing so intentionally."

          That's not entirely accurate, at least on Debian stable (which seems relevant under the circumstances).

          xfce4-session and lxde-core have "recommends" on xscreensaver, so it'll get pulled in on many installations using either of those environments.

          The "kde-standard" meta-package depends on kscreensaver, which in turn depends on xscreensaver via kscreensaver-xsavers.

      • Tet says:

        I still use a CRT...

  11. Rue says:

    I find this interesting. Though, I know quite a tiny bit about developing so forgive me if this is a random question. Though, would there be any technical issues or a problem for you if in like the bug report where they mentioned using a direct Debian url for bugreports in order to mitigate how many you receive?

    • jwz says:

      Two things. First, in practice, that doesn't work. You google xscreensaver, you find me. Second, even if I just blackholed bug reports against ancient versions, the end user is still having a problem that was long fixed, and that in itself is something one likes to avoid. Because it should be easy to avoid.

      • Otto says:

        Question: is there any change to xscreensaver made in the time period in question which could be considered in any way "breaking" or possibly "unstable"?

        That's the deal with stable releases. They're terrified of anything breaking, ever. Obviously, that makes little sense in the case of a screensaver, but it's the question to answer to pound into them "hey, the latest code is always fine here".

        • jwz says:

          Obviously there is some debate over what the word "stable" means. However:

          1) Every xscreensaver release that isn't explicitly marked "beta" is one I consider to be stable.

          2) it has been years since I've made any modifications to the daemon that weren't bug fixes (typically things like better idle detection when faced with new behaviors of window managers, and tracking changes in dependent libraries like PAM). I've been rejecting feature additions in the daemon for years precisely because such changes can be destabilizing for no strong benefit.

          3) The display modes regularly get bug fixes and new features, but they are as fully sandboxed as UNIX and X make possible by the daemon's execution model.

          I do not expect these facts to change anyone's opinion about anything.

          • Aigars Mahinovs says:

            So, if Debian ships a new xscreensaver it faces a risk of things breaking because you have now adapted it to "new behaviors of window managers" and "tracking changes in dependent libraries like PAM", none of which would be there in a stable release.

            As you have not tested your changes with the stable release of Debian, any change, even a bug fix, can be a potentially breaking change. And judging by your attitude, if faced with such a problem your response might be to upgrade a dependent library to a newer version. And that would be another destabilising change that would risk more problems for millions of Debian stable users.

            That is not an acceptable solution.

            Debian already has a working and well tested solution - backport minimal fixes to security and critical bugs and do not change anything else, ever. It has worked for decades and will keep working for decades more.

            Using timebombs to disrupt stable releases is reprehensible and childish behaviour. This puts in question all your work since then. Could the next time bomb lock them out completely? Erase user data? Silently copy user data to a server?

            Now all your future open source contributions will have to be scrutinised just like if you were a CIA employee. At least until you publicly recant this very damaging position and apologize to people involved. And that is not a threat, that is a fact of the necessary damage limitation for millions of our users that put trust in Debian.

            • jwz says:

              Debian already has a working and well tested solution

              This is very much a matter of opinion.

              Now all your future open source contributions will have to be scrutinised just like if you were a CIA employee.

              Oh, go ahead. You know you want to. Go ahead. Just call me Hitler.

              At least until you publicly recant this very damaging position and apologize to people involved. And that is not a threat, that is a fact of the necessary damage limitation for millions of our users that put trust in Debian.

              You know, if I'm so evil and wrong and untrustworthy, here's an idea:

              You could just not redistribute my code at all. You don't want to work with me? Great. I don't want to work with you either.

              See also, the title of this post.

              • Aigars Mahinovs says:

                What Debian is doing for stable releases is exactly what all distributions have always done for stable releases. The unchanging versions are why Linux can be installed in server farms and be relied on to keep working for decades. That is not an opinion. That is a foundation of the whole Linux long term ecosystem. Linux could not have become this successful or useful to people if you had to keep upgrading software to new versions to keep it working. That would not work at all in any environment that demands stability, reliability and reproducible behaviour on the time scale of years. Millions of people use stable versions because they can install them and then only consider upgrades once every 3-5 years and still be secure and stable because of distribution provided security updates without functional changes.

                I am not saying that you are evil. I am saying that your understanding of what the word "stable" means is contrary to decades of established practice and contrary to what Debian users expect. That in itself is not a problem.

                The problem arises if we add to that your willingness to actively undermine the stability of old versions. Then the trust in you writing the right code erodes. Especially with the obvious lack of remorse.

                Debian is committed to providing best possible value to its users. It is for the maintainer to decide if it is better to keep your software in (as long as it is still free software) and pay closer attention to changes in the future to catch any other such timebombs (which maintainers often do anyway) or to create a transition path to some other screensaver/locking software or to fork xscreensaver along with other distributions that value their users.

                At this point the bug is being fixed by removing the useless warning and possibly by adding instructions on reporting bugs to Debian directly. And that is where it is likely to stop. As it should.

                • margaret says:

                  i lost it at "obvious lack of remorse". apparently aigars is "reading the title of this post and letting it sink in" resistant.

                • Alexander Schwarz says:

                  You sound like a religious zealot (repent or....!) and at the same time like an angry man who does have exactly ZERO leverage to force others to do his bidding. This doesn't convince anyone to do anything you want but rather will lead to people not taking you seriously.

                  The threat I'm referring to (tell me, what happens if he doesn't do what you want? What will you do?):

                  "[...]Now all your future open source contributions will have to be scrutinised just like if you were a CIA employee. At least until you publicly recant this very damaging position and apologize to people involved[...]"

                  • Thorsten Schöning says:

                    > You sound like a religious zealot (repent or....!) and at the
                    > same time like an angry man who does have exactly ZERO
                    > leverage to force others to do his bidding. This doesn't
                    > convince anyone to do anything you want but rather will lead
                    > to people not taking you seriously.

                    You seem to have accidentally replied in the wrong thread; that is obviously a message to jwz. :-)

            • phessler says:

              Now all your future open source contributions will have to be scrutinised just like if you were a CIA employee.

              You know, you really _should_ be scrutinising code that you are running for security reasons. xscreensaver, openssh, openssl, etc, etc.

              • Aigars Mahinovs says:

                I do think so as well, but it appears that thus far the combination of respect for jwz's work, the relatively slow pace of changes in xscreensaver and the fact that the majority of users nowadays use different software for locking combined to steer security researchers away from looking at xscreensaver too closely.

                This manufactured scandal might actually do some good in the increased attention that xscreensaver code might now receive as far as security audits go. But I would not rely on that because very few corporate users (that sponsor months of boring work to do such audits) actually use xscreensaver nowadays - they almost always use the distribution default gnome-screensaver. I am missing the xscreensaver hacks, but there are benefits too.

  12. Ewen McNeill says:

    Ironically, Debian does have a mechanism for shipping updates to "fast moving" packages (RELEASENAME-updates) into the stable release, which they use to deal with things that get out of date quickly like virus scanners (and timezones, and firefox aka iceweasel). There are also semi-official backports of newer packages to stable from later releases -- which might help here since AFAICT Debian's non-stable (testing, unstable) releases do have "current" xscreensaver release (5.34, AFAICT). Both require a Debian Maintainer that cares about getting regular updates into somewhere the stable release users can get at, frequently.

    Relatively few packages need updating every year or two, so stable Linux distros holding packages for 2-5 years is not normally that much of a problem. But given xscreensaver's security important role, arguably it should be treated more like a virus scanner and firefox-aka-iceweasel and less like basic Linux tools to be left alone forever.

    Of course in an ideal world users would report-to-distro, rather than bothering the upstream maintainer, if they were running a distro-provided version. Particularly an older distro-provided version. Sadly we don't appear to live in an ideal world.

    Ewen

    • Indeed, Debian dropping xscreensaver from stable, and shipping only via backports and unstable: something like that might work. (Just would have to solve the issue that backports now only gets stuff which is in testing.)
      Alternative: drop it altogether, and steer users to i3lock, xtrlock or suckless-tools' slock.

      • Bigon says:

        So you agree yourself that you are writing software that has security implications but you are not opening CVE, the changelog on your web page doesn't list the security fixes explicitly, you are not proposing isolated commits for review (I'm not even able to find a VCS)...

        Of course you can do whatever you want, but by my book this is definitely not how a responsible upstream maintainer should handle this.

  13. xiegeo says:

    At first I thought this was a case of neglect, but it is actually a classic case of developer wants everyone to update, but some users don't.

    "Of course, my license allows you to ignore me and do whatever the fuck you want"

    I actually believe that just removing the warning is misrepresentation and therefore illegal no matter what the license says.

    If any redistributor modifies the software, it is their responsibility to make that fact clear. Then any problems they have from the modified software aren't your problems.

    I understand you don't want to work for their requirements, so let them modify it. Forcing them to remove rather than modify would in effect make it not open source.

    • jwz says:

      You people keep saying "force". I do not think that word means what you think it means.

      • xiegeo says:

        Sorry, what did I say?

        The difference between "force" and "would like" is breaking my mind... I think I got it, you disagree very strongly with Debian, but Debian still have the right to disable the warning.

        • Derek says:

          He could simply craft a modified source license that prohibits removing the disclaimer.

          EITHER, [a] Debian will decide that violates the OSI doctrine, and they can't include it any more, or [b] they'll be prohibited from modifying the source to remove that disclaimer.

          Either way, win for jwz.

          • craig65535 says:

            That restriction could not apply retroactively. So, in that case they would just grab the latest release without that restriction, and patch it as necessary, never fully updating again. That's arguably worse than the status quo from jwz's perspective.

            • Derek says:

              There is no solution that prevents them from doing that. If it's a free license, they can modify his code and redistribute it without any protections he puts in. If it's a non-free license, they can simply stick with an old (free) version which has protections removed.

              The best you can hope for - if you can't convince Debian to play nice - is look to the future.

              • Thorsten Schöning says:

                > if you can't convince Debian to play nice

                Debian is playing nice already and everybody can see that with their suggestion by changing the contacts for reporting bugs. The only one not playing nice is the one implementing a time bomb.

  14. Julian Calaby says:

    JWZ,

    This is (arguably) a use-case for publishing a source code repository (git, SVN, CVS, RCS, whatever) - even if all it does is break out security fixes - as this would make it easier for downstream maintainers to backport the security fixes they need without picking up new features they don't want.

    • jwz says:

      Again, going out of my way to comply with their arbitrary requirements and articles of faith is not how I choose to spend my free time. I don't work for them.

      If that's important to them, they should do it.

      But instead, what they are doing is only causing me grief. So I'd like them to stop causing me grief.

      "Hey, I have some free time, you know what would be fun, relaxing and artistically fulfilling? Operating a public source code repository" I have said to myself never.

      • Julian Calaby says:

        I completely agree that running any open source project publicly, no matter how trivial, is a heck of a lot more effort than doing the same thing privately.

        So back to my original point: I'm assuming that you use some form of version control to help you keep track of stuff as you're working on xscreensaver. So based on that assumption, I'm trying to suggest that you let other people see it, regardless of how "awful" it is, even if that's just handing an otherwise unpublished link out to distro maintainers. (and strongly encouraging them to clearly mark unofficial versions as "unsupported by JWZ" and "report all bugs to $DISTRO" etc.)

        I'm also assuming that uploading one more thing every release is less effort / stress on your part than dealing with dumb users complaining about $DISTRO's ancient "stable" version of xscreensaver.

