Bug#876363: octave fetches network resources when network access disabled

[Mike Miller]

On Thu, Apr 05, 2018 at 15:31:06 +0100, D Haley wrote:
> Do we know if there is a particular commit that upstream applied to fix
> this?

FTR, it was fixed in this upstream commit

https://hg.savannah.gnu.org/hgweb/octave/rev/1265c7f0119a

And this fix is included in the upcoming Octave 4.4 release.

-- 
mike


signature.asc
Description: PGP signature

Bug#876363: octave fetches network resources when network access disabled

[D Haley]

Ah, ignore my last. I had incorrectly read the version numbering - I am
still running the same version as originally reported.

Apologies for the noise.

On 22/09/17 16:53, Mike Miller wrote:
> Control: forwarded -1 https://savannah.gnu.org/bugs/?52090
> 
> On Thu, Sep 21, 2017 at 23:03:57 +0100, D Haley wrote:
>> 1) The GUI should be clear as to what setting the backend is currently
>> using. I think it is a concern that there are two settings that have the
>> capacity to be "out-of-sync".
> 
> I've filed upstream bug https://savannah.gnu.org/bugs/?52090 to resolve
> this in Octave, so at least the settings and their behavior will agree.
> 
> Feel free to participate there, or reply here if you think I got
> something wrong in capturing this problem.
> 
>> 2) From a debian user's/policy perspective, I think the GUI should
>> default to not using a network connection for an application where this
>> might be surprising to an end user. Either querying the user again, or
>> defaulting to false would be best
> 
> I will try to push for upstream to keep the default value to false. A
> compromise position might be to have the first run dialog suggest that
> it be enabled, but if the setting is ever deleted manually or corrupted
> or unable to read in any way, it should always default to disabled.
> 

Bug#876363: octave fetches network resources when network access disabled

[D Haley]

Hi,

> I will try to push for upstream to keep the default value to false. A
> compromise position might be to have the first run dialog suggest that
> it be enabled, but if the setting is ever deleted manually or corrupted
> or unable to read in any way, it should always default to disabled.
> 

I've noticed this problem again on my current octave install. Triggering
it is a little tricky, as it does not always pop up, but perhaps only
launches if there is a change on the remote server.

Do we know if there is a particular commit that upstream applied to fix
this?

Here is the info from my system
$ octave --version
GNU Octave, version 4.0.3
Copyright (C) 2016 John W. Eaton and others.
This is free software; see the source code for copying conditions.
There is ABSOLUTELY NO WARRANTY; not even for MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
...
$ grep allow_web_connection ~/.config/octave/qt-settings
$
$ head ~/.config/octave/qt-settings
[General]
connectOnStartup=true
showMessageOfTheDay=true
showTopic=true
customFileEditor=emacs +%l %f
autoIdentification=false
useProxyServer=false
proxyType=
proxyHostName=none
proxyPort=8080
$
$ apt show octave | head -n  5

WARNING: apt does not have a stable CLI interface. Use with caution in
scripts.

Package: octave
Version: 4.0.3-3
Priority: optional
Section: math
Maintainer: Debian Octave Group 
$

In the QT UI, the "Allow Octave to connect to the Octave web site"
is unchecked, however periodically, I still receive updates from their
remote website (new versions available).

Is it an option to just patch out their network access entirely in the
debian package?

This would seem the much safer route, as accessing a random network
resource on untrusted networks (even if you do have https, which I am
unsure if it is the case), seems non-ideal, and contrary to policy.

Thanks!

Bug#876363: octave fetches network resources when network access disabled

[Mike Miller]

Control: forwarded -1 https://savannah.gnu.org/bugs/?52090

On Thu, Sep 21, 2017 at 23:03:57 +0100, D Haley wrote:
> 1) The GUI should be clear as to what setting the backend is currently
> using. I think it is a concern that there are two settings that have the
> capacity to be "out-of-sync".

I've filed upstream bug https://savannah.gnu.org/bugs/?52090 to resolve
this in Octave, so at least the settings and their behavior will agree.

Feel free to participate there, or reply here if you think I got
something wrong in capturing this problem.

> 2) From a debian user's/policy perspective, I think the GUI should
> default to not using a network connection for an application where this
> might be surprising to an end user. Either querying the user again, or
> defaulting to false would be best

I will try to push for upstream to keep the default value to false. A
compromise position might be to have the first run dialog suggest that
it be enabled, but if the setting is ever deleted manually or corrupted
or unable to read in any way, it should always default to disabled.

-- 
mike


signature.asc
Description: PGP signature

Bug#876363: octave fetches network resources when network access disabled

[D Haley]

Thanks for keeping tabs here, I've been using --force-gui for some time
now, before it was the default. May or may not be a useful tidbit.

