JUN
2
2006

How Dapper LTS Succeeded To Spoil CUPS Printing (Part One -- The Prelude)

Yesterday (K)Ubuntu Dapper was released. The final version. I'm sure it is a great release, and most users will find it highly satisfactory for all their needs.

However, this blog is not all huggin' 'n luvin' for Dapper. It is a rant. I want this to be a wake-up call. It will sound negative to most of you. So be it....

Two months ago I blogged about Dapper's printing problems which had shown up in the various beta- and pre-releases.

Seems this is not fixed in the final. Because also yesterday, I received 3 phone calls and 2 written messages from customers or other people (one found me via my "Open Business Club" profile where I had signed up 2 weeks ago... heh) whom I gave paid or unpaid support in the past. All of them told me that Dapper had printing problems; the problems appear regardless of whether you run it from the Live CD or wether it is installed onto the harddisk.

Now, I did not have a current Dapper downloaded yet. So I could not verify myself. One of my contacts (he just had a fresh install from the Live CD completed) offered me to let me ssh in remotely so that I could have a closer look at the problem. But, alas!, no ssh login was possible. The openssh-server package seems to not be installed by default. WTF?? How are community or professional support people supposed to help Dapper users if it is not possible to remotely log into the system??

Anyway, the story continues. I was able to step the guy (he is rather new to systems belonging to the ${debian} family) through the process of apt-get install-ing an SSH daemon onto his system, so I could poke a bit at it. I didn't have much time, but these 10 minutes were enough to inflict a cold fury into my brain. How careless did the Dapper printing packager(s) put their stuff into the system!

Back in January, they insisted to gamble Dapper's printing capabilities onto CUPS-1.2. CUPS-1.2 was not yet even in Beta at the time, and there had not yet even been announced any binding release schedule. So they used an arbitrary SVN checkout (it was the then current revision "r4929"). That's risky, in case CUPS 1.2 was not released in time for Dapper's maiden voyage. But that's also OK -- after all, if it works out, all users will benefit, right?

However, I regard it as irresponsible behaviour to include bleeding edge software into a distro release, and then not care about its well-behaviour. Bleeding edge shipments just for the sake of sporting a higher version in the Distrowatch comparison charts is silly.

I had expected that one of the maintainers really dives into the new CUPS code, or at least into its new feature set, makes himself familiar with it, and creates a default CUPS configuration that gives Dapper users the best CUPS experience they could hope for. I'd somehow expect that they would subscribe to the CUPS.org mailing lists, ask questions, discuss how to take advantage of CUPS' new stuff and in general keep current with developments. Is that an unreasonable expectation?

Nothing of this happened. Yes, you could say, they were short of time and overloaded with work. I can sympathize with that; it's what happens to all of us FOSS activists. However, I do not sympathize with the maintainers patching CUPS 1.2 away from its default setup as provided by CUPS.org, and then leave that work half finished and in big parts un-usable! Guys, please: if you...

  • ...have enough "Knowhow" and confidence (or should I say arrogance?) to deplete me of features that you regard as a "security risk"
  • ...and have enough time to patch the default CUPS web interface to tell me you changed its behaviour away from its default

...then I expect you to at least do a complete job. And a complete job would involve for you...

  • ...to know what actually are the new features of CUPS, and how to enable and use (and how to disable) them
  • ...to fully document your changes and provide a working HOWTO to restaure all features you've taken away from your users

I got a preliminary suggestion to make to you: If you can't deliver that, or if don't have time to follow through, just don't make your hands dirty at all! Don't then change stuff away from what CUPS ships as default setup. Leave it as is. Package that, and be done!

Someone made me aware of a recent Dot comment. I think especially one paragraph nails the issue on its head...

...and I'll quote it here:
"We all remember the rant of ESR, which he (wrongly) directed towards CUPS developers, when he was unable to configure his home printer because the RedHat printer config tool did mess up what CUPS itself would have done just fine... Is this another opportunity to flame Mike Sweet and the CUPS.org folks, just because their marvellous work gets spoiled by overshooting distro "experts" who make Linux unusably secure and safe??"

Now I'm just waiting for the Kubuntu Dapper CD download to complete. Once that's done, I can verify if my sources were right with what they said about Dapper+CUPS printing. I'll let you know about my further findings. This blog series will continue over the (long) weekend....

Comments

Seems dapper is pretty broken. They also shipped amaroK so it by default can't play music.


By Allan Sandfeld at Fri, 06/02/2006 - 14:01

What happened is that they did not include MP3 playback by default. There are instructions here: https://wiki.kubuntu.org/RestrictedFormats for getting that part up and running. Ogg plays fine by default.


By pedahzur at Fri, 06/02/2006 - 18:41

It seems at some point they did put a disclaimer in. I'm running Kubuntu Dapper, with everything up to date, and on localhost:631, there is this notice:

"Administrative commands are disabled in the web interface for security reasons. Please use the GNOME CUPS manager (System > Administration > Printing). /usr/share/doc/cupsys/README.Debian.gz describes the details and how to reenable it again."

That file will tell you this:

- Administration over the web interface is disabled by default since it
requires the CUPS daemon to be able to read /etc/shadow. If you want to
enable web administration with shadow passwords (authentication type
'basic'), put the user cupsys into group shadow by

adduser cupsys shadow

as root.