        • Jeff Warnica says:

          You are perfectly free to take every .tar.gz back from the dawn of time, uncompress them over each other, and do a `git push` up to the internets for every cycle.

          • Julian Calaby says:

            That is close to what Debian is doing for their "unstable" / "sid" version.

            I expect that JWZ has some form of version control for xscreensaver as, in my experience, that makes software development easier. I'm guessing that the "commits" on it are somewhere between commit-per-line-change and commit-per-release. If distro maintainers had access to this, they could pick out the security fixes they need without getting the changes to the hacks etc. they don't want.

            If they can do that, the act of disabling the "you have old software" message is a lot more palatable and if they do that, theoretically, JWZ would get less mail. I would assume that the time required to upload this somewhere is less than the time spent dealing with this issue.

            As I see it, this isn't "security point releases" this is just uploading another "thing" with each release.

            • Jeff Warnica says:

              Why would you add to the burden of hourly, daily commits, and the effort of working on a "security" problem over any other problem? All problems are "hobbies", of exactly equal effort. The when-to-release question could be as simple as whenever the fuck he feels it's enough.

              It is an entirely reasonable paradigm to say "Version $TODAY is the right version, I don't care about any thing else".

              Debian has taken it on themselves to say that something besides that is gold. Not good enough, not acceptable, but gold. They could continue to ship the gold version, or cherry pick changes and ship a bastard version. They want to do nothing, the most selfish possible option. This requires no work on their part, and additional work, if just in actively ignoring emails, on JWZ's part.

              It's dishonest to their users and unfair to JWZ.

              • Julian Calaby says:

                Debian would really like to ship a "bastard" version consisting of some version x which has been tested (and patched) to work "reliably" with the rest of the software they distribute + security fixes.

                The problem is that these security fixes are part of "large" or "monolithic" updates that have other unrelated changes which might require changes to other software they distribute, and it requires significant developer effort to tease them apart. (It doesn't help that the Debian maintainer for xscreensaver appears to do barely anything.) An example of this type of development process causing problems is the recent "Shellshock" vulnerability, where efforts to patch old systems were hampered by the upstream developers' practice of releasing monolithic releases consisting of both bug fixes and new features.

                As for the practice of taking $RANDOM version and making it "gold", this happens just about everywhere open source software is used. Android phones are generally running a 3.x version of Linux (about 5-10 releases behind upstream); Red Hat is usually a couple of versions behind upstream; most embedded Linux hardware (e.g. routers, TVs, etc.) contains a snapshot of whatever required software packages were available when the SoC manufacturer started development on that particular SoC, hacked to work semi-reliably and with minimal subsequent updates.

                Upstream generally doesn't support these old versions, just like JWZ doesn't, however upstream is also not as hostile as JWZ is to users who are stuck, for whatever reason, with an ancient copy of their software.

                • MattyJ says:

                  Thus JWZ's request to just remove his software from their distribution. If they don't want to do the work to provide an updated release, then it doesn't fall on JWZ's lap to do so for every distro that wants Xscreensaver. Or to code in such a way that is specific to any distro. I feel like that's the purpose of a distro and the developers that support it.

                  Not his problem. Except it is his problem when a distro decides to keep security related apps out of date.

                  When I find errors in my car's GPS I don't complain to Garmin, I complain to Honda because they distributed it to me. It's too bad a lot of Linux 'users' don't know the difference.

                  • Julian Calaby says:

                    Firstly, nobody at Debian (or at least nobody sane) is asking JWZ to provide some "5.30.1" version of xscreensaver which is 5.30 + whatever security updates happened after that. It'd be really nice if that was how he published security fixes, however he's indicated he's not even remotely interested in doing that, so it's not going to happen.

                    It's not fair for Debian or any other distro to expect any upstream author to change how they do their development to suit them. (I must point out that nothing suggested here is Debian specific, any change to his release schedule or process would benefit all distros equally.) It's also not fair for the author to expect that a distro will not ship anything but the latest version of their software.

                    And it's downright wrong that end users are pestering an upstream author about failings in their chosen distro.

                • Mick Sheppard says:

                  And here we see the problem with the current Open Sores community. The sense of entitlement and arbitrary demands placed on authors by downstream distros.

                  The level of bullshit in that bug report is off the scale. Debian have here an author that has other things to do and has provided a recommendation to them. They don't want to do that because they think that the other alternatives to Xscreensaver suck.

                  So get the package maintainer to update the package and do the necessary checks against Jessie to include an update in a patch release. Isn't that what the package maintainer is there for or have I missed something? Are they just doing a build, submitting it to the latest unstable, and basking in the shadow of jwz?

                  • Julian Calaby says:

                    The ultimate goal for a package maintainer is to be able to grab the upstream source, have it compile and run without errors and then ship it. Distros add value by providing a way for end users to get a "complete" working set of software without having to do the grunt work of making everything work together themselves. They generally try not to do any software development other than fixing minor bugs themselves and try to pass all issues that aren't their fault upstream.

                    Most people expect the latest "stable" version of a distro to be both reliable and secure. The former generally means using well-tested software, i.e. not the bleeding edge version, and the latter means having security updates. This is similar to what Windows and MacOS do: They release OSX 10.5, then a bunch of updates which fix bugs, then the next big release is 10.6 which has a bunch of new features that have been worked on and tested internally until they're considered stable enough.

                    Arguably the best development system for downstream would be for the screen locker component, i.e. the part that's doing the screen locking itself, to be a separate "package" from the hacks and their helpers and for this component to have clear security releases in addition to normal feature releases. This isn't going to happen. As a compromise, I assumed that, like me, JWZ uses some form of version control as part of his development toolbox and consequently this could be made semi-public so that downstream could get the bits and pieces they need without having to get the bits they don't want. It looks like my assumptions here were wrong.

                    As for that bug report, I agree that the bullshit level is off the scale. I've also been annoyed by the message in question and put it down to distro maintainers not keeping up with upstream (a frustratingly common problem) and moved on with my life. I'm not filing release critical bug reports because some maintainer hasn't updated a package yet.

              • Jonathan says:

                > Debian has taken it on themselves to say that something besides that is gold. Not good enough, not acceptable, but gold. They could continue to ship the gold version, or cherry pick changes and ship a bastard version. They want to do nothing, the most selfish possible option.

                Funnily enough this is completely not what is happening at all. But don't let that stop you fanboying.

      • Zygo Blaxell says:

        Apparently everyone below didn't notice that the Debian maintainers did the work to isolate the security patch from upstream and apply it to the xscreensaver 5.30 package in their stable release. They did it 20-something hours after jwz released 5.34, if I'm matching up timezones on various logs correctly. jwz's apparent unawareness of this implies that Debian reduced the workload on jwz to zero for this particular bug (i.e. they didn't even bother him to say they'd done it).

        Whatever else went wrong, this security update was not part of the set of things Debian failed to do.

      • Terrence B. Hartley says:

        Not to offend, but reading through this thread and your responses it seems like you really dislike maintaining projects (I can't blame you).

        You could mitigate the whole issue and not ask multiple distributions to disservice their users by following the suggestions made in this thread of reforming your bug report system, or just being more patient. But you won't because it's additional effort.

        Have you ever thought about giving maintenance to someone who is willing to put in the effort, someone who likes, err... tolerates, maintenance?

        I don't know how anal you are about keeping everything EXACTLY as you want it, but it would probably make your code base more usable, even to you.

        -T.B.H.

      • Zygo Blaxell says:

        I think you might need to consider doing this just to preserve your own sanity. Like it or not, people will use your software as they see fit, and that can include running really old versions for years because that's the least bad of several bad options.

        Other open source projects with fewer users than yours are set up with a filter between unwashed-hordes-of-the-Internet and the core maintainer(s). When someone Googles xscreensaver, they don't get the xscreensaver mailing list, bug tracker, Github repo, IRC channel, web forums, or any of the other ways that projects redirect their users to other human beings who can help them solve their problems without bothering a core dev.

        Instead, our intrepid Googler lands on a page that is a few prerecorded messages and one click away from your personal email address with no other support options. Not even an alias inbox that could be ignored for a while so you can take a break from the frustration, or delegated to other people who can handle the stupid while you work on the awesome.

        Even the recorded greeting could be more helpful. Something like "running Debian? Do not pass go, do not collect $200, go directly to http://bugs.debian.org/xscreensaver and click on the 'Report it' link" on the Reporting Bugs page. The Debian maintainer can explain to your user how to reconfigure apt to get the current version (i.e. 5.34) and you don't have to know anything else about it.

        • jwz says:

          Look, I know how to operate email. If I just wanted to blackhole or otherwise hit delete without replying on a bunch of messages, I am very capable of doing that. Getting email about a years-old already-fixed bug is frustrating if it's because the user was simply too lazy to upgrade. But what I think you have all recently learned here is that that's not what's going on. It's not that they're lazy, it's that Debian has gone out of their way to make it difficult for naive users to run code that does not contain years-old bugs.

          Even if I just ignored their reports -- or worse, pointed them to the delightful and charming people who populate the Debian bug system to have them ignore them for me -- there are still users who are trying to use my works, and who are experiencing bugs that they should not have to experience because they were fixed years ago. That's extremely frustrating. "I already fixed this, thanks again, Debian!"

          And this is by Debian's "design".

          If that's how they want their system to work... well... ok. I don't want any part of it though. So just leave my stuff out.

          • Zygo Blaxell says:

            People walking by any computer screen I control stop to watch XScreenSaver. It's on all of my monitors (I have an unusually large number of those due to the work I do). They say it's the best thing they've seen on an idle computer display, and I'm often asked where to get a copy to save their own screens. I can only do this if I can really trust what's going to show up there, day after day, especially when I'm not there to supervise.

            Just a few hours ago I was in a meeting room in a corporate office where a member of engineering staff had plugged in a laptop to the giant display panel. During a pause in the presentation XScreenSaver (5.15 on Ubuntu) kicked in, and I thought to myself

            Oh cool, another sighting of XScreenSaver in the wild! Hey, what would happen if that thing switches to barcode and picks 'boobies' as the first word, or glsnake with 'erect penis', or starts running webcollage and finds all the pr0ns at once?

            Even if nobody gets fired, the HR processes that can start up are ugly, and nobody wants to spend their own precious life energy defending jwz's decision about where it's appropriate to put an erect penis (especially a hardcoded erect penis that many users can't deconfigure without ruining the whole thing).

            People have different needs from software. Millions of people have a wider range of needs than one person. Not everyone gets to run xscreensaver in their night club surrounded only by people who are not empowered to cause considerable inconvenience to them for the content of their monitors. People modify code to better fit their needs, and the needs really aren't negotiable. Hence, Debian's xscreensaver mods, and more than a few users who would, if forced to choose, pick Debian's version instead of your version, and damn the bugs and oldness.

            I really do appreciate your XScreensaver work. It commands the attention of its audience. It's a conversation-starter among strangers. It showcases your awesome talent, vision, creativity, and sense of humor--but only 99.98% of the time. That other 0.02% can make some random Tuesday afternoon suck.

            • Jeff Warnica says:

              You full well know you can configure xscreensaver to not use hacks that pull down random content. You don't need a distribution to do that for you.

              • Zygo Blaxell says:

                I'm not talking about the configurable, documented random content. I'm talking about undocumented ("read all 165kloc of the source" doesn't count) and hardcoded content removed by two of the Debian patches.

                As a first-time user, you'd just have to know, somehow, that those things could be in there, and the only way to get rid of them is to disable the entire hack they're concealed in.

