Banning QNetworkAccessManager

[Ben Cooksley]

Hi all,

For an extremely long time now, it has been a known issue with the
QNetworkAccessManager that by default it does not follow redirects as
issued by the server it is accessing. This is something the Qt Project
has refused to address using the justification of 'behavioural
compatibility'

This behaviour is contrary to that of just about every other HTTP
stack (with the exception of libcurl from my understanding) and is
behaviour that nobody expects.

As a consequence of this (broken) behaviour, Sysadmin has been
effectively forced to implement workarounds and other compatibility
measures in place to keep applications functional. These measures harm
the long term maintainability of our systems, and sometimes limit our
ability to make services more scalable. In some instances, the cost of
compatibility measures would be too high, resulting in functionality
of applications being broken. I am aware of at least one instance
where if a compatibility measure we maintain is removed, the
application will crash (segfault) during it's operation (a failure
that makes the application unusable)

Prior to now, i've taken the approach of advertising that
QNetworkAccessManager is broken and needs a flag set within
applications when used, however unfortunately this seems to have been
an ineffective approach and cases of broken behaviour continue to
appear (despite this brokeness being known about and advertised since
back in the Qt 4.x series when this class was introduced)

Therefore, given the Qt Project is unlikely to change their position
on this, I would like to propose the following:
1) That effective immediately, QNetworkAccessManager and it's children
classes be banned and prohibited within KDE software, to be enforced
by server side hooks.
2) That we fork QNetworkAccessManager and the associated classes
within the appropriate Framework (to be determined), where the
defective behaviour can then be corrected.

Comments?

Regards,
Ben Cooksley
KDE Sysadmin

Re: Get Hot New Stuff - Legacy Endpoints and Multiple Requests (Discover?)

[Michael Reeves]

There seems to be some sort of ssl certificate issue with autoconfig.kde.org.
On kubuntu this triggers a warning as soon as discover starts that may be a
contributing factor.

On Thu, Jan 30, 2020, 4:20 AM Ben Cooksley  wrote:

> Hi all,
>
> While diagnosing an issue this evening with cdn.kde.org, I noticed
> that we are still getting an extremely large number of requests for
> the legacy OCS/GHNS providers.xml endpoint, which is supposed to only
> exist for compatibility with older applications.
>
> Looking on LXR i've found that a substantial number of our
> applications are still using the old url in their most recent releases
> (see
> https://lxr.kde.org/search?_filestring=&_string=%2Focs%2Fproviders.xml)
>
> All new code should be using autoconfig.kde.org now, and all old code
> should be transitioning to using the new url.
>
> The legacy url is significantly more resource intensive for our
> servers to support and our ability to scale this endpoint is
> substantially more limited when compared with the new endpoint so it
> is important that this is moved over (to the extent Enterprise/Long
> term LTS distributions should be encouraged to patch this)
>
> Additionally, I believe there to be a multiple request bug somewhere
> as this endpoint is being hit approximately 3-4 times in the same
> second for each client we see. Based on the corresponding hit to
> autoconfig.kde.org/discover/featured-5.9.json which happens at the
> same time it is likely the application showing this fault the most is
> Discover.
>
> If we could please get the above all fixed up that would be appreciated.
>
> Thanks,
> Ben
>