Baggyeyes ([personal profile] baggyeyes) wrote in [community profile] ebooks 2011-11-18 10:32 am

A KDE Dev finds a flaw in Calibre's mount system

A KDE developer discovered a serious security flaw in the way Calibre mounts eBook readers and tablets. The resulting bug list discussion was surprising, to say the least.

http://blog.zx2c4.com/702

I have to say, even though the mount system was removed, I can't say I have much confidence in Calibre's developer right now.

[personal profile] jumpuphigh 2011-11-18 03:44 pm (UTC)
I'm not surprised at Kovid acting badly. He's almost always been a jackass whenever I've encountered him on MobileRead Forums and especially so if there was the slightest whiff of criticism of Calibre or him.

[personal profile] jumpuphigh 2011-11-18 04:24 pm (UTC)
I just finished reading more about it. I'm not surprised at his lack of concern. He has always tended towards being dismissive towards users and other devs with a solid handful of "if you don't like it, build your own" thrown into every conversation.

I'll continue to use it until there is another product out there to replace it or until someone creates a fork and makes it better. I refuse to give him money though when normally I would.

[personal profile] kaiz 2011-11-18 05:08 pm (UTC)
I'll continue to use it until there is another product out there to replace it or until someone creates a fork and makes it better. I refuse to give him money though when normally I would.

Exactly this.

[personal profile] valiha 2011-11-18 08:14 pm (UTC)
Oh man, yes! And everyone else always jumps in defense of calibre every time there's a criticism leveled at it. My favorite is that I don't have a right to complain since it's a free program. Since when? I especially dislike this line on the FAQ page:

The whole point of calibre's library management features is that they provide a search and sort based interface for locating books that is much more efficient than any possible directory scheme you could come up with for your collection. [emphasis added]

No "in my opinion", no "I believe", nothing. So he believes that there is no person alive who could come up with a better scheme. What does he think we all are, stupid?

[personal profile] jumpuphigh 2011-11-19 09:35 am (UTC)
What does he think we all are, stupid?

Yes.

Also, I really hate how Calibre organizes its library. It is not how I would do it at all.

[personal profile] valiha 2011-11-19 02:19 pm (UTC)
Right now I just use it to convert my fics, although I dislike how it adds css styling to each and every single paragraph. What's the point of that?

[personal profile] valiha 2011-11-19 05:57 pm (UTC)
Windows, and I'd be interested in finding a good alternative for conversion as well.

[personal profile] valiha 2011-11-19 06:24 pm (UTC)
I'm familiar with Sigil and have used it extensively, but it doesn't convert several fics automatically: you can import a single html file, insert images and chapter breaks and save as epub, or you can build an epub yourself. It will recognize any mistakes in coding you make and correct them, but it's not made for bulk conversions. It's mostly for checking and correcting pre-existing epubs. It's been a long time since I used eCub, but I think it also can do only one book at a time.

The advantage of calibre is the multiple files conversion (and stripping DRM through use of plugins). That is the one thing I can't give up on, since the time I can set aside for editing and converting my fics is extremely limited. I will check Stanza Desktop, thank you for the link, and if it can do that, I'll be very happy using it.

[personal profile] jumpuphigh 2011-12-18 02:18 am (UTC)
I cannot tell you how many times in the past week I've opened the Calibre files on my computer looking for something and wanted to bang my head on a wall. Then, I remember your comment and take a deep breath.

Seriously? In what library system in the entire world are things organized by an author's first name?

[personal profile] valiha 2011-12-18 05:31 pm (UTC)
I can only take calibre in small doses. I import files, do a few conversions, send to disk under my own organization, then remove the books from calibre. I simply cannot get over its features enough to be able to use it as a library management program. If most everyone agrees that this is a flaw in my own make up, so be it. But there are enough people like me that I feel confident in knowing that my way is not wrong, simply different.

So let those who seem to have an intuitive grasp on this program continue using it with joy, and we'll find some other way of handling our files.

[personal profile] purplecat 2011-11-18 04:10 pm (UTC)
I can't say that Calibre has ever struck me as a particularly well designed/implemented product (though Sigil which I also use occasionally for ebook creation is far, far worse). I've been hoping it will gradually improve as many open source projects do, but this doesn't look hopeful.

[personal profile] purplecat 2011-11-18 04:59 pm (UTC)
Some of the* recent versions of Calibre on the Mac have had a definite memory leak type problem, so it isn't just the interface. It's a shame it really seems to be the only game in town in terms of converting fanfic into epub format. I'd love to know if there are any good Mac/Sony compatible alternatives to it for that task.

*it must be said I've not tried installing any of the latest updates because of this problem, so it may have been fixed.

[personal profile] trialia 2011-11-18 04:19 pm (UTC)
Ugh. I'm so glad I don't use Calibre in my Linux installation - only on Windows. Sigh.

[personal profile] zvi 2011-11-19 03:50 am (UTC)
Do you use another program in Linux, or do you not manage your ebooks in Linux? If you do use another program, what do you use?

[personal profile] scribblesinink 2011-11-18 05:03 pm (UTC)
Can someone explain in Really Small Words what the problem with Calibre is and what that means for the average user?

I do get the bit about the response from Calibre's developer, which is... not what you'd expect it to be when someone reports a bug, but the rest of it could just as well have been written in Klingon for me.

[personal profile] purplecat 2011-11-18 05:08 pm (UTC)
I'm not an expert but my understanding was that if you install Calibre yourself on a number of Linux distributions (and possibly if it comes pre-installed on some as well - that wasn't clear, certainly a lot of the big ones have obviously bypassed the bug in the versions they ship with the OS) then, potentially, a malicious person or piece of software that managed to access your user account could run calibre and then use it to access root and thereby do no end of damage to your entire operating system set up etc. etc.

So basically it allows someone or something to bypass the safety net you have by not allowing user accounts to have root privileges.
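Purplecat's explanation describes the essential problem: a program that an ordinary user account can run but that does part of its work with root rights, so that anyone or anything able to run it as that user may be able to cross into root. The usual form of such a program on Linux is a setuid-root executable. As an added example, not code from this thread, from calibre, or from the linked write-up, the following POSIX shell functions let an administrator list the setuid files under a directory tree and compare them against a saved baseline, which is the routine check worth running after installing third-party software by hand. The directory paths, the baseline file and the function names list_setuid, list_setuid_root, count_setuid and unlisted_setuid are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from calibre): audit setuid files.
# Assumes POSIX find(1), grep(1), wc(1) and tr(1).

# Print every regular file under directory $1 that has the setuid bit set.
# "-perm -4000" matches files whose mode includes the setuid bit (04000).
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Same, but only files owned by root: these run with root rights for
# whoever can execute them, which is exactly the boundary purplecat describes.
list_setuid_root() {
    find "$1" -type f -perm -4000 -user root 2>/dev/null
}

# Print the number of setuid files under directory $1.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Print setuid files under $1 that do not appear (one path per line) in the
# baseline file $2. A new entry after installing a package is what an
# administrator wants to notice. grep -v exits 1 when it prints nothing,
# which is not an error here, hence "|| true".
unlisted_setuid() {
    list_setuid "$1" | grep -v -x -F -f "$2" || true
}

# Usage (paths are assumed): save a baseline once, re-check after each install.
#   list_setuid /usr > /var/tmp/setuid.baseline
#   unlisted_setuid /usr /var/tmp/setuid.baseline
```

A baseline taken right after a clean OS install, and re-checked after every manual installation, turns a quiet setuid helper into something the administrator sees immediately; the distribution packages purplecat mentions typically pass this check because their packaging policies forbid unreviewed setuid binaries.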

[personal profile] scribblesinink 2011-11-18 05:19 pm (UTC)
Oh, thank you! Yes, this I can understand :)

[personal profile] stormcloude 2011-11-18 09:14 pm (UTC)
This only affects people running Linux? Mac and Windows users are unaffected?

[personal profile] jumpuphigh 2011-11-19 09:34 am (UTC)
It affects a specific build of Linux. (Is that what they are called? I'm not a Linux user.) So if you use Mac or Windows, it doesn't affect you.

(Anonymous) 2011-12-18 01:56 am (UTC)
Calibre is extremely user friendly and massively flexible. It allows production of all the target types I'm likely to want, including direct input of lots of parameters that many would waste days experimenting with and still not get to work. If the problem only exists for Linux, then 'No Probs' as far as I'm concerned. Sorry the author has been unco-operative, but the problem only arose because he tried to get it to do so much.

For someone preparing fairly straightforward books, Calibre and its advice pages very carefully take you round all the hassles with graphics and the TOC, and even though it doesn't undertake to be an ideal 'first input' processor, only a handler, it's still brill for creation. OK, you might not like its handling flavour or in one case its security, but it's the best thing that's hit ebook production that I've seen.

As for eCub, this comment..

http://www.mobileread.com/forums/archive/index.php/t-47559.html

...mirrors my thoughts exactly, except I'd have expressed them more harshly. I'd never consider anything from that stable now. After my experience with the truly pathetic eCub, I was praying that something like Calibre would turn up, and amazingly it did.

[personal profile] jumpuphigh 2011-12-18 02:16 am (UTC)
*tilts head*
*squints*

Nope. Still can't figure out what this comment has to do with my answering [personal profile] stormcloude's questions. Did you mean to reply to my comment or to the post as a whole?

[personal profile] valiha 2011-12-18 05:22 pm (UTC)
There are two things I find troubling with this comment:

1. the author thinks that since this issue is limited to Linux it's not a problem as far as they are concerned, and

2. they seem to think that the problem is that users don't like its security, but that shouldn't matter because it's the best thing for ebook production in years.

Point one, I'm far from an expert, and I've only ever used Windows, but I'm hearing about Linux as a replacement for Windows more and more and not just in academic circles where I work, but as home use systems. Paired with the fact that calibre is the most popular ebook management and conversion system, that means home users might come across this problem.

Point two, as far as I'm concerned, it doesn't matter whether a program is pure gold in its design, implementation, whatever of everything else, if it exposes my computer to security issues, I would remove it without having a second thought about possibly losing the rest of its functionality. There's nothing that's as important to me as online security, and if I have to manually convert the enormous amounts of fic I've collected over the years, then by God I'll do it.

And I have to add this:

it would be really nice of you if you would sign your post if you don't have a Dreamwidth account and you're not willing to comment with an OpenID account. I've never been shy of expressing my opinions (favorable or not) under my own username, either here or at MobileRead, and will continue to do so.

Plus, if you've familiarized yourself with calibre and its help pages, you would know that the author of the program spells its name in lowercase.