          • Lars Rohwedder says:

            I am just curious: Which bugs, which you have already fixed long ago in your upstream version, do the Debian users still report to you again and again, so that you are getting annoyed by them?

            I've read the changelog between 5.30 and your current 5.34, and there are not so many bug fixes at all (and I haven't looked yet at which of these fixes are already backported to Debian's "5.30-1+deb8u1" version).

          • ssl-3 says:

            I always figured that -stable meant back-ported bug fixes, but no new "improvements."

            And I thought that extended to bugs that weren't security-related.

            Perhaps I was wrong.

            Perhaps this is why I, at best, spend a day or two at Debian-stable before beginning to bits of Unstable when playing with distros on bare metal.

            Nobody wants your two-year-old software -- not even you. Otherwise, you wouldn't have subsequently improved it.

            Nobody really wants buggy-years-old shit. They want a reasonable system that gets better with age, before they're forced to upgrade to the new oldness.

      • Spinderbok says:

        There is github. Oh, and by the way it's 2016.

  15. Sometimes, as an all-the-way upstream software developer, I wish I knew more about how the packaging community operates. Then I come across something like this and go back to imagining that all my users build from source.

  16. MattyJ says:

    BTW, will there be a 25th birthday cake for Xscreensaver? I'd like to get in on some of that.

  17. isabella v says:

    Hello. Are you the author of XScreenSaver? I've noticed several bugs in the version that came with my VAX/VMS 4.4 distribution....

  18. Krinn DNZ says:

    I'm impressed/dismayed by the one complete tool whose barely-coherent contribution to the thread called you a terrorist ("He accepts the free license but in a some strange one-way fashion: to get the freedom for himself and to take it away from the others. Just like terrorists do.").

  19. nooj says:

    Can we close this bug as WONTFIX already and move on with life?

    "Oh, hey, this dialog box says you should update."
    "No way, we decided it was perfect, and we don't change our minds."
    "Ok, well, unless it's a security fix. Give us just the security fixes."
    "Fuck you, get the whole update. Did you even try the whole update?"
    "But I'm afraid of the whole update! And the Update Man isn't here. Updating is unthinkable."
    "Let's just hide the warning."
    "Fuck you, don't hide my warning. You know what, just don't fucking use it."
    "Ok, let's use it anyway and hide that it's his. We'll claim it as ours! Yeah, and let's don't fix the security holes either! We'll paint over them so it's okay. What could go wrong?"

  20. rozie says:

    I read this message. And I saw many people upset by this message. By using such messages (and language 'do whatever the fuck you want' in source) you don't make the matter better in any way. It is just upsetting people. It's not the matter if you are right or not, people just better react if they are politely asked and situation is explained.

    I understand that you don't want to waste your time on supporting old versions, but it seems there is a simple solution: just write in the FAQ and issue report system that only the latest version (link to source) is supported by you, that each report has to contain the version number, and that any older versions are maintained by distribution developers only.

    OTOH you can point people - in more polite way - to a place where situation is described. It's not exactly true that there's no solution - there are backports in Debian, but not as security backports, but as backports.debian.org, and packages from unstable are backported there. Seems like fair enough solution for me - it's desktop, so it doesn't have to be as stable as server. And desktop users should use packages from other sources anyway.

    To be clear: I use Debian (stable, unstable), I use xscreensaver. And I can help with both creation of such a page/FAQ and preparing backported version. If you wish, of course.

    • Zygo Blaxell says:

      A few back-of-the-envelope calculations tell me that there are about a million xscreensaver-on-stable-Debian users. That doesn't count unstable-Debian or Ubuntu, which combined multiply the number by somewhere between 3 and 5.

      Some of every 5 million people will have the mix of motivation, ignorance and capability required to find someone on Google. Assume a thousand of them send complaints to jwz. It seems a bit extreme to pull the plug on the other 4,999,000 happy (or at least quiet) users because the winduprobots are not always transparent at the appropriate times.

  21. Anonymous says:

    xscreensaver is an ancient piece of hideous awful garbage anyway who cares

    they should just switch to gnome-screensaver if it means giving irrelevant old dinosaurs less opportunity to fill my clickbait aggregators with pointless bullshit like this

  22. Jeremy Wilson says:

    I think my favourite part of that whole thread was how serious those jackholes were taking themselves and how your emails basically highlighted how they're all a bunch of blowhards by being so blunt and direct. The flowery bullshit of that one asshole in particular. Jesus.

  23. Jeff Warnica says:

    You could specify a copyright policy which only allows using your name if the code ships exactly as you package it in a .tar.gz.

    It would bring me great amusement and joy if Debian trips over themselves in their circlejerk to ship to their users icescreensaverweasel.

    • Jonathan says:

      The situation you are alluding to was a Trademark issue, not a Copyright one. Sorry for the interruption, please resume your regularly demonstrated ignorance of the issues at hand.

  24. Thomas Lord says:

    I think Debian should make a hostile fork and write an essay called "Why it is impossible to work with JWZ." :-P

  25. MrEricSir says:

    Ugh. Thanks for reminding me why I refuse to have anything to do with the open source "community" anymore.

  26. Sauron Hubbard, Ph.D. says:

    You should tell them that the name "XScreenSaver" is your valuable property and if they redistribute it, they must do it under the moniker "Shitweasel".

  27. Jay says:

    Seriously, you lot clearly have no idea of end users.

    You put an offensive message in your code and expect no backlash? Grow up and get over yourself.

    • Ben says:

      You are both too easily offended and simultaneously offended by the wrong thing.

      • Jay says:

        Not offended as I no longer support an end user base and I fixed this issue with a very simple command:
        apt-get remove xscreensaver

        Though for a moment put yourself in a sys admin position with a user base running Xwindows and all get this message every time they log in. Do you think that the users will put up with this message at every login?
        Is this the best user experience?

        Distros run stable packages for a reason.

        All this serves to do at that level is piss people off.

        • Ben says:

          You said the message is "offensive", which is to say that you are offended by it.

          It is a bad user experience. Do you know what's a worse user experience? Someone getting into your computer because the distro isn't updating security-critical software on any sort of regular basis.

  28. darkfader says:

    Debian and doing something out of courtesy. Hah.

    Sorry, if I ever get the chance to buy you a beer I'll do that, out of sympathy for having hope.
    There's like no chance on the planet Debian will do something out of being sincerely nice and respectful when they can do it groaning, in wrath and self-righteous.

    I know quite a few really!!! nice!!! people on that project.
    Each of them, individually strives for the best possible outcome.
    The project as a whole acts so inhumane it needs therapy.

    • Jay says:

      This is exactly what I mean.

      Debian does this, the Coder does that, the whole he said she said crap.

      Get off of your ivory towers and take a look around you. The users are the consumers at the end of the day. They are not coders or analysts or even technically competent. This is just one cock measuring contest over code and it is bullshit imho.

  29. What's so amazing to me, in light of all this, is that the Dali Clock Y2K Easter Egg ever made it out in time.

    Regarding XScreenSaver itself: as an end user I'm not sure what I should do about the problem. The download page strongly advises seeking out a binary package and I don't know that I could get through building it from the source. I'm not terribly familiar with any of that stuff.

    (Hopefully this time I didn't screw up and post this as a reply to someone else's comment.)

  30. Bill says:

    Congrats, Debian community and maintainers! You just guaranteed that I will never again install Debian and will advise all of my clients to do the same.

    There's like two sane, polite posters in the bug report surrounded by a bunch of ethically-challenged self-righteous FUCKING SHITHEADS who should permanently log off and DIAF/FOAD/etc.

    • Jay says:

      You do realise that this only applies to the light desktop versions of Debian right?

      I am sure that your clients number a count I can make on my one hand.
      No loss there Bill (Gates?)

      • Bill says:

        Yeah, because I'm the only person that is put off by the community behavior and this is the first time they've acted like this. Keep burning small bridges and eventually you're stuck on your island all alone.

        PS: Don't strain yourself with the big numbers there, Jay.

        • Jay says:

          You don't think that the "community" is driven in part by developers?

          I am in no way defending the behavior of a few people on a public forum but to try to detract from the end user experience is exactly the way to isolate your self.

          • Karl Ramm says:

            The more people stop using Debian and tell other people to stop using Debian, the fewer people complain to our host. Keep at it.

        • Jonathan says:

          > Keep burning small bridges and eventually you're stuck on your island all alone.

          That's almost exactly how I'd describe what you are proposing doing, for yourself. I mean, don't let me stop you; but judging the entirety of Debian (or Free Software in general, as others in the peanut gallery here are doing) on the basis of the behaviour of some participants on that Bug thread, is somewhat trigger-happy. Because that thread, being entirely open to post by anyone, reflects the reality of Debian about as well as this one does JWZ. Notice that the bug page starts with "Maintainer for xscreensaver is Tormod Volden". And notice that Tormod Volden has posted to the thread exactly zero times.

  31. Jered says:

    Man. Patching to remove the warning and not actually updating the software is a bit like the boss who tells to just delete the failing unit tests, innit?

    I have nothing useful to add other than if the Debian package maintainer won't keep up with updates, he shouldn't be the package maintainer. If nobody wants to maintain the package, then it shouldn't be in Debian. Also, water is wet.

    I've been running into the reverse problem with cyrus-sasl2 lately, but that's a separate rant. (I'm so glad critical authentication infrastructure used by everyone hasn't had a release since 2012 and is dripping with bugs.)

    • Jay says:

      Yeah, the security updates are backported into the stable release.

      The issue we are discussing is the timer set into the source that only addresses the software main version, that tells the user that the distro they are using is somehow unsafe.

      • Ben says:

        > Yeah, the security updates are backported into the stable release.

        Prove it.

        • strowger says:

          xscreensaver (5.30-1+deb8u1) jessie-security; urgency=medium

          * Add upstream patch for "xscreensaver aborts when unplugging second
          monitor" security issue (closes: #802914)
          http://www.openwall.com/lists/oss-security/2015/10/24/2

          -- Tormod Volden [address removed] Sun, 25 Oct 2015 11:35:52 +0100

          • Ben says:

            He said "updates".

            If they already forked it by creating an out of date version with a small bit of newer code, why are they being such bitches about committing to the fork?

            • Aigars Mahinovs says:

              Every package in every distribution is a fork. All distributions slightly change nearly all software so that it is better fit to other software in the distribution. That is what distributions are supposed to do, that is why it works.

      • Jeff Warnica says:

        Do you honestly believe that if someone was hand picking security updates in the code to backport wouldn't have noticed this, and just quietly removed it?

        • Jonathan says:

          We don't need to just believe it; we can point at the backported security fixes in the stable package and see for ourselves. Helpfully the packaged source is maintained in a VCS and the backported patches are stored individually, so one can clearly separate Debian's changes from the upstream source. Here's the patches for the stable release: https://sources.debian.net/src/xscreensaver/5.30-1%2Bdeb8u1/debian/patches/

          It is a shame that the maintainer missed this mis-feature and didn't remove it by the time that release was frozen, and that does question how thoroughly the maintainer was familiar with or vetted the source.

          • Zygo Blaxell says:

            The Debian release cycle is three years long (2 years between releases and another year of security patches after that). That's a feature of Debian, not a bug. Debian is not for people who enjoy regressions.

            Any package in stable that changes behavior during that time creates a bug in stable, i.e. inclusion of that package in the stable release would result in a defect in the stable release. What Debian is doing now is definitely wrong in that sense. The disagreement is over what to do about it.