> Is it possible the qt-settings file is created by something other than
> Octave on your system?
I've only been using the current debian packages, and nothing special,
so no, I don't think there is any other software altering this file.
I've certainly not been playing with it, and this is a single-user system.

> Do you think there is any remaining issue here, or do you consider this
> resolved by fixing the configuration file on your end?
> 
> Or is the only issue here that the settings dialog implies that the
> missing value defaults to 'false', while the actual behavior is to
> interpret a missing value as 'true'?

I don't think it is resolved  - other people could have the same issue
and not realise. I think there are two points, the first is more
important than the second:

1) The GUI should be clear as to what setting the backend is currently
using. I think it is a concern that there are two settings that have the
capacity to be "out-of-sync".

2) From a debian user's/policy perspective, I think the GUI should
default to not using a network connection for an application where this
might be surprising to an end user. Either querying the user again, or
defaulting to false would be best

Thanks!


On 21.09.2017 22:56, Mike Miller wrote:
> Is it possible the qt-settings file is created by something other than
> Octave on your system? 

Bug#876363: octave fetches network resources when network access disabled

[Mike Miller]

On Thu, Sep 21, 2017 at 19:56:30 +0100, D Haley wrote:
> It looks like the QT UI does not match what happens internally in Octave
> if the line is absent from the file.
> 
> If the line "allow_web_connection=true" is present, then the web
> connection proceeds, and the network tab in settings reflects the setting.
> 
> If the line "allow_web_connection=false" is present, then the web
> connection does not occur, and the network tab in settings reflects the
> setting.
> 
> However, if the line is entirely absent, then the connection is
> established, however *the UI does not show this*. The item in the menu
> for the network connection is unchecked.

Your analysis seems correct to me.

Is it possible the qt-settings file is created by something other than
Octave on your system? Not that this is a bad thing, but it's also not
entirely well-supported, as we've now seen.

The 'news/allow_web_connection' setting has been present and has been
checked since the GUI was first introduced in 3.8.0, so it is not likely
that this was missing due to an upgrade from a previous version. It's
more likely that the qt-settings file was modified outside of Octave or
was created or pre-seeded by some other tool.

Do you think there is any remaining issue here, or do you consider this
resolved by fixing the configuration file on your end?

Or is the only issue here that the settings dialog implies that the
missing value defaults to 'false', while the actual behavior is to
interpret a missing value as 'true'?

-- 
mike


signature.asc
Description: PGP signature

Bug#876363: octave fetches network resources when network access disabled

[D Haley]

P.S. I assume the reason for the line not being present is that it was
not written to the file in an earlier version, and I have upgraded to a
later version which only writes the line when re-creating the file from
scratch.

On 21/09/17 18:04, Mike Miller wrote:
> On Thu, Sep 21, 2017 at 17:58:04 +0100, D Haley wrote:
>> Thanks for getting back so quickly.  That command yields no output (no
>> such line) - the file does however exist.
>>
>> $ grep allow_web_connection ~/.config/octave/qt-settings
>> $
> 
> Ok. That indicates that the setting is not actually being saved. It's
> possible that Octave is not able to save its settings at all. Can you
> check the file permissions and ownership? If you delete the file or move
> it out of the way does it work as expected?
> 

Bug#876363: octave fetches network resources when network access disabled

[D Haley]

Hi,

It looks like the QT UI does not match what happens internally in Octave
if the line is absent from the file.

If the line "allow_web_connection=true" is present, then the web
connection proceeds, and the network tab in settings reflects the setting.

If the line "allow_web_connection=false" is present, then the web
connection does not occur, and the network tab in settings reflects the
setting.

However, if the line is entirely absent, then the connection is
established, however *the UI does not show this*. The item in the menu
for the network connection is unchecked.

Here is the testing I performed:

$ pwd
/home/pcuser/.config/octave
$ ls -l qt-settings
-rw-r--r-- 1 pcuser pcuser 5507 Sep 21 13:52 qt-settings
$ mv qt-settings qt-settings.bak
$ ps augxw | grep -i [o]ctave


$ octave --force-gui




$ grep allow_web_connection ~/.config/octave/qt-settings
allow_web_connection=false
$ octave --force-gui

$ sed -i 's/allow_web_connection=false/allow_web_connection=true/'
qt-settings
$octave --force-gui

$ sed -i 's/allow_web_connection=true//' qt-settings

Bug#876363: octave fetches network resources when network access disabled

[Mike Miller]

On Thu, Sep 21, 2017 at 17:58:04 +0100, D Haley wrote:
> Thanks for getting back so quickly.  That command yields no output (no
> such line) - the file does however exist.
> 
> $ grep allow_web_connection ~/.config/octave/qt-settings
> $

Ok. That indicates that the setting is not actually being saved. It's
possible that Octave is not able to save its settings at all. Can you
check the file permissions and ownership? If you delete the file or move
it out of the way does it work as expected?