Only users who are in group 'lpadmin' can administrate printers (using
gnome-cups-manager, lpadmin or any other frontend but the web
interface). To allow printer administration to user joe, put him into
this group by executing

adduser joe lpadmin

(again as root).

And since the signers on that file are both @debian.org addresses, this would seem to be a Debian decision, not an Ubuntu one.

BTW, the version that I currently show installed on my Kubuntu system is 1.2.0-0ubuntu5, so it seems they went for the full release version. /usr/share/doc/cupsys/README reports Cups 1.2.0 - 2006-05-08, as does the web interface (the 1.2.0 part).


By pedahzur at Fri, 06/02/2006 - 18:50

> And since the signers on that file are both @debian.org addresses,
> this would seem to be a Debian decision, not an Ubuntu one.

Nope, this is not a decision taken by the Debian maintainers (and the fact that users can be lead to think so makes me and other Debian developers unhappy, but who cares).

This is easy to prove: as the cupsys 1.2.0-0ubuntu5 changelog reflects, that version of the Ubuntu package is based on Debian's 1.1.99.rc2-0exp1 version, targetted at the experimental branch of our distribution. If we diff the README.Debian files:

% wget http://snapshot.debian.net/archive/2006/04/17/debian/pool/main/c/cupsys/cupsys_1.1.99.rc2-0exp1_i386.deb
% wget http://ubuntu.inode.at/ubuntu/pool/main/c/cupsys/cupsys_1.2.0-0ubuntu5_i386.deb
% diff -u <(dpkg --fsys-tarfile cupsys_1.2.1-0exp1_i386.deb | tar xO ./usr/share/doc/cupsys/README.Debian.gz | zcat) <(dpkg --fsys-tarfile cupsys_1.2.0-0ubuntu5_i386.deb | tar xO ./usr/share/doc/cupsys/README.Debian.gz | zcat)

--- /proc/self/fd/11    2006-06-03 17:55:31.510707500 +0200
+++ /proc/self/fd/19    2006-06-03 17:55:31.526708500 +0200
@@ -239,6 +239,24 @@
    If you'd like to change this, you can modify by using
    "PidFile <filepath>" directive at your /etc/cups/cupsd.conf.

+ - Administration over the web interface is disabled by default since it
+   requires the CUPS daemon to be able to read /etc/shadow.  If you want to
+   enable web administration with shadow passwords (authentication type
+   'basic'), put the user cupsys into group shadow by
+
+       adduser cupsys shadow
+
+   as root.
+
+   Only users who are in group 'lpadmin' can administrate printers (using
+   gnome-cups-manager, lpadmin or any other frontend but the web
+   interface).  To allow printer administration to user joe, put him into
+   this group by executing
+
+       adduser joe lpadmin
+
+   (again as root).
+
 Enjoy!

  -- Jeff Licquia <[email protected]> and Kenshi Muto <[email protected]>

The explanations about how to re-enable web-based authentication are clearly Ubuntu's addition.

Nothing else,
Adeodato Simó <[email protected]>


By bugmenot at Sat, 06/03/2006 - 16:00

Thanks, Adeodato,

for clearing up that point.

I believe it is quite a strange thing for Ubuntu/Canonical/Dapper packagers to do what they've done.

It is also not very honest and open, if you ask me! Why don't they put their changes into a separate "/usr/share/doc/cupsys/README.Ubuntu.gz" file???

They could sign that with their own names, and not make it look like Jeff Liquia had committed that crime against usability and functionality!

Cheers + Thanks,
Kurt


By Kurt Pf. at Mon, 06/05/2006 - 21:35

Pedahzur,

of *course* I noticed the part you call "disclaimer"; I am mentioning the "patched CUPS web interface" for precisely that reason.

My main point about it is that the instructions contained in the "README.*" don't work! Adding user "cupsys" to the "shadow" group and adding user "ubuntu" to the "lpadmin" group still didn't let adding of printers via the web interface work.

[ I'm not even saying much about the "Please use GNOME CUPS manager...." part in *K*ubuntu (where that thing surely isn't present) -- but have you actually *tried* it? Did it work? I challenge you to try it in action and proof me wrong, not reading out a README to me which doesn't work... ]


By Kurt Pf. at Sat, 06/03/2006 - 19:52

I have Breezy (Hubuntu 5.10) and I have to use the webinterface for a specific task (no other frontend can do what I want) but I can't login. I type in my username+password but it does not work!
My user IS in the group lpadmin and cupsys IS in th egroup shadow. Whats wrong, damnit?


By Mathias Panzenböck at Thu, 06/15/2006 - 16:10

I've no Breezy available to check. Please paste the result of

  grep -v ^# /etc/cups/cupsd.conf | grep -v ^$  

to some pasting service (such as http://kubuntu.pastebin.com/ :-> ), and tell me the URL. (The command strips all comments and empty lines from the cupsd.conf file.) I'll have a look.

Which operation is it that asks for a password when you are trying to perform it? What is that specific task that no other frontend can do?


By Kurt Pf. at Fri, 06/23/2006 - 23:18

This discussion is of good help to me. I was much confused with Dapper new version. As usually in the beginning you have no clear idea of what you have and how to use it but when you learn it's enjoy))


By clyopa at Thu, 08/23/2007 - 08:55