            Since Debian already exercises considerable editorial control over packages when it alters them for Debian's needs anyway (e.g. altering the words in barcode, separating webcollage and bsod from the other hacks, and stripping out dnalogo), Debian could modify the trigger date to match its own release cycle.

            • Jonathan says:

              I am fully aware of how Debian releases work, I am a Debian Developer. I have not advocated for doing anything to the XScreenSaver package that is against policy. I merely think it's a shame the maintainer didn't catch and remove this mis-feature in the package before jessie was frozen, prior to release. After all, the package we're talking about started life in unstable, as they all do.

              Debian does not have a predictable release cycle (merely an aim) so just changing the trigger date would not help.

            • jwz says:

              Changes I also strongly object to, by the way, and another reason I would be happy for them to simply not redistribute my work at all.

            • I am now feeling oppressed.

  32. Andres says:

    Actually, this entire episode is a fantastic example of why Debian shouldn't update xscreensaver in its stable distribution. The version being discussed was released in 2014. If they'd stuck with an older version, it wouldn't include this message (aka "feature"), and we could've skipped this whole thing. Who knows what'll be in the latest release of xscreensaver? I run Debian stable specifically so that I don't get surprised by changed behavior when I apply security updates.

  33. smlvcfncst says:

    Well, the only thing I could say after reading your complaint, jwz, is that I'm sorry. I appreciate your job very much and I thank you for it. I've just started using Linux, and I thus don't know how to compile myself. Thank you for your job. :)

    • Jonathan says:

      Given

      a) the vast, vast majority of xscreensaver users are so via distribution packages, either Debian, Ubuntu (inheriting Debian's packages), Fedora, Red Hat (old releases at least: seems they don't package it anymore), etc.
      b) a substantial proportion of those users are of the "ask dumb questions" variety
      c) those users who do install xscreensaver directly from you are more technically sophisticated and less likely to ask dumb questions

      May I suggest that the simplest and most pragmatic solution would be for your support policy to be

      "I do not support xscreensaver, I just write it. If you have problems, contact your distribution."

      • Zygo Blaxell says:

        But jwz does support xscreensaver. Debian is the thing he is not supporting here.

        • Jonathan says:

          I appreciate that; what I am suggesting is that this support is value-less. The people who use XScreenSaver directly are savvy users who basically do not require support. The people who need support are getting the packages from Debian or elsewhere. And there are far, far more of them. Offering any kind of support is inviting the unwashed to bother him, and not of much value to the direct users anyway.

      • Jeff Warnica says:

        JWZ provides extensive *detailed* technical support for xscreensaver in the FAQ.

        JWZ does not provide "how do I use my computer" level of support.

        Debian does. Or actually, doesn't, as this case proves.

  34. UnlikelyLass says:

  35. Mark Craniac says:

    I believe this is the single longest discussion in the JWZ blog collection.

  36. Gianni says:

    You seem to have a liking for the whole "if it is legal, then it is right" narrative. For that reason, I would like to give you two alternative points of view:

    1 - I will always take into account what your opinions are about your software. You are, after all, its creator. However, I will always be the ultimate judge of what runs on my computer, and in particular I believe it is my inalienable right to alter any piece of software that I run. If you actually think that you can tell people what to do with their computer, then you must be one of the guys who think "If it's written in the EULA, then it is legally binding" or "Tesla should not be allowed to sell cars directly to end users" or "Uber drivers should not be allowed to operate in order to not attack the existing taxi drivers lobbies" (the last statement occurs in my country, Italy; I am not familiar enough with USA laws to understand their situation).

    2 - You released your software under GPL. That license is a philosophical statement, before being a copyright notice. The people that developed the license have a very strong opinion of what the rights of the users should be, and thus made such a strong license. So no, Debian people don't think that "it is legal so it is right". They truly and sincerely think that it's their right to modify, rebrand and redistribute your software.

    My final comment is this: if you don't agree with the last statement of point 2, you shouldn't be releasing your software under GPL. You should take your code, shove it in your ass, and get the fuck out of the open source community.

    • Gianni says:

      PS: I would like to add that I still think that, whatever Debian wants to do with your software, they should do it. They can remove the time bomb, package it, distribute it, and don't bother you or anyone else with the story. In fact, I'm really disconcerned about the whole issue. After all, you are right about not wanting to be bothered by bug reports on older versions.

    • jwz says:

      Actually I didn't release my software under GPL, and I haven't done so in decades.

      The reason I'm not arguing with you people about license terms is because I'm not arguing about the law. I'm saying, "Hey, how about not being a dick?"

      • Gianni says:

        I made a point to check what the correct license was but forgot along the way, made a fool of myself.

        I would like to point out that my point 1 was not about the law.

        Anything more would be distasteful, so I stop here.

        • cthulhu says:

          Oh, you made a fool of yourself about much more than jwz's xscreensaver licensing...

        • callmenerdly says:

          "I made a point to check what the correct license was but forgot along the way, made a fool of myself."

          This makes no sense. You're saying that we should blindly ignore half of your strongly worded argument because you forgot what you just read?

          If you're trying to salvage some credibility it's not working.

          • Gianni says:

            Old topic, but let me say that the argument works the same if you go with a generic open source license. Anything that grants anyone rights to modify and redistribute, provided you keep the original licensing somehow. His license satisfies these requirements.

            • callmenerdly says:

              "Old topic, but let me say that the argument works the same if you go with a generic open source license"

              No, the argument you are trying to make is only true for "free and open source" (FOSS) licenses. Most generic open source licenses are not free ("as in speech"), though, meaning you can likely look at the code and use it, but you possibly cannot legally publish it.

              Regardless, no one is contesting the license of xscreensaver. The issue is that Debian is misleading its users as well as damaging the xscreensaver developer and brand by calling an out-of-date, buggy version of xscreensaver "stable."

              The users are misled because if they were actually aware of the state of Debian's xscreensaver, they'd know better than to waste their time filing reports for bugs that will never be fixed for them.

              The developer is damaged because he enjoys making xscreensaver, and getting spam that frustrates him makes development of xscreensaver less rewarding.

              The brand is damaged because Debian users falsely associate xscreensaver with bugs that will never be patched (unstable behavior), when in reality said bugs have long been fixed.

      • luvr says:

        I'm puzzled about how your licence goes together with your demand that some of your code should not be altered. Mind you, I'm not saying that you should remove any such restriction; that's your call, and yours only.

        However, according to the XScreenSaver Manual, your copyright notice says:

        Copyright © 1991-2015 by Jamie Zawinski. Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation.

        It does say, right there, that it is OK to modify the software, doesn't it?

        If you want to place any further restrictions on how you software is handled, shouldn't that be stated right there in the copyright notice? Or, alternatively, shouldn't said notice point to some other document that explains any further licensing conditions? I'm a bit at a loss on how simply adhering to the copyright conditions can be considered wrong in any way (but, granted, I'm in no position to say anything authoritative on these matters; I'm just trying to express the questions that this issue is leaving me with).

        • jwz says:

          I'm puzzled by your reading comprehension. I can't use smaller words.

          • Mark says:

            I'll take a shot with small words:

            JWZ: You can change the code how you want to, but please don't change this one piece. For me.

            Them: We don't care what you want.

            JWZ: You can do what you want, but please don't be a dick.

            Them: Fuck you.

            JWZ: Fuck you, too.

            I think I fail. My small words are the same as the others.

            • Aigars Mahinovs says:

              See, if that was in the copyright file, then xscreensaver would not have been distributed by anyone, because it would no longer be free software. Freedom to modify and redistribute modifications is a fundamental part of free software. You can not just wave that away, not even for a small part. As soon as you do that, your software is no longer free software. It is really black or white. By design. So that users of that software get as much freedom as legally possible.

              • Mark says:

                Here are the big* words. They might help you.

                *Not that big for real.

                • Aigars Mahinovs says:

                  And that is the problem - not being "a dick" is highly subjective. Jwz thinks that having people run old versions is bad. Debian thinks that changing functionality of software in a stable release is bad (be it by updating it to a new version or by having a time bomb in that software).

                  There was actual software where that was in the licence and that was actually rejected from Debian because that was a restriction on use of the software, which is a bad thing both on philosophical and on practical grounds.

                  • luvr says:

                    "There was actual software where that was in the licence and that was actually rejected from Debian because that was a restriction on use of the software, which is a bad thing both on philosophical and on practical grounds."

                    Which demonstrates how trivial this issue is to resolve: Given that the author wishes to impose such restrictions, saying so in the licence will ensure that the issue won't come up in the first place (or if it does, then it will be blatantly clear that the distributor, and only the distributor, is at fault).

                    Other than that, it is up to the author to decide about the licence. If any restrictions apply that you cannot and will not agree to, then I wouldn't necessarily call that "a bad thing both on philosophical and on practical grounds", but simply a disagreement between you and the author, preventing you from using the software.

                  • jwz says:

                    "The author" is right here, you know.

                    All of you Junior Legal Eagles seem to think that making a change to the license -- even if I wanted to, and I do not -- would result in something other than Debian forking the last version with the previous license and shipping that forever, which is the worst possible outcome for everybody involved, most especially the end users.

                    Truly, my favorite thing about the open sores community is their unshakable faith that all social conflicts have bullet-pointable legal solutions.

                  • Aigars Mahinovs says:

                    The author may choose to do that ... with new versions of his software. Once you release a software with a free software licence into the world, you can not take that freedom back. That is another fundamental right of the users that is guaranteed by free software.

                    Making xscreensaver non-free will likely end like it always has in the past - there will be a fork from the last free version that all distros will switch to and the non-free version will soon disappear into obscurity.

                    The whole of X.Org is a fork from the time when XFree86 project decided to change their licence. And that licence was not even non-free, it was merely incompatible with GPL. Still that was enough to create a fork that everyone switched over to and for the original project to die.

                  • Aigars Mahinovs says:

                    I would say that technically this incident is basically over. There might be some hurt feelings left on multiple sides. There are no technical or legal solutions to hurt feelings. The best thing at this point would be for the hurt people to meet up somewhere over a few beers, hug it out and come to a mutually satisfactory agreement. It has worked for far worse problems in the past. Believe me - I've been there.

                  • Ben says:

                    >I would say that technically this incident is basically
                    >over. There might be some hurt feelings left on multiple
                    >sides. There are no technical or legal solutions to hurt
                    >feelings.

                    >Believe me - I've been there.

                    There's definitely no one here or in all of open sores software who isn't well aware that you are often present and active in turning easily solved situations into legalistic 'solutions' that piss everyone off.

          • luvr says:

            With so much bad blood on both sides of the fence, the issue won't get resolved.

            Which is fine, since nobody is interested in a solution anyway.

            (No, you're not.)

  37. angryuser says:

    Ugh. I read that bug thread. I'm sorry that you have to deal with this.

    This whole issue is Debian's fault. If the package maintainer actually did his/her/its job, they would've noticed the "timebomb" when it was implemented/released. They have the source, and it's not like it is really well hidden or anything, given that it has a HUGE comment block there, which would've jumped out on diff.

    IF they had done their job, we could have had this conversation much earlier (from what I read, 18 months earlier), long before this exploded in the users' faces, and we probably could have come to a sane resolution that satisfies all parties.

    Instead, from what I understand, the maintainer did nothing, and now suddenly - and predictably - this is a huge issue.

    The whole issue is idiotic. I hope that this doesn't discourage you from continuing to support your most excellent software.

  38. Ewen McNeill says:

    Heads up: now also discussed in a post by mjg59, itself further discussed at LWN.

