X.Org Libraries Hit By Round Of Security Issues


  • #16
    Kill X with fire and focus the same amount of effort in making Wayland a reality. How many man-years are wasted on patching up X, which is a technology dating back as long as most people here have been alive?

    After the worst legacy stack (x) is replaced, maybe the community can get together and write a replacement for glibc, which is by this point the second most legacy&defect by design stack in use almost everywhere.



    • #17
      Running Debian Squeeze (oldstable) and they were available pretty quick.

      @varikonniemi: Consider this comment (quoted without attribution in van Sprundel's presentation), and then consider that Wayland uses XKB, as do so many new projects:
      Shoot me now. And then shoot Daniels for not freeing us from XKB yet.
      And then shoot anyone who volunteers to try to fix XKB, before it's too late for them too.



      • #18
        Originally posted by varikonniemi
        Kill X with fire and focus the same amount of effort in making Wayland a reality. How many man-years are wasted on patching up X, which is a technology dating back as long as most people here have been alive?

        After the worst legacy stack (x) is replaced, maybe the community can get together and write a replacement for glibc, which is by this point the second most legacy&defect by design stack in use almost everywhere.
        To get an idea of the difficulty involved in replacing X, imagine a county deciding that petrol-powered cars are crappy and they need replacing with electric cars ASAP. Furthermore, all servicing/repairs of petrol-powered cars is to stop so that those same efforts can be applied to electric cars. There's so much infrastructure and dependence on petrol cars (X) that even if a massive amount of time and effort was suddenly thrown into Wayland it would still be a very long time before it could be a practical default. And in the meantime everybody would still need X. The Wayland FAQ even acknowledges that X isn't going anywhere anytime soon ("Is wayland replacing the X server?")

        It may be old technology, but it's technology that's used by everybody running a GUI on Linux, BSD or Solaris.



        • #19
          Somewhat of a lacking analogy, since gasoline cars can not be run on electricity just by "figuring out an e->g converter". X on Wayland is working pretty well in this day and age. Imagine what it could have been already, if Wayland actually had a team of dedicated developers as opposed to a few talents making it happen?

          It sounds like Wayland needed the manpower of Ubuntu. Am I entirely misinformed if I say there are less than 5 people working full-time on Wayland? That is like what you find in a mediocre iOS game development team. And here we are talking about making the next-gen Linux display server. It sounds really pathetic, yet one has to admire the technology they come up with. It takes a frickin' long time, but at least it is done right.



          • #20
            Did you just compare X devs to fart app developers :P



            • #21
              Originally posted by varikonniemi
              Somewhat of a lacking analogy, since gasoline cars can not be run on electricity just by "figuring out an e->g converter". X on Wayland is working pretty well in this day and age. Imagine what it could have been already, if Wayland actually had a team of dedicated developers as opposed to a few talents making it happen?
              You weren't talking about running X on Wayland, you mentioned killing X with fire in one sentence and replacing it in the next. The trouble with putting more people on Wayland is that X development/maintenance would suffer; imagine being told (of a bug in X): "We're not fixing that, you need to leave X and run Wayland instead".



              • #22
                Originally posted by varikonniemi
                X on Wayland is working pretty well in this day and age.
                And using the exact same set of X libraries that we just fixed all these bugs in. You can't be rid of the X client libraries without being rid of every existing program using them. And for every X program in your distro's package repository there's dozens more you don't see, including a ton of custom apps behind closed doors, doing things like running major subway systems off Motif-based control GUIs.



                • #23
                  Most of these issues stem from the client libraries trusting the server to send correct protocol data
                  That sounds like a terrible idea. I don't think anyone should trust that what the X server sends is good at this point...

                  The X.Org security team would like to take this opportunity to remind X client authors that current best practices suggest separating code that requires privileges from the GUI, to reduce the attack surface of issues like this.
                  Indeed. I really hope something can be done about making more widespread use of polkit, as opposed to visual sudos. Starting with YaST.



                  • #24
                    Originally posted by BO$$
                    People have stuff to do with the computer. They don't want to know about security issues. That is not the reason they bought it.
                    Fixed that for you. Now go back to Windows, you deserve to have your machine compromised by exploits nobody knows about and even if they are known maybe Microsoft will fix them next Patch-Tuesday. Well, maybe not, but how should you know?



                    • #25
                      Originally posted by BO$$
                      Hahaha! You don't get it do you? Why would I fix those bugs? The moment Linux security turns out to be shit is the moment I'll go back to Windows. Me and a lot of people. Nobody will contribute. Just silently switch! And then you will probably understand why Windows is where it is and Linux is just a toy on the desktop.
                      So in other words you plan to switch from a platform with privilege elevation security problems to one with remote-code-execution security problems, one where their own software update system was exploited to send viruses? Brilliant move there.