-- 
mike


signature.asc
Description: PGP signature

Bug#876363: octave fetches network resources when network access disabled

[D Haley]

Hello,

Thanks for getting back so quickly.  That command yields no output (no
such line) - the file does however exist.

$ grep allow_web_connection ~/.config/octave/qt-settings
$

On 21/09/17 17:55, Mike Miller wrote:
> On Thu, Sep 21, 2017 at 11:50:24 +0100, D Haley wrote:
>> I was a little concerned at this message, as in the settings, the option
>> "Allow Octave to connect to the Octave web site to display current news
>> and information" is unchecked.
> 
> This is troubling, thanks for reporting it.
> 
> I have looked at the code, and the only way the message you quoted can
> appear is indeed if Octave has attempted a web request, either
> automatically at startup, or when the menu item under the News menu.
> 
> Can you verify that the option is actually disabled? What does
> 
> grep allow_web_connection ~/.config/octave/qt-settings
> 
> yield?
> 

Bug#876363: octave fetches network resources when network access disabled

[Mike Miller]

On Thu, Sep 21, 2017 at 11:50:24 +0100, D Haley wrote:
> I was a little concerned at this message, as in the settings, the option
> "Allow Octave to connect to the Octave web site to display current news
> and information" is unchecked.

This is troubling, thanks for reporting it.

I have looked at the code, and the only way the message you quoted can
appear is indeed if Octave has attempted a web request, either
automatically at startup, or when the menu item under the News menu.

Can you verify that the option is actually disabled? What does

grep allow_web_connection ~/.config/octave/qt-settings

yield?

-- 
mike


signature.asc
Description: PGP signature

Bug#876363: octave fetches network resources when network access disabled

[D Haley]

Package: octave
Version: 4.0.3-3
Severity: minor

Dear Maintainer,

I was having some network troubles recently, and I was using octave. A
short time after launching the program (octave --force, I was greeted
with "Octave's community news source seems to be unavailable.  For the
latest news, please check http://octave.org/community-news.html when
you have a connection to the web (link opens in an external browser)."

I was a little concerned at this message, as in the settings, the option
"Allow Octave to connect to the Octave web site to display current news
and information" is unchecked.

So it seems that this may not be being honoured? I can't see how octave
would know that my network was down (at the router level) without
performing a URL request. I admit I have not attempted to locate the
code responsible for this, so apologies if there is a mistake on my part.


Thanks.

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages octave depends on:
ii  libamd2  1:4.5.4-1
ii  libarpack2   3.4.0-1+b1
ii  libasound2   1.1.3-5
ii  libatlas3-base [liblapack.so.3]  3.10.3-1+b1
ii  libblas3 [libblas.so.3]  3.7.0-2
ii  libc62.24-11+deb9u1
ii  libcamd2 1:4.5.4-1
ii  libccolamd2  1:4.5.4-1
ii  libcholmod3  1:4.5.4-1
ii  libcolamd2   1:4.5.4-1
ii  libcxsparse3 1:4.5.4-1
ii  libfftw3-double3 3.3.5-3
ii  libfftw3-single3 3.3.5-3
ii  libfltk-gl1.31.3.4-4
ii  libfltk1.3   1.3.4-4
ii  libfontconfig1   2.11.0-6.7+b1
ii  libfreetype6 2.6.3-3.2
ii  libgcc1  1:6.3.0-18
ii  libgl1-mesa-glx [libgl1] 13.0.6-1+b2
ii  libglpk404.61-1
ii  libglu1-mesa [libglu1]   9.0.0-2.1
ii  libgomp1 6.3.0-18
ii  liblapack3 [liblapack.so.3]  3.7.0-2
ii  liboctave3v5 4.0.3-3
ii  libosmesa6   13.0.6-1+b2
ii  libportaudio219.6.0-1
ii  libqhull72015.2-2
ii  libqrupdate1 1.1.2-2
ii  libqscintilla2-12v5  2.9.3+dfsg-4
ii  libqt4-network   4:4.8.7+dfsg-11
ii  libqt4-opengl4:4.8.7+dfsg-11
ii  libqtcore4   4:4.8.7+dfsg-11
ii  libqtgui44:4.8.7+dfsg-11
ii  libsndfile1  1.0.27-3
ii  libstdc++6   6.3.0-18
ii  libumfpack5  1:4.5.4-1
ii  libx11-6 2:1.6.4-3
ii  octave-common4.0.3-3
ii  texinfo  6.3.0.dfsg.1-1+b2

Versions of packages octave recommends:
ii  default-jre-headless  2:1.8-58
ii  gnuplot-x11   5.0.5+dfsg1-6+deb9u1
ii  libatlas3-base3.10.3-1+b1
ii  octave-info   4.0.3-3
ii  pstoedit  3.70-3+b2

Versions of packages octave suggests:
pn  octave-doc  
pn  octave-htmldoc  

-- no debconf information