    Ewen

  39. Isambard Mews says:

    Could I please request that the nag screen is kept in Debian Stable. This is clearly not a security bug and my set-up expects and depends on the nag screen being there. Thank you.

  40. Niccolo Rigacci says:

    Hi, I'm an end user and I don't want this "misfeature" in this software.

    I'm also a sysadmin and a system integrator, I suggested to use Debian to tens of users, I installed Debian on hundreds of desktops and servers. Now - starting from a few days ago - I know there are lots of users who are scared and disappointed by that rant: they just want to use their boxes for 3/4 years without hassles. This is a time-bomb, no more, no less.

    If you don't want someone to remove the time bomb, please change license and go in peace. In the meantime I recompiled it with the "return 0" and distributed the package to all my users. I will advocate the Debian maintainer to do the same.

    Free software means freedom to remove unwanted features, choose a different license if you do not agree.

    • Jeff Warnica says:

      If you trust JWZ to produce for you a screensaver program, you should trust him that when he tells you that it obsolete that it is.

      If you trust Debian to package software up for you, you should trust them that one of the pieces of software they selected is obsolete when it tells you that it is obsolete.

      • Niccolo Rigacci says:

        Surely it is a Debian maintainer's fault to have not noticed this time-bomb in the first place.
        This software is full of features, a free license means that the user is free to choose which ones to keep, which ones to remove. The "please don't disable this feature" is a pure nonsense rant. If JWZ is scared by too many complaint mails, he can suggest the packager to remove his e-mail address from the binary, and/or slightly change the name so that the bug reports will be filed to the distro maintainer, not to the upstream author.

        • Jeff Warnica says:

          "The user" is retarded; if they weren't, they would have followed the pointed advice and upgraded.

          The maintainer is working hard to cause both the user and jwz grief in shipping dead code.

          • Raphael Costa says:

            Calling the "R" word now...

            You should try to learn what a "stable" distribution is. But I guess you're too retarded for that. Sucker.

  41. Steve Allen says:

    In which arena I see way too many parallels between open source community and rape culture. Consent has limits and no means no.
    Very sad.

    • Jeff Warnica says:

      There are two groups saying no here, so you are going to have to be more clear.

      Unless your point is the meta implications of drunken consent... in which case, you need to specify who gets to play the trump card.

  42. Anonymous says:

    You should join the 21st century and start using something like git.

  43. Bob Ham says:

    Why are you releasing your software and maintaining a website if you don't want people to bother you about old versions? It seems to me that this comes with the territory. Debian have had long release cycles for decades. Why are you complaining now?

    It seems to me that there has been a change. In the past you were prepared to deal with the consequences of being the maintainer of XScreenSaver but now you are not. Perhaps rather than requesting that Debian stop distributing your software, you should pass maintainership to someone who is prepared to deal with the consequences?

  44. alberto says:

    Dear Jwz,

    You are on the software production biz and not in the software distribution biz.

    Problems are different but equally challenging. Making everything working together is quite a goal.

    You chose not to work on this and so you decided this is wasting your time.

    Your claims and choices are quite understandable, really. Creative work is more fulfilling personally. Also, you don't want upon you something you didn't choose.

    But somebody has to do the dirty work, and I'm happy there are people out there who are willing to do it.

    So, can I ask you to:

    - Have almost infinite patience with Debian. When everybody is given a voice, a cesspool ensues, but I am proud of what we are trying to achieve here

    - Try to see the benefit that things like Debian exist. It's easy to dismiss other people's problems, but in the case of Debian we are trying to tackle really big integration problems. Everything is perfectly round in the void, but reality is not. I'm frankly surprised that somehow things keep rolling at all

    - Be as friendly as possible, despite the jerks, not in absence of. There's enough fire usually as it is, without adding the personal one. And I only mean code-wise. You can call me names, I don't give a fuck

    Thanks for your software!

    • Asm says:

      I believe the issue is that the Debian maintainers have the general idea that it's fine to piss in the author's cornflakes if it makes their job easier.

      It's pretty damn clear to me that if the software author does not want people to include his software due to them fucking it up (by not keeping it up to date), they should perhaps consider... I dunno. Not including it? But that'd make sense, which is a rarity in the Linux world.

      "Oh, but it's open source so that means we can do whatever!" Sure. You can. Should you, though? There is a difference between legally valid and morally valid.

      And the gall of the people that want to remove the warning but otherwise keep on truckin': Grow up. "Ooh, oooh, but it'd be much work to replace it entirely! And the alternatives are bad!" - so instead you pick a solution that's wrong on both levels, ignoring the author and keeping bugs & security holes around. Great work.

    • Ben says:

      He's not in the "software production biz" or "software distribution biz". He's in the alcohol and pizza biz. 'Biz' means making money.

      He is in the software production and distribution hobby, and is doing reasonably well at both as evidenced by his software being on a fuckton of computers.

      Though Debian does do a good job of deliberately making his biz slightly harder without giving back, by stripping out the one small piece of his software hobby that advertises for his 'biz'.

  45. Cat Mara says:

    Thanks for the heads-up; by coincidence, I was doing some experiments with the desktop environment on my Debian/Devuan machine recently and when this message started appearing, I thought I'd borked something...

  46. Gram says:

    You are an asshole!

  47. Jake says:

    Just a suggestion, but why not just add the relevant .deb, .rpm etc packages to your download page? Yes, it's extra effort, but it's got to be less effort than explaining the solution to everyone over and over again.

    • jwz says:

      My download page does link to this page, which is the latest release. I would hope that if someone running the so-called "stable" Debian release clicked on one of those links at the bottom, they would find themselves running the latest release of xscreensaver. But I assume that is not the case. I don't actually know, because (it may not surprise you to learn) I do not run Debian.

      • Jake says:

        Miraculously enough, it is.

        You know, I wonder if we're not all barking up the wrong tree here. I'm not using straight Debian; I'm using Lubuntu, which doesn't actually use xscreensaver by default. And Canonical are pretty infamous for leaving outdated versions in the repository unless the original uploader stays on top of it or it stops working; this wouldn't be the first time I've had to pull a .deb package of a more up to date version of something off Debian's website.

  48. Raphael Costa says:

    It's your fault for announcing your own personal email in a pop-up message. Submit a patch to Debian removing the popup or changing the email to Debian's Bug Tracker.

    Or...

    Leave Free Software development. Go proprietary, do it. We don't need dicks like you causing trouble. For such a "highly respected" person you should be smart enough to know some distributions are "stable", heck do you use Git master versions for everything? If you're so bothered by users using older versions of your software then at least get a faster release cycle.

    But leaving Free Software would be best. We can do without XScreenSaver or that XEmacs crap.

  49. trabby says:

    Yeah, I should totally keep my 1000+ server online payments platform bleeding edge because a screensaver dev is annoyed about duplicate bug reports. /s

    • Kevin Lyda says:

      You're running screensavers on your 1000+ servers? That seems very stupid.

      • Jonathan says:

        Rofl I saw the exact same comment on reddit for this story, and I made the exact same reply.

      • Aigars Mahinovs says:

        If the servers have displays with X running and some local monitoring displayed there (as was common a decade ago) so that a tech could walk up, replug the KVM and check the server without relying on the network working, then locking that session down with xscreensaver is an obvious choice.

        But this is about more than a screensaver, it is about an upstream developer inserting a timebomb into the code because of an irrational fear of old versions. Imagine more developers following that.

        • Kevin Lyda says:

          1,000 servers running ***X*** to do maintenance work on them? That's insane. The energy waste in that should honestly be criminal.

          As for your second point I assume the result would be Debian finally realising that "stable" is an attribute of a software package and a system, not the attribute of a date.

          • Aigars Mahinovs says:

            You don't even need to run xscreensaver actively to get the nag message. It is sufficient for it to be in the session. There are schools that have display servers with hundreds of X users per server. Those do not get upgraded more often than once every couple of years. There is no real energy impact from just having X run in the background not doing anything actively.

            "Stable" in Debian is an attribute of a particular version of a package that has been patched for all critical and security bugs and will never change functionally until the user decides to upgrade to the next Debian version. That is stable. That is software that will never break on you. That is the whole reason millions of people use stable distribution versions in all important use cases.

            A new version of the software that the developer just released cannot be defined as stable until it is proven to work and not have critical bugs by a large number of users for some time period.

  50. Mark says:

    Wow. I expect something like this to happen when jwz writes a post with "Apple" in the title, but I'm frankly amazed to discover there are still this many people who give this much of a crap about Linux. Not at all sorry that at least I personally managed to move on.

  51. johnboy says:

    #!/bin/sh

    # works on debian wheezy

    # version of 2015-October
    set -e                      # abort on the first failing step instead of carrying on

    VER=5.34
    APP="xscreensaver-${VER}"
    TGZ="${APP}.tar.gz"
    URL="https://www.jwz.org/xscreensaver/${TGZ}"

    cd /usr/src
    # install the build dependencies of the packaged xscreensaver
    sudo apt-get -y build-dep xscreensaver
    wget -O "/tmp/${TGZ}" "${URL}"
    sudo tar -xzf "/tmp/${TGZ}"
    # hand the unpacked tree to the current user so configure and make run unprivileged
    sudo chown -R "${USER}:src" "${APP}"
    cd "${APP}"
    ./configure --prefix=/usr --with-gl --with-pam --with-gtk --without-kerberos --with-hackdir=/usr/lib/xscreensaver --with-configdir=/usr/share/xscreensaver/config --mandir=/usr/share/man --with-login-manager --with-x-app-defaults=/etc/X11/app-defaults --with-proc-interrupts
    make
    sudo make install

  52. Anonymous says:

    Fuck you.

  53. Gram says:

    There is a workaround for the popup at boot. Open .xscreensaver in home. Change "lock: false" to "lock: true". No more popup.

  54. Carlos says:

    This is a bit rambling; pray forgive me. I've been reading the comments on jwz's post, and the Debian bug, since it was first posted.

    My credentials aren't important, but I maintained a Linux distro many years back, and have been a free software author since the 90s. A couple of my packages are carried by most of the major Linux distros and BSDs. So I see both sides of the fence, as it were.

    And jwz is 100% in the right here. This isn't a matter of point of view or perspective, or shades-of-grey; jwz is morally and technically right in every detail.

    The Debian commenters who think it's okay to remove the obsolescence warning jwz added do not understand that (a) every bug/change in a package like xscreensaver is a security issue, and (b) not every change in a codebase necessarily makes it into a changelog. And many bugs are not known immediately to be security problems, but turn out to be so later, so relying on a maintainer to "just mark the security-related ones in the changelog so we know what to port" is total horseshit.

    Debian has a policy of not updating software in a "stable" distro, instead backporting security fixes from later versions. That policy is understandable in that it was arrived at because far too many software packages break things randomly in seemingly-minor version bumps. Some packages/libraries completely break their API or ABI with what seems like every release.

    However, xscreensaver (and my software) are not like that. jwz goes to great lengths to not break things when he updates. That fact, plus the fact that xscreensaver is security-critical, should mean that Debian does not apply their policy to this package. They should track jwz's version exactly. The result will be just as stable as now.

    It's this religious, mindless application of "the policy" which is so infuriating. It shows that the bureaucrats really do have control over the Debian project, to the active harm of both Debian users and upstream authors - as well as Debian's reputation. The users on the bug ticket mostly sound like five year olds who've just been told that Santa took a shit in their Cheerios.

