[12:17] <BluesKaj> Hi all
[18:10] <Eickmeyer> RikMills: How do you want to tackle the kdesu SRU? I might be able to handle the bug description, and can definitely handle the upload for ubuntustudio-default-settings, it's up to you if you want me to do anything with kubuntu-settings and/or kdesu.
[18:54] <RikMills> Eickmeyer: I would like to handle the bug description and kdesu upload. I am pondering at the moment quite how to word it, hence me not leaping immediately to do it. I will think over the weekend and get it done on Monday
[18:55] <Eickmeyer> RikMills: Ok, that's fair.
[19:01] <RikMills> Eickmeyer: also, fyi: https://salsa.debian.org/qt-kde-team/kde/kdesu/-/merge_requests/3
[19:02] <Eickmeyer> RikMills: Oh, cool. Hopefully they'll actually merge it.
[19:02] <RikMills> if that gets accepted, it will make an Ubuntu SRU more 'palatable'
[19:03] <RikMills> as the debian dev who made the sudo config change seems onboard
[19:03] <Eickmeyer> Yeah, that's great. Also, we got approval from the security team, although it would be nice to get that in the bug report.
[19:04] <Eickmeyer> It would give the SRU more teeth.
[19:04] <RikMills> Yeah, I want to avoid the whole "kdesu works by exploiting a CVE exploit" narrative
[19:05] <RikMills> not only is that a red flag, I am not 100% convinced it is true
[19:05] <Eickmeyer> I mean, it is true, but it's also accidental.
[19:06] <Eickmeyer> I don't for an instant think anybody meant to make it that way.
[19:07] <RikMills> I think it quite possible that the breakage is a coincidental consequence, and not specifically that kdesu relies on the exploit to work
[19:07] <RikMills> i.e. the fix has other consequences
[19:08] <Eickmeyer> Yeah, that could be true too.
[19:08] <RikMills> anyway, I want to try to avoid that being expressed in the SRU
[19:08] <RikMills> hence me thinking hard how to word it
[19:11] <arraybolt3> RikMills: Just throwing this out there, you could say that kdesu is relying on behavior that is sometimes considered unexpected in order to function properly, and that the change in sudo is causing that unexpected behavior to fail, thus resulting in a loss of functionality. (I dunno how SRUs work, this is just a random idea.) Whether kdesu *is* exploiting a CVE on accident, or the CVE fix simply messes something else up, either way the behavior
[19:11] <arraybolt3>  is considered unexpected when the CVE fix is in place, thus why it needs removed.
[19:13] <Eickmeyer> RikMills: Sure, no objection to that.
[19:13] <arraybolt3> (Really, though, I wish someone would just figure out how lxqt-sudo is handling the situation and then change kdesu to match. If I knew C++, I
[19:13] <RikMills> considering I have not yet found another distro with KDE that sets that sudoers config option, I am fairly sure we are on not too shaky ground
[19:13] <arraybolt3> I'd take a swing at it, but...)
[19:14] <RikMills> arraybolt3: I wish my C++ was up to it also ;)