Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-24 Thread Dan Armbrust
 Kevin Krammer
 Weird, I seem to have backed up my email and browser form completion data
 without actually knowing where these programs store them.
 But maybe Okular's data is so different that I would escape the same backup
 procedure that works for other programs. Time will tell.

Go ahead.  I challenge you.  Fill out a random PDF form using Okular.
Make a backup of said filled out form.  Now, let's see you open that
backup copy with the data fields intact, on another computer.  Maybe
better yet.  Task your mother or father with this if they are
available.  Let's see how they do.

As far as other programs' documentation... hmm, let's see.  This list
took about 20 seconds to find:
https://support.google.com/chrome/bin/answer.py?hl=en&answer=142893
http://support.mozilla.org/en-US/kb/Form-autocomplete
http://windows.microsoft.com/en-US/windows7/Fill-in-website-forms-and-passwords-automatically-in-Internet-Explorer-9

Show me where Okular has documented this.  (good luck)

 If you say so. My experience suggests that people do quite well understand
 that anything not explicitly saved does not alter an opened document.
 I believe that some people even rely on that, e.g. temporarily changing
 something (e.g. for printing) and then closing the program to ensure a kind of
 complete undo.

Umm... which is your argument?  That it is saved, or that it isn't?
Because if the user didn't click save, Okular shouldn't store the data
anywhere.  But it does.  And if the user were to use the save as
button, they would expect that to save their data, when in fact, it
doesn't.  And your notion of having a complete undo doesn't work
with Okular either.  Because if you open a form, there is no
temporarily changing anything.  As soon as you change a field, it
saves those changes to disk.  There is no undo via closing the form
without clicking save the way any normal user would expect it to work.
That is my biggest concern with how the feature works now.

User opens up a PDF file from their flash drive on a computer.  Fills
in some fields.  Prints it.  Closes the PDF without ever clicking
save.  The user would expect that the data that they typed in should
not be saved anywhere.  Yet, Okular just stored it away on that
computer.

And X days later, when someone else shows up with a PDF file that has
the same name, Okular will just dump the previous person's data
directly into their form.

 That was why I suggested just shutting it off.  Or redirecting it to
 /dev/null.

 That second suggestion makes little sense now, does it?

Actually, it still makes perfect sense.  If you don't like that
suggestion, there are others that are just as easy:

Add a simple question (remember your answers for these fields yes/no?),
Move the file storing location to be the folder that contains the form
being opened... (and oh, by the way, if that location happens to be
the system temp folder, disable the feature),

They should default to the most secure, least surprising behavior
unless the user requests otherwise.  The principle of least surprises,
as it were.

Because I was sure as hell surprised when I found my tax return
information magically re-filling a blank form I had just downloaded,
when I _knew_ that my filled out tax form was stored in an encrypted
volume that wasn't even mounted at the time.

The feature is a disservice to the users of Okular as the
maintainers have no notion of handling users' data safely and properly.
And given the type of data that is frequently entered into PDF forms,
that is just unacceptable.

 But the maintainers of Okular refuse to even talk about
 it.

 Hence the suggestion of trying a less confrontational approach. Obviously
 the approach used in the past didn't work out so well.

About 5 other people have reported the issue in less confrontational
ways in the past 2 years.  They were all ignored.  And I'd hardly call
my approach confrontational.  More, sheer amazement that they don't
seem to be able to grasp that their design of this feature was so bad.

After I got over my initial shock, I've posted several followups with
reasonable, low work suggestions which could alleviate the issue.  But
they are too busy feigning insult to want to do anything about it.

I appreciate that you are willing to talk about the issue.  I think
you even agree that it's not a good way to handle users' data.  I was
hoping that someone from KDE would recognize a security issue when
they saw one, and ask the okular maintainers to spend the 15 minutes
it would take them to put in something, anything, to address the
issue.  It's not a question of developer resources.  Many of the
potential fixes are dead-simple trivial.

An end user like me just shouldn't have to work this hard to report a
security / data privacy issue.  The handling by the Okular developers
has been like a 2 year old with a temper tantrum from the beginning.

This bug, for example:  https://bugs.kde.org/show_bug.cgi?id=267350
has had no involvement by me.  3 different people 

Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-24 Thread John McCabe-Dansted
On Tue, Jan 17, 2012 at 9:15 PM, Duncan 1i5t5.dun...@cox.net wrote:
 I think the real solution is to fix poppler to store the annotations in
 the Document according to the PDF standard  (and use one of the adhoc
 tricks to store annotations in PS files). This is what every user
...
 You're probably right, but AFAIK poppler isn't a kde developed library.
 So in that case the bug should be RESOLVED/UPSTREAM.  Meanwhile, anything
 okular could do without that functionality would remain off-standard, and
 poppler's lack of the feature might explain why okular did its own
 workaround.

Now that Okular supports printing forms, one workaround would be to
have a convenient Print To PDF option under Save As. You presumably
wouldn't be able to edit the form further after using this though.

 So I guess that's another out for the okular folks if they want to take
 it, simply point to upstream, and say they'll consider support for doing
 it the standard way once poppler implements the standard functionality
 for them to use.  Meanwhile, they can continue to handle it how they do
 (no change) or possibly do something with ksecrets or the like.  But in

When Okular is used as a web plugin for Konqueror, it would make sense
to keep the current behaviour, and inherit settings from the
web browser, I guess.

-- 
John C. McCabe-Dansted
___
This message is from the kde mailing list.
Account management:  https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-23 Thread Kevin Krammer
On Monday, 2012-01-23, Dan Armbrust wrote:
  If storing data to prefill form fields would be considered malware,
  people would have a hard time browsing the Internet since malware
  removal tools would have deinstalled all incarnations of browsers
  already.
 
 One minor point.  A PDF viewer is not a web browser.  It's much more like
 a document editor.  That is how users expect it to behave - like other
 document editors.

I disagree. A PDF viewer is primarily a viewer (might be a reason that's part 
of the name). Due to all the interactivity added to the web IMHO even more so 
than browsers.

Even Adobe has a different product for editing PDFs. Their viewer is called 
Adobe Reader for a reason.

 Don't you suppose folks would find it a little unsettling if
 LibreOffice just silently saved anything you typed into it, without
 asking, in a hidden location, every time you even opened a document
 with it?
 
 Because that is exactly what Okular does.

And what every browser and other programs with form like fields do.
E.g. my email program saves recently used email addresses, I heard other email 
programs do that as well.

 I only brought the web browsers into the conversation to point out that
 other software that stores user data for auto-form filling always
 gives the user control over said data.

And I brought web browsers into the conversation to point out that form 
completion is a widely accepted feature in spite of it requiring storing user 
input detached from the actual document.

And I believe I wrote several times that their implementation of said feature 
should be considered a role model, i.e. allowing to clear cached input and/or 
allowing to deactivate.

 My take is that asking for a more secure implementation of a feature,
 especially since there are role models for how that works, has magnitudes
 more chances of being considered worth while than asking for removal of
 a feature that is considered useful by others in spite of not ideal
 implementation.
 
 And another point.  Nobody has stepped forward to defend the current
 feature.

And why would that be necessary?

 Because the feature, in its current form is almost
 completely useless.  The only possible thing I can think of that it
 does is not lose your work if you close Okular, go out to lunch, then
 come back and continue working.  But storing your work - aka - filled
 form data for any significant amount of time?  No.  It's useless.

Interesting. As I said I've not used Okular to fill forms but I find that 
feature to be generally very useful when filling web forms.

I am actually pretty certain I would find it useful for PDF forms as well. I 
have such a form for reimbursement request for certain expenses last time I 
had to use it Okular couldn't fill forms yet. I would certainly find it an 
improvement not to have to retype name and account details all the time.

But I can see this being of limited use if you only ever fill forms only once 
in your lifetime.

 You don't even know where it stored it.

Where does your browser store its completion data?
How well documented is that location?

 You can't back it up.

Weird, I seem to have backed up my email and browser form completion data 
without actually knowing where these programs store them.
But maybe Okular's data is so different that I would escape the same backup 
procedure that works for other programs. Time will tell.

 It doesn't even _tell_ you that it didn't actually put the data into
 the form.  You won't find out until you send the document to a
 coworker, and they tell you it is blank.  The only thing this feature
 will lead to is a horrible user experience.

If you say so. My experience suggests that people do quite well understand 
that anything not explicitly saved does not alter an opened document.
I believe that some people even rely on that, e.g. temporarily changing 
something (e.g. for printing) and then closing the program to ensure a kind of 
complete undo.

 That was why I suggested just shutting it off.  Or redirecting it to
 /dev/null.

That second suggestion makes little sense now, does it?

 But the maintainers of Okular refuse to even talk about
 it.

Hence the suggestion of trying a less confrontational approach. Obviously 
the approach used in the past didn't work out so well.

 So,  here we are, 2 years later, with it still behaving in the
 same brain-dead way.

From what I gathered it is behaving quite ok. Sure, it could do better on the 
security/privacy front by incorporating features found in browsers' 
implementations but it seems to do its purpose of putting text into empty 
fields based on previous user input to said fields.

Cheers,
Kevin

-- 
Kevin Krammer, KDE developer, xdg-utils developer
KDE user support, developer mentoring



Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-22 Thread Kevin Krammer
On Tuesday, 2012-01-17, Duncan wrote:
 Kevin Krammer posted on Sun, 15 Jan 2012 18:08:31 +0100 as excerpted:
  On Sunday, 2012-01-15, Dan Armbrust wrote:
   Hmm. Most software with autocompletion support does that. E.g.
   browsers,
   email programs.
  
  They also ask your permission first.
  
  Interesting. Neither Konqueror, Firefox, KMail or Thunderbird have asked
  me whether I wanted to store form data.
  Can you attach a screenshot of an application asking that?
 
 I don't know about asking, but it's a preferences setting.

I was mainly puzzled by the fact that there are obviously applications asking 
for it versus just being a switchable preference.

Would be interesting to see what that question looks like.

 There's also
 the private browsing or whatever the app decides to call it, mode,
 where everything (cookies, form completion, browsing history, etc) is
 forgotten, tho that normally has to be specifically toggled on.

Indeed, hence the suggestion to pursue a form completion data handling similar 
to those examples.

  And they have an off switch.
  And, they definitely don't autocomplete fields which are known to
  contain private info - aka - passwords.  Unless you go through another
  dialog telling it to remember the password.  And they give you a menu
  option to clear it.  And, most browsers now have a don't remember
  anything mode.
  
   Okular has none of those.
  
  Right, hence the recommendation to lobby for an implementation doing
  that.
 
 Actually, I wonder if this idea could get a bit more traction in view of
 the new ksecrets thing?

Unlikely, this is just a new implementation of already existing functionality. 
The currently proposed KSecret API is also still a bit weird ;-)

 That's where I'd try to take it at this point, since ksecrets IS new and
 shiny and fascinating! =:^)

Not from an application developer's point of view, sorry :-)

   However I don't see any facts supporting the claim of virus like
   behavior.
  
  Hiding users' data without permission and without the users' knowledge
  certainly is virus like behavior.
  
  No, virus behavior is attaching itself with the purpose of distribution
  and spreading.
  I don't think Okular is doing either.
 
 It seems he's using virus not in the technically narrow virus sense,
 but in the broader malware sense, inclusive of trojans, etc.

If storing data to prefill form fields would be considered malware, people 
would have a hard time browsing the Internet since malware removal tools would 
have deinstalled all incarnations of browsers already.

 While
 okular really can't be considered a virus in the technically narrow sense
 (as you pointed out), certainly, the argument here is that it's behaving
 like a trojan, so if one accepts an extremely fuzzy definition of virus
 that really means something more like malware in general.

I am still not convinced. How does Okular behave like a trojan? What is the 
function it is pretending to do in order to hide the function it was designed 
to do and which function would that be?

   I would recommend lobbying for secure storage of form completion data
   like other form completing programs do.
  
  I doubt it would help.
  
  I wouldn't be so sure.
 
 Same here, particularly with the new ksecrets angle to explore.  If I
 were an okular dev I think I might jump on this one just for the
 opportunity to play with that!  =:^)

My take is that asking for a more secure implementation of a feature, 
especially since there are role models for how that works, has magnitudes more 
chances of being considered worth while than asking for removal of a feature 
that is considered useful by others in spite of not ideal implementation.

 BTW, Kevin, any wild guess or informed opinion on how long kde4 will
 continue with the semi-annual feature updates, given kde5 in the wings?

My guess is at least 4.10 but I find even 4.11 likely.
An important fact here is that while during KDE4 times the split of names or 
terminology around KDE products was mostly cosmetic, KDE5 will very likely 
make actual use of the new disambiguation.

The current work on KDE frameworks is not only a matter of making KDE 
libraries less interdependent, it also serves as a starting point for 
separation of development cycles.

I.e. it is almost certain that there will be a release of KDE frameworks 
before any of the KDE application products are rebased onto them.
Some application developers will of course start to port earlier, e.g. when 
technology preview releases become available, but that will largely depend on 
specific API usages of those apps (applications using fewer APIs or only very 
core APIs can expect fewer changes between a TP release and the final one).

 Of course as others have said, I expect kde5 to be a rather minor deal
 compared to kde4, and that it'll be handled rather better.

An extremely important difference IMHO is that while there will be some changes 
in implementation (e.g. due to 

Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-22 Thread Dan Armbrust
 If storing data to prefill form fields would be considered malware, people 
 would
 have a hard time browsing the Internet since malware removal tools would have
 deinstalled all incarnations of browsers already.

One minor point.  A PDF viewer is not a web browser.  It's much more like
a document editor.  That is how users expect it to behave - like other
document editors.
Don't you suppose folks would find it a little unsettling if
LibreOffice just silently saved anything you typed into it, without
asking, in a hidden location, every time you even opened a document
with it?

Because that is exactly what Okular does.

I only brought the web browsers into the conversation to point out that
other software that stores user data for auto-form filling always
gives the user control over said data.

My take is that asking for a more secure implementation of a feature,
especially since there are role models for how that works, has magnitudes more
chances of being considered worth while than asking for removal of a feature
that is considered useful by others in spite of not ideal implementation.

And another point.  Nobody has stepped forward to defend the current
feature.  Because the feature, in its current form is almost
completely useless.  The only possible thing I can think of that it
does is not lose your work if you close Okular, go out to lunch, then
come back and continue working.  But storing your work - aka - filled
form data for any significant amount of time?  No.  It's useless.  You
don't even know where it stored it.  You can't back it up.  You can't
tie it to the actual document you were working on.  You can't send it
to anyone else.  The feature does more harm than good.  It would be
better if it didn't even give the illusion of allowing you to save
data typed into form fields - because it doesn't.

It doesn't even _tell_ you that it didn't actually put the data into
the form.  You won't find out until you send the document to a
coworker, and they tell you it is blank.  The only thing this feature
will lead to is a horrible user experience.

That was why I suggested just shutting it off.  Or redirecting it to
/dev/null.  But the maintainers of Okular refuse to even talk about
it.  So,  here we are, 2 years later, with it still behaving in the
same brain-dead way.


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-22 Thread Duncan
Kevin Krammer posted on Mon, 23 Jan 2012 01:43:30 +0100 as excerpted:

 My guess is at least 4.10 but I find even 4.11 likely.
 An important fact here is that while during KDE4 times the split of
 names or terminology around KDE products was mostly cosmetic, KDE5
 will very likely make actual use of the new disambiguation.
 
 The current work on KDE frameworks is not only a matter of making KDE
 libraries less interdependent, it also serves as a starting point for
 separation of development cycles.

Thanks.  I had read hints about kde5 and seen mentions of kde frameworks, 
but really had little clue on kde5 and about zero on frameworks, so your 
answers and informed opinion here gave me quite a bit to chew on.

Meanwhile, the educated guess about 4.10 almost certainly and 4.11 
probably... at least gives me enough feel of the situation so I don't 
feel quite as out there speculating about say 4.11 as a time-frame.  It 
seems your feel for where 4.x goes in terms of versioning isn't /that/ 
far from where I was thinking, since 4.10 seemed reasonably safe, and 
4.11 a good chance, tho I suspect (as I think I said) that the 6-month 
releases may slow a bit by the time it comes out as the focus switches to 
5/frameworks.

And the point about the 3->4 dcop/dbus switch (among other service changes 
in that version bump) not reoccurring with 4->5/frameworks makes sense.  I 
had seen the same general point expressed before, but your wording of it 
seemed clearer, either because I /had/ seen the point before so you got 
the benefit of repetition, or because it /was/ clearer, I can't rightly 
say which.  Actually probably some of both!  =:^)

Beyond that, there's enough new there that as I said, I'll have to chew a 
bit to absorb it, tho at this point I'm inclined to say I agree with what 
I understand of it so far.  Thanks again! =:^)

-- 
Duncan - List replies preferred.   No HTML msgs.
Every nonfree program has a lord, a master --
and if you use the program, he is your master.  Richard Stallman



Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-17 Thread John McCabe-Dansted
On Tue, Jan 17, 2012 at 8:39 AM, Duncan 1i5t5.dun...@cox.net wrote:
 Actually, I wonder if this idea could get a bit more traction in view of
 the new ksecrets thing?  That'd play off the whole fascination with the
 new and shiny technology thing, instead of being seen as the drudge-work
 that hooking up to kwallet or just implementing an ordinary don't-save
 option and clear-saved button.

I think the real solution is to fix poppler to store the annotations
in the Document according to the PDF standard  (and use one of the
adhoc tricks to store annotations in PS files). This is what every
user expects, and would allow them to email the PDF, open the PDF in
standard PDF readers and annotation software, etc.

 That's where I'd try to take it at this point, since ksecrets IS new and
 shiny and fascinating! =:^)

In other words, not an existing standard for storing PDF annotations :P.

-- 
John C. McCabe-Dansted


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-17 Thread Duncan
John McCabe-Dansted posted on Tue, 17 Jan 2012 19:18:58 +0800 as
excerpted:

 On Tue, Jan 17, 2012 at 8:39 AM, Duncan 1i5t5.dun...@cox.net wrote:
 Actually, I wonder if this idea could get a bit more traction in view
 of the new ksecrets thing?  That'd play off the whole fascination with
 the new and shiny technology thing, instead of being seen as the
 drudge-work that hooking up to kwallet or just implementing an ordinary
 don't-save option and clear-saved button.
 
 I think the real solution is to fix poppler to store the annotations in
 the Document according to the PDF standard  (and use one of the adhoc
 tricks to store annotations in PS files). This is what every user
 expects, and would allow them to email the PDF, open the PDF in standard
 PDF readers and annotation software, etc.
 
 That's where I'd try to take it at this point, since ksecrets IS new
 and shiny and fascinating! =:^)
 
 In other words, not an existing standard for storing PDF annotations :P.

You're probably right, but AFAIK poppler isn't a kde developed library.  
So in that case the bug should be RESOLVED/UPSTREAM.  Meanwhile, anything 
okular could do without that functionality would remain off-standard, and 
poppler's lack of the feature might explain why okular did its own 
workaround.

So I guess that's another out for the okular folks if they want to take 
it, simply point to upstream, and say they'll consider support for doing 
it the standard way once poppler implements the standard functionality 
for them to use.  Meanwhile, they can continue to handle it how they do 
(no change) or possibly do something with ksecrets or the like.  But in 
view of the standard, were I an okular dev, I'd be hesitant to develop a 
whole ksecrets infrastructure, just to tear it out when poppler grew 
support for that bit of the standard, which would favor okular keeping 
pretty much what it has as it has it, until then.  So RESOLVED/UPSTREAM 
would seem to be an appropriate solution to the okular bug, at this 
point, telling the filer to reopen when upstream supports the standard.

-- 
Duncan - List replies preferred.   No HTML msgs.
Every nonfree program has a lord, a master --
and if you use the program, he is your master.  Richard Stallman


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-16 Thread Duncan
Kevin Krammer posted on Sun, 15 Jan 2012 18:08:31 +0100 as excerpted:

 On Sunday, 2012-01-15, Dan Armbrust wrote:
  Hmm. Most software with autocompletion support does that. E.g.
  browsers,
  email programs.
 
 They also ask your permission first.
 
 Interesting. Neither Konqueror, Firefox, KMail or Thunderbird have asked
 me whether I wanted to store form data.
 Can you attach a screenshot of an application asking that?

I don't know about asking, but it's a preferences setting.  There's also 
the private browsing or whatever the app decides to call it, mode, 
where everything (cookies, form completion, browsing history, etc) is 
forgotten, tho that normally has to be specifically toggled on.

While I consider this is a good thing and would appreciate the option in 
okular as well, it's not something that fits well with the previously 
chosen example of a public kiosk, library computer, or other shared 
computer (my folks worked at a mission in El Salvador for awhile; 
everybody shared the same computer and could read email, etc, unless it 
was web-based, but of course then if the browser is set to save cookies 
and remember form-fills...), since because in most cases it doesn't 
prompt every time, a user accustomed to using a private computer and not 
worrying about it isn't likely to realize the danger and verify settings 
on a public computer, either.

I wonder how many facebook/myspace/twitter/etc users have had their 
accounts hacked simply thru use of a friend's computer or one at the 
library, and being careless about the remember me settings, etc, that 
most sites have (that usually control the site's cookie settings) on 
their logins?  Not to mention banks...  Sure, a responsible kiosk 
operator will have setup responsible settings, but then again, it could 
be argued that a responsible kiosk operator would wipe or entirely reimage 
between users, as well.  There's a lot of users caught-out that way, I'm 
sure.

So yes, I agree an option would be nice, and having a clear-data function 
would be EXCELLENT, but I don't believe the kiosk example was 
particularly apropos, given the commonly accepted behavior of most 
browsers, etc, extended to the same kiosk example.  

 And they have an off switch.
 And, they definitely don't autocomplete fields which are known to
 contain private info - aka - passwords.  Unless you go through another
 dialog telling it to remember the password.  And they give you a menu
 option to clear it.  And, most browsers now have a don't remember
 anything mode.
  Okular has none of those.
 
 Right, hence the recommendation to lobby for an implementation doing
 that.

Actually, I wonder if this idea could get a bit more traction in view of 
the new ksecrets thing?  That'd play off the whole fascination with the 
new and shiny technology thing, instead of being seen as the drudge-work 
that hooking up to kwallet or just implementing an ordinary don't-save 
option and clear-saved button.

That's where I'd try to take it at this point, since ksecrets IS new and 
shiny and fascinating! =:^)

  However I don't see any facts supporting the claim of virus like
  behavior.
 
 Hiding users' data without permission and without the users' knowledge
 certainly is virus like behavior.
 
 No, virus behavior is attaching itself with the purpose of distribution
 and spreading.
 I don't think Okular is doing either.

It seems he's using virus not in the technically narrow virus sense, 
but in the broader malware sense, inclusive of trojans, etc.  While 
okular really can't be considered a virus in the technically narrow sense 
(as you pointed out), certainly, the argument here is that it's behaving 
like a trojan, so if one accepts an extremely fuzzy definition of virus 
that really means something more like malware in general.  While I would 
have certainly chosen malware or trojan instead of virus, here, 
with a suitably fuzzy definition, I do see his point.

That said, while I see his position and certainly agree that a don't save 
data option and clear saved data button would be useful, I certainly 
don't consider it a problem on the order of, say, konqueror not having 
proper security certificate management for two years after kde was 
declared ready for ordinary users with 4.2... (finally fixed in 4.6, IIRC) 
in an era with both internet banking and the compromise of entire 
certificate authorities!  That was a FAR more serious breach of the 
public trust, IMO, while this one's an it would be nice thing, a rather 
vast difference in priority.  As I've stated before, the it's only a 
toy, use a real browser if it matters attitude toward konqueror is one 
of the big reasons I switched to firefox.

  I would recommend lobbying for secure storage of form completion data
  like other form completing programs do.
 
 I doubt it would help.
 
 I wouldn't be so sure.

Same here, particularly with the new ksecrets angle to explore.  If I 
were an okular dev I think I might jump on this one just 

Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-15 Thread Kevin Krammer
On Saturday, 2012-01-14, Dan Armbrust wrote:
 On Fri, Jan 13, 2012 at 11:06 AM, Kevin Krammer kevin.kram...@gmx.at wrote:
  When introducing a new party to a conversation, in this case the KDE
  user mailinglist, it is usually very helpful to provide context to said
  new party.
  
  When the discussion has happened on one mailinglist so far, a good way to
  do that is to provide a link to the discussion start in the original
  mailinglist's archive.
 
 Apologies, I thought I included the kde list in the initial posts,
 which had the summary info.  It must not have gone through.

Ah, I see. Thanks for the links.

 In short, if you:
 
 Download a PDF.  Fill in personal information.  Print it.  Close it.
 Never once even hitting save...
 
 Okular dumps every bit of data that you typed into a clear text file
 in a hidden directory.  At a minimum, it's really bad behavior.  At
 worst, on say, a library terminal, it is opening up every unsuspecting
 user to having their information stolen.

Hmm. Most software with autocompletion support does that. E.g. browsers, email 
programs.
So my guess is that the completion data is not stored in kwallet, like e.g. 
for Konqueror?

 There is no warning, notice, or any such clue within Okular that it is
 doing this.

 It's a pretty basic user-interface paradigm that you shouldn't store
 data like that without the user's permission.

Well, I've to admit I've never seen any program doing that. When I fill in 
forms in e.g. Firefox or Konqueror, it doesn't say anything along those lines 
either, but when I am filling in the same form later again, it somehow can 
propose reasonable values for certain fields. So my guess is it also stores my 
previous input somewhere.
Hopefully locally like Okular and not uploading to the server!

 Especially in an application that handles PDF files, which are used
 for private and personal stuff all the time.

See above. At least most of my online bookings contain personal data. How do 
you handle those cases?

Anyway, I agree that the completion data should probably be saved in an 
encrypted file, e.g. KWallet, instead of plain text to mitigate the exposing 
data in case the security of the user's local storage is compromised.

However I don't see any facts supporting the claim of virus like behavior.
IMHO that sounds a bit like trying to trigger an emotional rather than a 
rational response in readers of that posting, which ultimately tends to hurt 
the cause more than it helps.
E.g. other supporters of the cause might find out they have been tricked and 
withdraw their support in spite of still being concerned about core issues.

I would recommend lobbying for secure storage of form completion data like 
other form completing programs do.

Cheers,
Kevin
-- 
Kevin Krammer, KDE developer, xdg-utils developer
KDE user support, developer mentoring


___
This message is from the kde mailing list.
Account management:  https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.

Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-15 Thread Dan Armbrust
 Hmm. Most software with autocompletion support does that. E.g. browsers, email
 programs.

They also ask your permission first.  And they have an off switch.
And, they definitely don't autocomplete fields which are known to
contain private info - aka - passwords.  Unless you go through another
dialog telling it to remember the password.  And they give you a menu
option to clear it.  And, most browsers now have a "don't remember
anything" mode.  Okular has none of those.

 However I don't see any facts supporting the claim of virus like behavior.

Hiding users' data without permission and without the user's knowledge
certainly is virus like behavior.  If they didn't click save, you
shouldn't save.  It's pretty simple.

 I would recommend lobbying for secure storage of form completion data like
 other form completing programs do.

I doubt it would help.  The feature is so mis-conceived from the
get-go that it serves almost no purpose.  There is almost no point in
storing form data for Form A in randomly named File B.  If you even
rename file A, Okular gets confused and can no longer associate the
data from File B with Form A.  Don't even think about trying to send
Form A to another person... it doesn't work.  The only way it could be
properly implemented is to store the data in the actual PDF file,
where it belongs.  But that is hard.  So it seems unlikely that it
will ever be implemented in the near future.

The only sane thing to do is to turn the feature off.  At least by
default.  At least give the user some control over it.  Which I
suggested 2 years ago.  And here we _still_ are.


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-15 Thread Kevin Krammer
On Sunday, 2012-01-15, Dan Armbrust wrote:
  Hmm. Most software with autocompletion support does that. E.g. browsers,
  email programs.
 
 They also ask your permission first.

Interesting. Neither Konqueror, Firefox, KMail or Thunderbird have asked me 
whether I wanted to store form data.
Can you attach a screenshot of an application asking that?

 And they have an off switch.
 And, they definitely don't autocomplete fields which are known to
 contain private info - aka - passwords.  Unless you go through another
 dialog telling it to remember the password.  And they give you a menu
 option to clear it.  And, most browsers now have a "don't remember
 anything" mode.  Okular has none of those.

Right, hence the recommendation to lobby for an implementation doing that.

  However I don't see any facts supporting the claim of virus like
  behavior.
 
 Hiding users' data without permission and without the user's knowledge
 certainly is virus like behavior.

No, virus behavior is attaching itself with the purpose of distribution and 
spreading.
I don't think Okular is doing either.

 If they didn't click save, you
 shouldn't save.  It's pretty simple.

Well, even some document creation applications are moving to an autosave 
approach. I am not aware of any application with autocompletion fields which 
asked whether to save the autocompletion data.
But again my own experience is limited to the applications I use, which are KDE 
and Mozilla programs.

  I would recommend lobbying for secure storage of form completion data
  like other form completing programs do.
 
 I doubt it would help.

I wouldn't be so sure. Securely storing form completion data is what lots of 
other programs do, so I find it likely that moving from a plain text storage to 
an encrypted storage would find support especially among users of that 
feature, while asking for removal will not.

 The feature is so mis-conceived from the get-go that it serves almost no 
purpose.

Hmm. I haven't used Okular's implementation yet but generally I find form 
completion support to be rather useful. I used it all the time when filling in 
web forms or completing email addresses.

 There is almost no point in
 storing form data for Form A in randomly named File B.

Right, hence the suggestion to ask for an implementation using standard form 
completion storage solutions, e.g. on KDE that would be KWallet.

 If you even
 rename file A, Okular gets confused and can no longer associate the
 data from File B with Form A.

Right, using URIs works better for web sites. File A's SHA1 hash might be 
sufficiently unique though.

 Don't even think about trying to send
 Form A to another person... it doesn't work.  The only way it could be
 properly implemented is to store the data in the actual PDF file,
 where it belongs.  But that is hard.  So it seems unlikely that it
 will ever be implemented in the near future.

Right, I would consider that an additional feature.
Treating the current document more as a template for creating a new document.
Such a feature should probably deploy explicit saving since it changes the 
document at hand.

 The only sane thing to do is to turn the feature off.  At least by
 default.  At least give the user some control over it.  Which I
 suggested 2 years ago.  And here we _still_ are.

My guess is that asking for deactivation or removal of a feature cherished by 
other users and found in other form displaying programs will always be met 
with more resistance than asking for an improved implementation, e.g. how 
browsers do it.

Cheers,
Kevin

-- 
Kevin Krammer, KDE developer, xdg-utils developer
KDE user support, developer mentoring
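
The keying trade-off discussed in the message above, worked through as an added example (not part of the original thread and not Okular's code). The name-only key is an assumed model of the behaviour reported in the thread; the directory names, file names and form bytes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def key_by_name(pdf):
    """File name only: an assumed model of the behaviour reported in the thread."""
    return Path(pdf).name


def key_by_path(pdf):
    """Absolute location as a file:// URI, the analogue of a web form's URI."""
    return Path(pdf).resolve().as_uri()


def key_by_sha1(pdf):
    """SHA-1 over the file's bytes, as proposed in the reply."""
    digest = hashlib.sha1()
    with open(pdf, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


SCHEMES = {"name": key_by_name, "path": key_by_path, "sha1": key_by_sha1}

# Constructed stand-in for a blank form; only its bytes matter here.
BLANK_FORM = b"%PDF-1.4 constructed blank form\n"


def evaluate(scheme, workdir):
    """Return (survives_rename, copies_kept_separate) for one keying scheme."""
    keyfn = SCHEMES[scheme]
    base = Path(workdir) / scheme
    mine = base / "mine" / "form.pdf"
    theirs = base / "theirs" / "form.pdf"
    for pdf in (mine, theirs):
        pdf.parent.mkdir(parents=True)
        pdf.write_bytes(BLANK_FORM)

    store = {keyfn(mine): {"name": "Person A"}}   # first person fills in a copy

    # A second person opens an untouched copy in another directory.
    copies_kept_separate = keyfn(theirs) not in store

    # The first person renames their file and reopens it.
    renamed = mine.with_name("form-2011.pdf")
    mine.rename(renamed)
    survives_rename = keyfn(renamed) in store
    return survives_rename, copies_kept_separate


def compare(workdir):
    """Evaluate every scheme in its own subdirectory of workdir."""
    return {name: evaluate(name, workdir) for name in SCHEMES}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (rename_ok, separate) in compare(tmp).items():
            print(f"{name:5} survives_rename={rename_ok} copies_separate={separate}")
```

A content hash survives a rename, but two untouched copies of the same blank form hash identically, so one person's values would still be offered in the other person's copy. None of the three keys gives both properties.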



Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-15 Thread Martin (KDE)
Am 15.01.2012 18:08, schrieb Kevin Krammer:
 On Sunday, 2012-01-15, Dan Armbrust wrote:
 Hmm. Most software with autocompletion support does that. E.g. browsers,
 email programs.

 They also ask your permission first.
 
 Interesting. Neither Konqueror, Firefox, KMail or Thunderbird have asked me 
 whether I wanted to store form data.
 Can you attach a screenshot of an application asking that?

Microsoft's Internet Explorer is doing it. The first time you start
editing a field it asks if the data should be stored. Usually the user says
yes and will never be asked again. I am not sure if there is a hint
where data are stored and what problems may be involved by this.

Regards
Martin



Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-15 Thread David
It is an important issue. Especially in countries protecting personal
data by law, like Spain for example, where the law says personal data belongs
to the person it refers to instead of the company or program having it.
Despite it being free software I think it should be fair at least
protecting that data or warning the user about this issue.
On Jan 15, 2012 7:31 PM, Martin (KDE) k...@fahrendorf.de wrote:

 Am 15.01.2012 18:08, schrieb Kevin Krammer:
  On Sunday, 2012-01-15, Dan Armbrust wrote:
  Hmm. Most software with autocompletion support does that. E.g.
 browsers,
  email programs.
 
  They also ask your permission first.
 
  Interesting. Neither Konqueror, Firefox, KMail or Thunderbird have asked
 me
  whether I wanted to store form data.
  Can you attach a screenshot of an application asking that?

 Microsoft's Internet Explorer is doing it. The first time you start
 editing a field it asks if the data should be stored. Usually the user says
 yes and will never be asked again. I am not sure if there is a hint
 where data are stored and what problems may be involved by this.

 Regards
 Martin


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-14 Thread Lydia Pintscher
On Fri, Jan 13, 2012 at 16:03, Dan Armbrust
daniel.armbrust.l...@gmail.com wrote:
 Dan, I understand you are frustrated. But this here doesn't help to
 solve the problem. In fact it makes it a lot less likely that Albert
 or one of the other Okular developers will work on it. So ultimately
 you are hurting your case.
 Now let's move this forward constructively, please. There are several
 ways to do this:
 * Work on it yourself if you have the skills.
 * Convince someone else to work on it.
 * Wait until Albert or one of the other Okular developers finds time
 for it. I am sure they have registered by now that this is important
 to you.


 Cheers
 Lydia
 --
 Lydia Pintscher
 KDE Community Working Group / KDE e.V. board member
 http://kde.org - http://about.me/lydia.pintscher


 I'm really sorry that no one reading this thread seems to be able to
 comprehend the dis-service that KDE and Okular are doing to their
 users.

 Okular is behaving almost as badly as a virus.

Again: It's obvious you are frustrated, Dan. But this isn't helping us
all solve the issue here.

 This should be treated as a security issue.  And it should be handled
 as one.  And fixed.  Quickly.

http://www.kde.org/info/security/ has details about security issues
and their handling in KDE.

 Instead, we have Albert denying that it is a problem... or, ignoring
 it, since hey,  there are all of these other ways that people could
 steal data, what harm will one more do?
 Even if someone else fixed it, he probably wouldn't accept the patch,
 since he considers it a feature.

Did you ask if he'd accept a patch by someone else?

 This bug doesn't impact me.  Because I uninstalled Okular 2 years ago,
 when I discovered the problem.

 This bug impacts everyone else that ever uses Okular - they just don't
 know it.  So, I'm advocating for them, since no one else seems to
 care.

All of us here care about KDE. There are however _a lot_ of things to
care about in KDE. Too many of them in fact. This particular issue is
higher on your list than Albert's. That doesn't in itself make either
of you a bad person.

 I reported this issue to the developers two years ago.
 I even suggested a number of ways that it could be addressed.
 The most trivial of fixes would have taken a developer about 2 minutes
 - simply turn off the damn feature - or redirect it to /dev/null.
 But, no one will turn it off.

I assume there is a reason for that?

 So, we remain at a stalemate.  With Okular behaving like a virus.  And
 Albert calling it a feature.  No one else with the power to fix it
 cares, and the users get the shaft.

Please leave out the rhetoric. Then we can actually try to move this
forward. I'm trying to help you here.


Cheers
Lydia

-- 
Lydia Pintscher
KDE Community Working Group / KDE e.V. board member
http://kde.org - http://about.me/lydia.pintscher

Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-13 Thread Chuck Burns

On 1/13/2012 9:03 AM, Dan Armbrust wrote:

Dan, I understand you are frustrated. But this here doesn't help to
solve the problem. In fact it makes it a lot less likely that Albert
or one of the other Okular developers will work on it. So ultimately
you are hurting your case.
Now let's move this forward constructively, please. There are several
ways to do this:
* Work on it yourself if you have the skills.
* Convince someone else to work on it.
* Wait until Albert or one of the other Okular developers finds time
for it. I am sure they have registered by now that this is important
to you.


Cheers
Lydia
--
Lydia Pintscher
KDE Community Working Group / KDE e.V. board member
http://kde.org - http://about.me/lydia.pintscher


I'm really sorry that no one reading this thread seems to be able to
comprehend the dis-service that KDE and Okular are doing to their
users.

Okular is behaving almost as badly as a virus.

This should be treated as a security issue.  And it should be handled
as one.  And fixed.  Quickly.

Instead, we have Albert denying that it is a problem... or, ignoring
it, since hey,  there are all of these other ways that people could
steal data, what harm will one more do?
Even if someone else fixed it, he probably wouldn't accept the patch,
since he considers it a feature.

This bug doesn't impact me.  Because I uninstalled Okular 2 years ago,
when I discovered the problem.

This bug impacts everyone else that ever uses Okular - they just don't
know it.  So, I'm advocating for them, since no one else seems to
care.

I reported this issue to the developers two years ago.
I even suggested a number of ways that it could be addressed.
The most trivial of fixes would have taken a developer about 2 minutes
- simply turn off the damn feature - or redirect it to /dev/null.
But, no one will turn it off.

So, we remain at a stalemate.  With Okular behaving like a virus.  And
Albert calling it a feature.  No one else with the power to fix it
cares, and the users get the shaft.

What a sad state.
Dude.. if you spent half as much time submitting a patch, as you did 
complaining about the issue, it would be fixed yesterday..


Quit complaining, you aren't paying for this software. Fix it yourself, 
or stop using it.


No one cares just because you want to whine like a spoiled little brat.




Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-13 Thread Dan Armbrust

 Dude.. if you spent half as much time submitting a patch, as you did
 complaining about the issue, it would be fixed yesterday..

 Quit complaining, you aren't paying for this software. Fix it yourself, or
 stop using it.

 No one cares just because you want to whine like a spoiled little brat.

Same goes to the developers.  They could have fixed it in about 2
minutes, 2 years ago.

If you actually read the e-mails in this thread, you would see that I
have stopped using it.

I'm continuing to make noise about it because Okular is exposing
personal data of every other unsuspecting user that ever touches it.

The developers of Okular don't seem to care.  Perhaps someone higher
up at KDE who understands a security issue when they see one, will.


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-13 Thread Kevin Krammer
When introducing a new party to a conversation, in this case the KDE user 
mailinglist, it is usually very helpful to provide context to said new party.

When the discussion has happened on one mailinglist so far, a good way to do 
that is to provide a link to the discussion start in the original 
mailinglist's archive.

On Friday, 2012-01-13, Dan Armbrust wrote:
  Dude.. if you spent half as much time submitting a patch, as you did
  complaining about the issue, it would be fixed yesterday..
  
  Quit complaining, you aren't paying for this software. Fix it yourself,
  or stop using it.
  
  No one cares just because you want to whine like a spoiled little brat.
 
 Same goes to the developers.  They could have fixed it in about 2
 minutes, 2 years ago.
 
 If you actually read the e-mails in this thread, you would see that I
 have stopped using it.
 
 I'm continuing to make noise about it because Okular is exposing
 personal data of every other unsuspecting user that ever touches it.

Assuming that was the reason for including this support mailing list, having 
basically no information about the problem does more harm than good.

Given the tiny pieces of information so far (exposing personal data) I have 
to assume that Okular is attaching some kind of user input history to 
documents?

Is it attaching itself (behaving like a virus) to the document?

 The developers of Okular don't seem to care.  Perhaps someone higher
 up at KDE who understands a security issue when they see one, will.

You mean the Okular maintainer?
No idea who that currently is but did that person participate in the 
discussion on the Okular list?

Cheers,
Kevin

-- 
Kevin Krammer, KDE developer, xdg-utils developer
KDE user support, developer mentoring



Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-13 Thread Dan Armbrust
On Fri, Jan 13, 2012 at 11:06 AM, Kevin Krammer kevin.kram...@gmx.at wrote:
 When introducing a new party to a conversation, in this case the KDE user
 mailinglist, it is usually very helpful to provide context to said new party.

 When the discussion has happened on one mailinglist so far, a good way to do
 that is to provide a link to the discussion start in the original
 mailinglist's archive.

Apologies, I thought I included the kde list in the initial posts,
which had the summary info.  It must not have gone through.

Here is the bug report in question:
https://bugs.kde.org/show_bug.cgi?id=267350

I also reported this to the developer list about 2 years ago:
http://mail.kde.org/pipermail/okular-devel/2010-February/006386.html

In short, if you:

Download a PDF.  Fill in personal information.  Print it.  Close it.
Never once even hitting save...

Okular dumps every bit of data that you typed into a clear text file
in a hidden directory.  At a minimum, it's really bad behavior.  At
worst, on say, a library terminal, it is opening up every unsuspecting
user to having their information stolen.

There is no warning, notice, or any such clue within Okular that it is
doing this.

It's a pretty basic user-interface paradigm that you shouldn't store
data like that without the user's permission.

Especially in an application that handles PDF files, which are used
for private and personal stuff all the time.


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-10 Thread Dan Armbrust
On Tue, Jan 10, 2012 at 3:56 PM, Albert Astals Cid aa...@kde.org wrote:


 Want me to unsubscribe you from the list? Reached this point in what the only
 thing you want to do is harass me I think it is the only sensible thing to do.

 Albert


Now _there_ is a mature response.  Users report a serious data
security issue with product.  Developers stick their fingers in their
ears and go "la la la".

Users get annoyed with developers, toss a mild insult their way to get
their attention, and developers just silence the users.  Go back to
sticking their fingers in their ears and going "la la la".

The _sensible_ thing for you to do is say "Thanks for reporting this
security issue!  Sorry we missed it / didn't think about that."

Instead, you continue to pretend the problem doesn't exist.

Any computer in the world that is configured as a public terminal
- say - in a library - where people download tax forms, fill them in
and print them continues to dump people's personal data into a clear
text file, without their knowledge or authorization.  And anyone else
can come along and take that information.

Good job.  Hope you are proud of yourselves.  If you get satisfaction
over ejecting me from the mailing list for pointing out the absurdity
of your position, have fun.


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-10 Thread Dan Armbrust
 Sorry, I can't say that, I know it exists, I've known it for ages, I just
 don't feel it is the next thing I have to do in my life (next thing is getting
 my Kindle and reading some stuff), if you think it is important, do it
 yourself or get some money and hire someone to fix it, I know a few KDE devels
 willing to take money to fix stuff.

So, you have proven that you don't take a security issue seriously.
Are there any other developers that do?

The easy fix is to disable this feature until it can be redeveloped
with some thought about proper handling of people's data.

But I can't seem to convince Albert that this is anything more than a
run-of-the-mill bug, or even a feature request.

 Any computer in the world that is configured as a public terminal
 - say - in a library - where people download tax forms, fill them in
 and print them continues to dump people's personal data into a clear
 text file, without their knowledge or authorization.  And anyone else
 can come along and take that information.

 This is free software and as you can read in the GPLv2 license "This program
 is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
 without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE."

Yeah.  I'm sure that will make the victims of identity theft feel a lot better.


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-10 Thread John McCabe-Dansted
On Wed, Jan 11, 2012 at 7:44 AM, Dan Armbrust
daniel.armbrust.l...@gmail.com wrote:
 So, you have proven that you don't take a security issue seriously.

To be fair, fixing this bug wouldn't stop sensitive information
appearing in swap. Sensitive information also has a tendency to appear
in /tmp and /var as well. The EFF recommends full disk encryption,
which would stop this appearing in clear text anywhere.

 The easy fix is to disable this feature until it can be redeveloped
 with some thought about proper handling of people's data.

IIRC, last time I used this feature it wouldn't let me print the
annotations, and due to the policy of storing the annotations in a
non-standard format other pdf annotation software couldn't recover my
annotations. I ended up printing a screenshot. Having a warning that
this annotation feature was likely to eat my homework and dump it in
an unencrypted partition would've been nice.

-- 
John C. McCabe-Dansted


Re: [kde] [Okular-devel] [Bug 267350] filling out a PDF form saves data to some file i ~/.kde/share/apps/okular/docdata/

2012-01-09 Thread Dan Armbrust
On Wed, Jan 4, 2012 at 11:26 PM,  jordon...@gmail.com wrote:
 https://bugs.kde.org/show_bug.cgi?id=267350

--- Comment #1 from Jackson Peacock pickled kde pepperedpeacock org  
2011-04-04 03:11:36 ---
I just noticed the same issue. I had stored some filled out forms on an
encrypted drive. I ran into a bug where the fields I entered weren't
being displayed after being saved (not even an empty field). I figured the file
had been corrupted so I copied the original blank form over the filled out one.
When I opened it all the information I had entered into the form was there
despite the file having been overwritten. After looking around I found it had
been written to .kde/share/apps/okular/docdata - on an unencrypted drive. This
was quite startling to me and not what I expected.

I can understand if there are limitations to the PDF format that prevent you
from storing the data in the PDF file itself, however you should at least
inform the user of where the data is being stored before writing it.
Preferably, it should be stored in the same directory as the PDF as well.

--- Comment #2 from Jackson Peacock pickled kde pepperedpeacock org  
2011-04-10 20:04:21 ---
Another limitation of doing it this way is that it appears impossible to have
multiple copies of the same form filled out differently, even if saved in
different directories. For example, I filled out my tax forms, and then created
a new directory with the copied blank forms to do my girlfriend's taxes.
However, when I opened them they had my value stored in them.

The workaround was to rename the forms and then edit them, but it would match
user expectations better if each copy of the form had its own set of values.

Finally, I do think the priority on this bug should be higher as it relates to
user privacy/security.
 --- Comment #3 from  jordonwii gmail com  2012-01-05 05:26:15 ---
 Agree with #2. I know the devs are aware of this because there are other 
 issues
 regarding the opening files and having the form remain being filled out
 (intentional feature). However, unsure if they are aware of the security
 implications of this. Developers have any comment?


I, and several others have pointed this out to the developers of
okular nearly 2 years ago.

They are blind, naive, and dare I say foolish.  They call this a
feature and refuse to acknowledge that it creates security holes all
over the place.  They have shown no desire to even take the report
seriously.

http://mail.kde.org/pipermail/okular-devel/2010-February/006386.html

Meanwhile, anyone that has ever used okular to fill out a form with
sensitive information has had that information dumped, in clear text,
onto whatever computer they happened to be using.  Without their
knowledge, or permission.

KDE shouldn't even include this program until they fix this.

It's a bad, bad, bad design.  Shame on the okular developers for
continuing to ignore the problem.
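
For administrators of shared or public machines, an audit-and-cleanup sketch for the directory named in the bug report, added here as an example (not part of the original thread and not Okular's code). It makes no assumption about the side files' names or format; the sample home directory, file names and contents are constructed.

```python
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Directory named in the thread, relative to a user's home directory.
DOCDATA_REL = Path(".kde/share/apps/okular/docdata")


@dataclass
class Finding:
    path: Path
    size: int
    mode: int                  # permission bits, e.g. 0o644
    readable_by_others: bool   # group or world read bit set
    age_days: float


def audit_docdata(home, now=None):
    """Describe every regular file directly inside <home>/<DOCDATA_REL>."""
    now = time.time() if now is None else now
    root = Path(home) / DOCDATA_REL
    findings = []
    if not root.is_dir():
        return findings
    for entry in sorted(root.iterdir()):
        st = entry.lstat()     # lstat: symlinks are skipped, never followed
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        findings.append(Finding(
            path=entry,
            size=st.st_size,
            mode=mode,
            readable_by_others=bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            age_days=(now - st.st_mtime) / 86400.0,
        ))
    return findings


def harden_docdata(home):
    """Set the directory to 0700 and its files to 0600; return changed paths."""
    root = Path(home) / DOCDATA_REL
    changed = []
    if not root.is_dir():
        return changed
    if stat.S_IMODE(root.stat().st_mode) != 0o700:
        root.chmod(0o700)
        changed.append(root)
    for f in audit_docdata(home):
        if f.mode != 0o600:
            f.path.chmod(0o600)
            changed.append(f.path)
    return changed


def purge_docdata(home, older_than_days=0.0, now=None):
    """Unlink files at least this old; return removed paths.

    unlink() only drops the name; the blocks stay on disk until reused.
    """
    removed = []
    for f in audit_docdata(home, now=now):
        if f.age_days >= older_than_days:
            f.path.unlink()
            removed.append(f.path)
    return removed


def build_constructed_home(base, now=None):
    """Create a throwaway home with two constructed side files for a dry run."""
    now = time.time() if now is None else now
    home = Path(base) / "home-constructed"
    root = home / DOCDATA_REL
    root.mkdir(parents=True)
    for name, mode, age in (("constructed-a.xml", 0o644, 10),
                            ("constructed-b.xml", 0o600, 0)):
        p = root / name
        p.write_text("constructed sample: name=Jane Example\n")
        p.chmod(mode)
        os.utime(p, (now - age * 86400, now - age * 86400))
    return home


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        home = build_constructed_home(tmp)
        for f in audit_docdata(home):
            print(f"{f.path.name} mode={f.mode:o} "
                  f"others_can_read={f.readable_by_others} age={f.age_days:.1f}d")
        print("hardened:", [p.name for p in harden_docdata(home)])
        print("purged:", [p.name for p in purge_docdata(home, older_than_days=7)])
```

Tightening permissions only protects against other accounts. On a terminal where everyone shares one login, as in the library scenario raised in the thread, purging at the end of each session is the part that matters.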