    My own packages have suffered somewhat of the same treatment. I thought I had good relations with the Debian packagers, but I find they've not kept up with the upstream versions, while also implementing changes/fixes totally different from bugfixes I've applied to my versions. In at least one case, the Debian maintainer managed to actually not fix the bug he was trying to fix, while also introducing a brand new security hole. None of these bugs, nor this security hole, would have affected Debian users had they simply tracked my upstream - which has been very careful to not introduce any backwards-incompatible changes in over a decade.

    To put the cherry on top, the freetards think, as jwz says, that removing the warning and harming their users is just fine as long as the license technically allows it, even against the express wishes of the author. Fuck 'em all.

    jwz: thanks for xscreensaver. Debian: please, please change your culture. The inmates are in charge of the asylum.

    C.

    • Fabian Mueller says:

      Carlos, you claim to see "both sides of the fence" but still completely ignore Debian's viewpoint here. Furthermore, you would need to _introduce_ bureaucracy to differentiate between packages and how close the upstream version should be tracked, basing these decisions on (very) soft criteria. The current (strict) procedure therefore merely _avoids_ this kind of bureaucracy and leads to very deterministic results, which in my eyes outweighs the disadvantages by far.

      I also do not see the reason for such a heated discussion (so many f***-words...). I have the strong impression that jwz deliberately provoked this trouble for whatever reasons.

      • Carlos says:

        No, I do not ignore Debian's position. I understand it. However, the bureaucracy has taken over - the imposition of "the policy" in an unthinking, un-analytical manner is proof of that. The original goal of the policy is ignored, and the policy is applied just because it is the policy.

        The policy, as applied to xscreensaver or my software, does not accomplish the project's goals. It actually retards Debian in this respect. That is the proof; the policy is actively harming the project and preventing the project's goals from being accomplished, but it must be adhered to because it is The Policy.

        And regarding your sensitivity to "curse words" -- shit, piss, fuck, cunt, cocksucker, motherfucker, tits -- as Frank Zappa said, the notion that there exist words so powerful that merely hearing them will corrupt the listener is preposterous. Grow the fuck up.

        C.

        • Fabian Mueller says:

          It is no problem for me to read such words, my problem is to take their writers seriously. Which sometimes makes it their problem, too, if they need something from me.

          Indeed, sometimes I am quite grateful that some people make it obvious this way that their "arguments" are not worth reading and that it might well be a good idea to do the opposite of what they claim.

          In that sense: Thank you!

          This is supported by your complete lack of understanding of what I tried to explain to you: You can call Debian's behaviour dogmatic or inflexible, if you want, but this is _not_ bureaucracy. Bureaucracy would be if you had to fill in 10 documents and hold 20 conferences to decide at which pace a package's update should proceed. In regular intervals, of course, since the circumstances could change, too.

          I use Debian on some systems when I think their way fits its needs best. I hope they do not change it. There are many distributions which handle it the way _you_ prefer. I think it is an advantage to have the choice. Why would you try to make them all the same? Different distributions, different applications, different policies. Believing in the one perfect way that fits all needs is naive and childish.

          Have a nice day ;)

  55. margaret says:

    this post started out very difficult to fap to. i thought i'd have to scroll back to cthulhu fleshlight, previously.

  56. padlock says:

    The real question here is:

    Why is it impossible to keep a Linux distribution up-to-date and stable at the same time?

    The answer makes this whole issue obsolete.

    • margaret says:

      Let's say you are a distro publisher, your sister is a developer, and your mom is too. You collect a nice set of packages and release it into the world. Your mom releases mom_widget 2.0 which gets 314% better performance by using cosine waves instead of sine waves. Your customers go crazy and demand you upgrade mom_widget to the latest version. Your competitors are all on board. You start doing testing and discover sis_app crashes with mom_widget's new wave library. Your sister is in rehab and won't be out for a while, if ever, and has no intention of "fixing" her code just because mom changed her code. Mom couldn't care less about sis_app because she has another shitty app that she says has all the same features for only $4.99 a month.

      So, Mr. Distro, do you remove sis_app and lose those users? Or do you not upgrade mom_widget and lose those customers? You will either have an up-to-date or a stable release, but not both.

      Now, multiply this out to tens of thousands of applications, libraries, hardware, firmware, drivers, languages, blah blah blah, with however many dev teams, companies, private individuals, and other hangers-on that comprise a distro. Every piece has to work with every other piece. One man's bug is another man's feature.

  57. Sanders says:

    jwz Thanks for xscreensaver, much appreciated here.

    I use it on my media centre via Ubuntu, my little kids love it, the ants, the jumping cow, the gravity, the broken screen, the old computers, etc.

    They always ask me to tell them the history behind them, what do they represent, they love the whole thing.

    I thought it would be nice to let you know.

  58. callmenerdly says:

    It's hard to properly fork code. Open source gives people the means to do so, and a license provides legal authority, but neither of these actually provides meaningful justification.

    This incident highlights how neither open source, nor copyleft (and its twin copyright) will truly reconcile ownership and stewardship disputes. What reconciles these disputes is the actions of people who make impactful contributions to the software.

    That Debian maintainers seek to freeze xscreensaver into their framework, while jwz has actually been improving it in these last two years, indicates jwz is the credible steward of xscreensaver. Debian is supporting legacy software. Debian folk should acknowledge this, take criticism in stride (i.e., cut the drama), and go about their business.

  59. Some Name says:

    And OpenSuSE and Slackware just patched away the deprecation warning when it was triggered there.

    Patch for Slackware:
    https://slackbuilds.org/mirror/slackware/slackware-current/source/xap/xscreensaver/xscreensaver.no.expiration.date.diff.gz

    For OpenSuSE I took a brief look at the source rpm and it also contains a patch to remove the warning.

  60. jer says:

    I was wondering what this reminded me of.

    https://bugs.gentoo.org/show_bug.cgi?id=534212

  61. Rpd says:

    I understand everything.

    But I still don't want to see the warning every time I log in.

    Please tell me how to disable it.

      • Rpd says:

        This is not an answer. I want to use whatever version my distro ships and I don't want to install anything from any other source than official repositories of my distro. You inserted a pop-up window in the code and I couldn't care less about the version of your software, but I want to disable that pop-up window. Every time I turn on the computer, I have to see your bloody warning that cannot be disabled. You could have made it at least so as to include some settings, an "I don't want to see this message again" checkbox. It's software developer's elementary ethics to make such popup windows this way. Otherwise I'll trashcan your software and I won't have a screensaver at all. I'm not going to install GNOME libraries for the sake of a stupid screensaver. It's better, then, not to have any screensaver.

        • Yithar says:

          It's hard coded, so you'd need to compile, either removing the popup like Debian did or upgrading. And well, suit yourself then.

        • jwz says:

          Ok then, uninstall it.

          I strongly believe that what your distro does is wrong, and harmful to their and my users.

          If you like how your distro behaves, but do not like how xscreensaver behaves, it would make perfect sense for you to not run xscreensaver.

          • Mario says:

            jwz,

            which distro do you recommend?

            (And many thanks for xscreensaver!)

            • jwz says:

              which distro do you recommend?

              MacOS 10.11.

              (And many thanks for xscreensaver!)

              Glad you like it!

              • Mihai says:

                MacOS 10.11.

                Speaking of which, Apple seemingly ships unpatched git and updating is almost impossible:
                http://rachelbythebay.com/w/2016/04/17/unprotected/

                mini$ git --version
                git version 2.6.4 (Apple Git-63)

                Is anything wrong with that? Well, yeah, actually. Say hello to CVE-2016-2324 and CVE-2016-2315, present in everything before 2.7.1 according to the report. You should check this out.
                Remote. Code. Execution.
                But what if you couldn't upgrade it? Remember when I said El Capitan? Apple is doing something new which basically keeps you from twiddling certain system-level programs without going to fantastic lengths. Not even root is enough to do it. In short, you can't just replace /usr/bin/git.

                (of course, many thanks for xscreensaver)

    • MetaRZA says:

      Compile and install xscreensaver from source. That's the easy way. The hard way is to convince Debian to upgrade to the latest version. Slightly less hard would be to switch to a distro that already has the latest version.

  62. dilworks says:

    One thing is clear: JWZ can't deal with end users. At all.

    And unfortunately your average end user doesn't even know what the hell a "bug tracker" is - if Shit Breaks™, your average end user will google $APP_NAME, and obviously the first hit will be UPSTREAM, not their distro page. No amount of manual/wiki pages or software patches will fix that (just like nobody can fix global mankind stupidity), so as an upstream developer you should just Deal With It and don't be a dick. Telling your end user "just go and compile the newest version from source" is an excellent way to drive them away from your software, eventually leading to a smaller userbase.

    Be more polite and less of a dick - that should be the golden rule for any Open Source Software project regarding relationships with end users.

    (BTW: If you want more up-to-date software on Debian, Testing is only a couple of lines away - good luck pulling that stunt on production servers or biz workstations, where when Shit Breaks™, expect doom and mayhem and a pink slip that day - and yes, I've had my ass bitten by being too up-to-date with a lot of things, from device drivers to text editors)

    • Mark says:

      Speaking of reading comprehension, I have yet to see jwz tell any end user to compile from source. The xscreensaver download page says "I distribute only source code for X11 systems. However, if at all possible, I strongly recommend that you install a binary package rather than compiling it yourself." And yes, he does provide links to such packages.

  63. anonymous says:

    Change the license if you don't want people modifying your code.

  64. Spinderbok says:

    I am a Debian developer and I give zero fucks for xscreensaver. Have a nice day.

  65. Cat Mara says:

    I think that Debian should consider honoring jwz's request to remove xscreensaver from the core distribution. The "long term stability" guarantee that the Debian project wishes to provide its users is in conflict with the way jwz wants to develop his software. There can still be xscreensaver .deb packages for those who want to run it on Debian or a Debian-derived distribution hosted on Launchpad or somewhere similar so the releases of the package can track jwz's source releases more closely. There's plenty of packages out there like that, that aren't included in the mainline distribution.

    • Aigars Mahinovs says:

      Debian is not about honoring the requests of upstream developers. Debian is about serving users. If the two conflict, then serving users will always win. At this point shipping an old and very stable version of xscreensaver with all the security issues fixed by minimal bug fixes is the best way to serve Debian users. And that is exactly what Debian has always done.

  66. halibetlector says:

    Every once in a while I wonder "Why don't more companies make software for Linux?" Then threads like these pop up and remind me why.

  67. Mark says:

    I use xscreensaver on my mac os x computers. Works great and I love playing with the different savers. Coworkers are amused by them also. It's also neat to have xscreensaver on an ipad, if fairly useless.

    Please don't get discouraged by the linux users out there. Not all xscreensaver users are like them.

    • Mark says:

      *not counting sane versions of linux such as slackware, etc, whose users are by far in the minority now :(

  68. Tvrtk says:

    Problem solved:
    sudo apt-get install faketime

  69. Leonid Isaev says:

    Interestingly, no one considered just ignoring the Debian policy and simply pushing the latest XScreenSaver to all Debian flavors. Politics, yay! Oh, well, this is why I have run ArchLinux for a long time.

    Thank you a lot, JWZ, for your great work and also kudos on the website design.

    • Aigars Mahinovs says:

      Yes, no one considered potentially breaking an important piece of software on millions of computers of people that have explicitly chosen to use old and unchanging software versions just because one upstream developer wished so.

    • Linus Borgreen says:

      Arch Linux removed the time bomb in the package. There is a dedicated fucking patch that does nothing but remove the time bomb from the Virgin code before compiling it.
      They are literally Devils.

  70. Jaguar_anon says:

    Thank goodness. Glad to get rid of Xscreensaver. Hope it is removed from Debian entirely. The attitude of the author sucks.

  71. wolfsnase says:

    geez, I screwed up the formatting in the above post - can be deleted

    To most people, "running the latest release" is synonymous with "running the latest release that my distro packages for me."

    Exactly. Because most people are not able and/or willing to compile this, compile that, compile yet another one. Or are able/willing to add this repo, that repo, add yet another repo to their distro's package manager. Or do distro-hopping. So the distro packaged version is the latest release they have access to.

    When they even bother to tell me what version they're running, I say, "That version is three years old!", and they say "But this is the latest version my distro ships".

    Well, I guess back in the days when the first versions of xscreensaver were written, it was almost impossible to imagine a madness like *buntu (which is African for "I don't know nothing about that linux thing but it looks cool on my computer" and unfortunately someone messed up the translation) jumping into existence. We all have to live with things like that.

    Then I say, "your distro sucks", [...]

    I've come across quite a few distros and they all suck. The question is not 'does that distro suck' but 'how much does that distro suck'. It's not (only) the technical aspects, but also (but not limited to) the number of 'me too, anybody got that fixed?' posts in forum threads 'discussing' technical problems on one end and the number of zealot experts with their my-distro-is-holier-than-yours attitude on the other end of the 'os social spectrum'. I totally agree with you that it would be great if we lived in an ideal world -- which says we don't, so even as someone who's technically literate I end up with a distro that might not be the best one in some technical aspects (i.e. security). I can live with that. And I'm glad if people let me live with that.

    [...] and they say "but I don't know how to compile from source, herp derp I eat paste", and everybody goes away unhappy

    I know how to compile from source. I do that already for a number of software packages. But that's not the thing I want to do over and over again. And the holy trinity of ./configure, make and make install does not always work as expected. If I'd like to have something I can constantly fiddle around with I'd get me a model train. I expect the distro I run to take care of that for the majority of software I use and provide packages that can be installed easily - at least for security fixes. Besides that, I don't care much about updates/features. To my best knowledge the debian 'stable' line does a good job in exactly providing that (which is why I picked that poison).

    It wastes an enormous amount of my time, and kind of makes me regret ever having released this software in the first place.

    Putting stuff on the internet can be like throwing a boomerang. If 'the other side' doesn't grab it (here in terms of understanding it, agreeing to it) or get hit by it (here in terms of being struck by awe), it might come back and hit you. Good intentions do not necessarily decrease the risk. You should have known that in the first place.

    So seriously. I ask that if you're planning on disabling this obsolescence warning, [...]

    So you knew beforehand some folks would say, 'screw that "feature"'. That's like 'don't eat from that apple (of feature deactivation) or you will be banished from paradise (of security)' - totally useless.

    [...] that you instead just remove xscreensaver from your distro entirely. Everybody will be happier that way.

    I don't think so. I get it that you would be happier. Quite a few people would be pissed. Including me. So I hope that wish for removal will be ignored, and chances are high that it will be ignored.

    Check out gnome-screensaver instead, I understand it's really nice.

    I wonder why you had to mention that giant turd of crap software. Recommending something to users that brings a dependency hell with it and bears more bugs and security holes than a stray dog bears fleas is not 'nice'. Recommending it to package maintainers isn't either.

    Of course, my license allows you to ignore me and do whatever the fuck you want, but as the author, I hope you will have the common courtesy of complying with my request.

    I'm not sure what you mean by 'common courtesy', but I guess it's not the kind of courtesy you showed in Debian bug report 819703 / message 158 towards an unsuspecting user. Besides that, the above statement from you is a classic double bind. A good strategy for dealing with double binds is to not take them seriously and/or not let oneself be limited by the options given.

    As a dev, I can roughly estimate how much work a piece of software like xscreensaver is. I'm not walking in your shoes but I think I can at least partially understand your frustration. But the way you are trying to tackle the problem is weird. At times, your behaviour is kinda obnoxious.

    Last but not least: a big thanks for xscreensaver. I've been using it since around 1996. Besides the nagging screen that started popping up a few days ago, it's one of the pieces of software I really appreciate and I see no viable alternative for it. I'm happy to go with faketime 'last Friday 5 PM' and check back the debian stable repo in a few weeks. If the situation persists, I might think about compiling from source.

    Feature request: what about a config option that users can set to disable the warning screen after they have seen it? You could name it something like 'willing-to-shoot-myself-in-the-foot' to bring your point across once more and at the same time enable users to make decisions for themselves, and we're all done with it. People circumvent that nagging screen anyway. I'm willing to put an order up to 25$ for your favourite beverage delivered to your home and pay for it through paypal. Or order something from your amazon wishlist for you (if you have an amazon wishlist). With this post you'll receive my email address. I don't have tons of money on me, but I guess that's an easy one for you.

    To anyone reading this: Found some errors in my English? Congrats - you can keep them. :)

  72. Sam says:

    I entirely understand you, jwz. I am getting a bit mad that the stable Debian distribution still uses old packages, but I also don't understand how people can be so stupid as to be not able to install the latest version of xscreensaver. Many, many don't know, but the newest version of xscreensaver is compiled and ready to download from Debian repositories. Just go there: https://packages.debian.org/sid/xscreensaver scroll down and download the .deb package for your OS architecture, no worries this will not mess your OS up, but you will have the latest screensaver on your Debian.

  73. mjy says:

    I don't think the Debian pundits realize how annoying and detrimental extremely old code (and missing recently introduced, but popular and useful software) in stable releases is to the average user.

    Perhaps developers ought to add some code that "accidentally" introduces a security problem 2 years after release, because that's the only way Debian maintainers' fat asses will get moving.

    As far as their patching ideas are concerned (removing warnings), I thought they had learned not to touch software unless it's absolutely necessary after the epic Debian OpenSSH fiasco.

  74. Gorja says:

    That's why I left Debian-lala-land and entered the serious plains of Arch... hell yeah, it's not a walled garden, but you have plenty of space to do whatever you want...

    Arch ships with 5.34-1, with optional load-and-compile-on-your-own from AUR...

    btw: doesn't look nice, Debian, to REMOVE an error code instead of upgrading or fixing the package...

  75. AssetBurned says:

    Isn't the really interesting part that no-one from the Debian project checked the source of your project and figured out the issue before they put a version with your legit "TimeBomb" into their product?

    I mean, you just put a little pop-up in. Who knows, in one of the other packages there might be an automatic "I delete myself" in it, and if they are poorly written such a function might run rampant on the system.

    Beside all this, the wording on the bug report side is a joke. You just pointed out the fact that the package is outdated. But they treat you as if you called the end users names. Really?
    I like the spirit of open source software, but such examples lead me to two conclusions. Either do not develop open source, or publish it under your own license that allows you to make sure that your own project has to be removed from other bigger projects if they don't follow what the author wants. :-(
    Both not the most pleasant ideas.

    • Keith says:

      That is because he -DID- call the end users names, and has had a generally unhelpful attitude. Read through the debian bug report again. As well as this comment board (Search for "I eat paste").

      Additionally: A "little popup" can be VERY disruptive, especially when you have startup scripts, and/or PUBLIC TERMINALS that do NOT benefit from sudden popups. It also does use up (I don't care how little) system resources. The real sadness here is that JWZ didn't put in a way to DISABLE these popups, clearly believing that his opinion supersedes everyone else's! Which has added God only knows how many hours to my work schedule, to find an alternative solution that doesn't break the build I have! (I will NOT be using gnome-screensaver, as I am not going to get into dependency hell and risk ACTUAL security risks!) -THIS- is what is wrong with the open source community. These kinds of 'holier than thou' attitudes, not realizing that perhaps MILLIONS OF PEOPLE ARE CURRENTLY AFFECTED BY YOUR ACTIONS.

      • Mike says:

        The real sadness here, is that JWZ didn't put in a way to DISABLE these popups

        Yes he did put in a way to disable them. It's in the latest release of xscreensaver. Just ./configure; make; make install it and you'll see that the message disappears.

        • Keith says:

          -AFTER- the fact he put it in. I repeat, AFTER THE FACT. And again, it's easy to say "Just use the ./configure; make; make install trinity and you're good" when you aren't deploying hundreds of PCs using a STABLE RELEASE :P scope Mike, scope. Some of us are very busy Sysadmins.

          • Mike says:

            No need to SCREAM at me!
            Also, if you have to manage hundreds of computers, I hope you have some better system for managing them instead of logging into each machine and running ./configure; make; make install manually. Hint: There are package management systems and orchestration tools to help you.
            If your favorite distribution ships shitty old packages, it may be time to switch to a better distribution or kick your distro's package maintainer in the arse instead of whining on the original developer's blog. He is not the one who delivers the outdated software to you.

            • Keith says:

              A 2-year-old package with -no- security issues I would NOT consider a 'shitty old package'. Nor does the IT world at large, to be honest. And for any manner of sensitive environment, you want proven, tested, -stable- packages. Not bleeding-edge (example of bleeding edge gone wrong: what many Windows users have experienced the past 6 months, due to having Windows 10 shoved down their throats). Testing something to put the label 'stable' on it takes -time-, and if something newer comes out? That quite literally does not matter. My goal isn't bleeding edge, it's -proven- and -tested- stability.

              "better distribution" And who is the ultimate authority on this? I've been around the block enough to know this argument is a red herring when it comes to Linux. I don't subscribe to the, frankly, stupid "My distribution is better than yours" mentality that seems to still plague the open source community, and I shall continue not to. If a Debian-based system suddenly does not suit my needs, I'll investigate elsewhere (I'll even go so far as to say the blame doesn't -solely- rest on JWZ's shoulders for this mess, but certainly some of it does, especially his attitude). But currently, it suits my needs very well (aside from the subject matter at hand).

              "I hope you have some better system for managing them instead of logging into each machine" We do. It's called building the system without needing to compile things -at all- to begin with. My administration/work environment/situation =/= yours. Not that I can't, it's just that even with a management system and orchestration, that -still- adds what I consider unnecessary time, which I have little of. And adding a system of management for -one package- is certainly not a good use of time in my opinion, especially when the developer of a widely used system suddenly takes the attitude of "It's my way or the highway" and drops all his users in hot water (not to mention berating them because he is upset at the Debian team. Very unprofessional.)

              Finally, I'll state it one more time, as it appears you have misunderstood. I'm not 'whining' about being delivered 'outdated software'. I'm voicing my complaint that the software was -designed- with a timebomb that caught me, and quite a few other users, off guard, with no immediate way to fix what we -have-, by a developer who has berated his users. Upgrading isn't always a fix or viable in a real-world setting. If this were something that would affect only home users, for example in a non-corporate environment, I wouldn't be as loud as I am.

      • AssetBurned says:

        So why do you think about fiddling with source code then, if you could simply upgrade?
        Easy solution, and it would even require less typing than ranting around :-)

  76. blub says:

    So many words, but "maintainer" only fewer than 50 times.

    "Being a Debian maintainer is a responsibility, and responsibility here isn't jwz's." ++
    -> If the package is not maintained any more, remove it or find a new owner.

    In fact: the "this hurts my feelings" message did trigger exactly the right thing - but killed a lot of jwz's time, hmmm.

  77. Robert says:

    There should be a fixed procedure for how to report bugs to you:

    Field: version -> if not the latest, autoreply with "try the latest x.yz"
    Field: distro (Debian, etc.) -> autoreply "please report the bug to the maintainer of the package."

    That should sort out most of the fake bug reports.

  78. mark says:

    What is unfortunate is that they refer to you as "upstream", so they add additional burden onto you in general - e. g. with users using old and outdated versions contacting you.

    Distributions are like a ghetto and they don't want people to leave, so they put everything in a prison.

  79. Keith says:

    JWZ, you don't have to work with Debian, but you set yourself up for this mess, and you can't expect people who are currently using a proven, stable system to be OK with you pulling the damn rug out from under them. Whether you want to accept it or not, whether you agree with the Debian dev team or not, whether they are in the wrong or not, you -are- at the very least ethically responsible in part for the effect this is having on the community at large. And your cursing, demeaning of users (I particularly like where you call anyone who doesn't know how to compile a 'paste eater') is flat out petty. REALLY! Why be so goddamn MEAN to people who, for the most part, adore your software!

    Your attitude is everything that is wrong with the open source community. I don't always agree with the Debian devs, but at the very least, this is a case of the pot calling the kettle black. You've done nothing to warrant sympathy for your cause, by being just as bad as your 'oppressors', in that by adopting a 'throw it all away' attitude, you have abandoned your users/followers/whatever, and I'm sorry, but people tend to not respond so well to "I don't give a fuck about your life or situation, I'm all that matters."

    I hope the situation gets resolved peacefully between you and the Debian devs, but it's going to take sacrifices on your side as well. An ounce of humility is worth a pound of respect. If you want to make a stand, defend yourself with a quiet smile, rather than beat people who have been jarred by their work being disrupted, and prevent them from even having a quick, TEMPORARY solution until the situation between you and the Debian devs is resolved.

  80. Ronny Kaufmann says:

    Please pause the discussion for a little while, so I have the chance to get more popcorn :)

    @JWZ: You're goddamn' right!

    Cheers, Ronny

  81. Aquarius says:

    @JWZ:
    You're doing the work of the gods.

    No one should have to cater to Debian maintainers, who are a bunch of technocrats with the delusion that they have the competence or manpower to patch or package things.

  82. ambient says:

    Two things don't make sense to me:

    1) Why is Debian patching this? This warning message is not a security issue. Removing it is a feature.
    2) Why are they noticing this hardcoded bit only now when it starts showing up on live systems? I thought the whole 'stable' and 'secure' mantra meant that the package maintainers are carefully reviewing the code. How can this message be a surprise to them?

    Under these circumstances, how can I trust package maintainers to implement working fixes for other packages or protect me from malicious program behavior? If anything, reading this comment section taught me that Debian has completely gone off the bad end with its forking policy, making me wish they rebranded every single package they are meddling with, instead of pretending it's just an older ('stable') version with bug fixes.

    My trust in the stability and security of Debian has taken a serious hit now. It doesn't help either that this comment section and the bug report are full of passive aggressive little shits that are offended by curse words. Their behavior shows actual malice, and their circlejerk-ish worshiping of the policy reminds me of what drove me away from other operating systems in the first place.

  83. Nice Guy says:

    jwz, nobody wants you! Go kill yourself!

    • Kartellbruder says:

      I agree and just created a fork of xscreensaver that has "jwz is a idiot" as comment in every source file. I will try to get debian to switch to that. It's on github and has no nag screen

  84. Alex says:

    jwz,
    As a Debian user since the early days, I would like to say: thank you for writing xscreensaver, thank you for maintaining and updating xscreensaver over a magnificently long span of time, and thank you for treating and communicating about xscreensaver as a key piece of security software. Thank you also for being sufficiently passionate about the security impact of your software on users to subscribe to the Debian bug reports for the downstream package.
    I can only, uselessly, express condolences for the unfair criticism being thrown about, and the lack of appreciation for your efforts.
    I say this without regard to the merits of the different points of view on how Debian should proceed. After a cursory look, it seems to me that from a security (not feature) standpoint, Debian is not distributing an out-of-date version, but is synced to upstream's current security patches. Thus, the (well-intentioned) warning message need not apply.

    • Ann On says:

      I think the message is there to avoid people sending in bug reports of fixed non-security issues, not only for security issues. So the nag screen still serves a purpose.

      I second your praise of jwz.

  85. floriel says:

    Oh boy, what a clusterfuck.

    A peaceful little popup message that questions the stable release policy (no updates, only security fixes) gets chopped off by - well, by breaking the very stable release policy it questioned (releasing an absolutely non-security-related "gets rid of message" patch).
    That in itself is as tragic as it is comical.

    But the following stream of stupid, hateful and downright evil comments is frightening.
    Equally frightening is the fact that the maintainer of a highly security-related package didn't even review the changes made in the code of the packaged version, despite taking the time to tinker with other parts of it.

    This is exactly what shouldn't happen. Adding this to the numerous cases of stable releases getting broken by the oh-so-safe-and-tested minimal security backports, I now see absolutely no reason for using a stable release anymore.

    Stable releases are like communism: They both might look great in theory, but in a reality relying on humans they are bound to fail.

    PS: Thanks jwz, for your software and all the years of support. Most people would have gotten frustrated and just given up, years ago.

  86. your site screen saver is very beautiful and my likly site to your site i like it your site.....

  87. Peter Funk says:

    I support Jamie. I use and I've been using xscreensaver on my laptops for many, many years. It is a good piece of software and I am very thankful for having it.

  88. Thankful for Debian says:

    I am thankful for the time that Debian developers and maintainers tirelessly spend for the millions of users that depend on and are empowered by their work. This whole fiasco only emphasizes how important and valuable Debian's work is by providing a buffer between developers and users--at least, developers who are less interested in providing long-term solutions and tools for users than in having fun.

    No one uses Debian stable by accident; we choose it for a reason, and this is exactly why. As a developer myself, I know how easy it is to break existing behavior and add new bugs when adding or refactoring code. In my own projects, I maintain stable, fixes-only branches where appropriate, and I wish all serious software did.

    I am dismayed and disgusted by the vicious, ignorance-driven comments perpetrated against Debian here, on mjg's site, etc. e.g. "I use Arch Linux because Debian..."--Arch already did what you accuse Debian of being guilty of. "Debian maintainers are lazy by not keeping software up-to-date"--Debian patches software in Stable regularly, and their record of patching security vulnerabilities in this package is excellent. I have not seen a comment critical of Debian here that is factually accurate or valid--every one is false and based on utter ignorance of how Debian works, the benefits it provides, and why people choose it. Ignorance is bad enough, willful ignorance worse, and worse still is viciously attacking others from a position of pure ignorance. Utterly shameful.

    Debian does not force its code, its methods, or its policies on anyone. Debian values, above all, freedom, and rightly so. It is clear by the comments here how little value many people place on freedom. Current events show that the computing industry and the world is not headed toward a place of more freedom; someday those who childishly ridicule Debian for their ways may regret their ignorant tirades and come to appreciate liberty and Debian.

    For any who are on the fence and have any sense of decency or care, run these commands (on Debian) and consider how valuable Debian's contributions are:

    $ apt-get source xscreensaver
    $ cd xscreensaver-*/debian/patches
    $ less 22_hacks_barcode.patch
    $ less 23_hacks_glx_glsnake.patch

    Would you want those popping up in front of just anyone who happened to walk in front of your screen? I'd be surprised if no one had anyone whom they valued in their life or workplace that would not be offended by those things. Of course, some people are truly selfish and inconsiderate, as evidenced by this whole situation.

    Let's be clear: JWZ does not own this software. He holds the copyright over the original code that he releases. His license then grants everyone in the world the right to fork it and maintain their own versions with their own rights to them. Playing "please don't do what I said you can do" games is disingenuous. JWZ has been around a long time; he knows how Free Software works. This isn't a children's birthday party where a child gives a gift to the birthday boy and then wants it back; and if it were, the child's mother would take care of that.

    JWZ uses and recommends Apple's Mac OS X over GNU/Linux distros and Free Software? He refers to us as the "open sores community"? (APK, is that you?) Clearly JWZ is no longer a member of the "open source community," nor the Free Software community; he has by his words and actions declared himself a defector. Why he continues to maintain the X-specific and locking code in this project is a mystery. His words and behavior here would seem to indicate that he does not do so out of the goodness of his heart.

    Finally, from the "you-couldn't-make-this-stuff-up-dept.": JWZ gets tired of receiving emails from users about bugs in old versions. To solve this problem, he puts a hidden pop-up message in his software that, when it becomes "old", will trigger and warn people not to use it. In that message, he puts his own email address. Then when people complain to him, he complains about receiving complaints about complaints.

  89. Onur says:

    I have a suggestion. Just take your piece of shit time bomb software and stick into your ass. Looks like you will be more happy if no one but you uses it.

  90. Avoozl says:

    This sounds like the ion3 controversy happening all over again.

  91. a computer hermit says:

    I understand both sides of the issue. A couple of days ago I installed a fresh new Xubuntu 16.04 system: this is a new LTS release, based on Debian's unstable branch. I had multiple issues with screen locking: one was a well known but still not fixed bug, the other one is something new (a Google search found nothing, I will maybe create a bug report) - after some googling I discovered they replaced xscreensaver with some new thing called "light-locker". The solution I selected was to replace light-locker with xscreensaver - and voila, screen locking works the way I want it and the bugs disappeared. So Jamie, thanks for the good work, and it would be a shame if Debian derivatives could not use xscreensaver.

    On the other hand: I used Arch Linux a long time, and its policy is to package the latest release from upstream with as little patching as possible. At first I was amazed with the up-to-date-ness of my system, but then the bugs started to kick in: I found myself in stress that an update may break something in my setup - sometimes it did, and after some time I got tired of workarounds and fixing this. So a distro like Debian, where you have a stable combination of packages and get only security fixes, can save you a lot of headache: you can update without fear that the update will break something, while you still get your security patches.

  92. Nibby Nebbulous says:

    I love that warning. Please, don't ever remove it. It reminds me of your inimitable charm. It just seems to nicely punctuate the monitor on fire next to it.

    Maybe "XSSaaS"? You could make back the cost in micropayments. (I'm imagining a new hack that's a youtube live feed from a DNA cam.) Or a "Complain to the Author" button which redirects to the Changelog and this blog entry?
    Despite this entertaining outpouring, I imagine getting your perhaps most majestic software removed from Debian to be rather unlikely.

  93. Bastiaan says:

    Send a message to Software in the Public Interest, Inc. informing them that from this point on you exempt the Debian project from your license, and ask that they cease distributing xscreensaver immediately.

  94. Bram Cohen says:

    Debian's insistence that stable needs to be run this way because it runs on servers would be a lot more understandable if they didn't recommend it to newbies to run as their desktop.

    • LJenkins says:

      Newbs shouldn't be using Debian for their desktops, unless they're wanting to throw themselves in at the deep end anyway. They should start on Ubuntu, and everyone should be insisting newbs start on Ubuntu.

  95. Melvin says:

    apt-get remove xscreensaver :)

  96. Muhammad Fajar Kurniawan (siskom undip) says:

    Sorry for my bad English,
    I'm using a Raspberry Pi 2 (Raspbian Jessie).

    Open it from your editor
    sample: sudo nano /home/pi/.xscreensaver
    edit "lock=False" to "lock=True", then save

    Solved for me, ty :)

  97. Elizabeth Myers says:

    Just so you know, jwz, Debian has a history of giving a shit what upstream thinks.

    Also, the amount of crap from Debian apologists here is staggering. Serious amounts of autism here. It's shit like this in the Linux community that made me switch to OS X. I'll exchange open source for "not dealing with closed-minded insane autistics" any day, thanks.