
Thread: X.Org Libraries Hit By Round Of Security Issues

  1. #11
    Join Date
    Aug 2012
    Location
    Pennsylvania, United States
    Posts
    1,920


    Quote Originally Posted by duby229 View Post
    And like I said in other threads at least these vulnerabilities are being announced at all. If this was proprietary software they would have been patched in the current code, ignored in older code and never mentioned to anyone.

    The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made but not distributed, then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.
    Since we know the name of the patcher, it's not a big deal to just watch the source repo for any of his recent commits and just apply them to individual distros' X server (or your own X server source tree if you want to get the fixes immediately). Another reason I like running Arch (or Gentoo): faster security fixes, no need to backport to older versions, just load up the new x.y.z+1 release.

  2. #12
    Join Date
    Jul 2009
    Posts
    286


    Quote Originally Posted by curaga View Post
    I think the news here is that X has an active security team
    Er yeah, between RHEL, SUSE, Debian, Solaris, the BSDs etc, that's fairly well covered ...

  3. #13
    Join Date
    Feb 2008
    Location
    California
    Posts
    79


    Quote Originally Posted by duby229 View Post
    The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made but not distributed, then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.
    We tried to give the good guys a two-week head start over the bad guys, by sending the advisory draft and proposed patches to the distros@openwall list before the advisory went public. There is no perfect solution here, and a lot of the current structure relies on good faith, but it's better than doing nothing.

    And while there's a massive pile of patches here, it's not that massive of a hole - the primary risk is if you have users on your Linux/Unix box that you trust to run programs but not to have root on the box. This isn't an "anyone who can open a TCP connection to your box owns you now" sort of hole (at least not in any scenario we've thought of - unfortunately, with lower-level library code, we don't know all the ways programs may be using it).

  4. #14
    Join Date
    Aug 2012
    Location
    Pennsylvania, United States
    Posts
    1,920


    Quote Originally Posted by BO$$ View Post
    Arch? Gentoo? Hard sell to people who don't see the OS as an end in itself.
    I just use Arch so that I don't have to deal with reinstallations / worrying "Did I get the most recent update?" Also the AUR is a nice touch for loading basically any app I want, and keeping them updated fairly automatically. Gentoo though, I agree, that's more of an "OS as the end unto itself".

  5. #15
    Join Date
    May 2011
    Posts
    1,599


    Quote Originally Posted by BO$$ View Post
    Arch? Gentoo? Hard sell to people who don't see the OS as an end in itself.
    Yes, but alternatively, consider Ubuntu: I'm running a two-year-old installation and will never see these (or any other) patches.

    But it is true that you get what you pay for.

  6. #16
    Join Date
    Jan 2012
    Posts
    188


    Kill X with fire and focus the same amount of effort in making Wayland a reality. How many man-years are wasted on patching up X, which is a technology dating back as long as most people here have been alive?

    After the worst legacy stack (X) is replaced, maybe the community can get together and write a replacement for glibc, which is by this point the second most legacy and defective-by-design stack in use almost everywhere.

  7. #17
    Join Date
    Nov 2011
    Posts
    300


    Running Debian Squeeze (oldstable) and they were available pretty quick.

    @varikonniemi: Consider this comment (quoted without attribution in van Sprundel's presentation), and then consider that Wayland uses XKB, as do so many new projects:
    Shoot me now. And then shoot Daniels for not freeing us from XKB yet.
    And then shoot anyone who volunteers to try to fix XKB, before it's too late for them too.

  8. #18
    Join Date
    Jul 2010
    Posts
    449


    Quote Originally Posted by varikonniemi View Post
    Kill X with fire and focus the same amount of effort in making Wayland a reality. How many man-years are wasted on patching up X, which is a technology dating back as long as most people here have been alive?

    After the worst legacy stack (X) is replaced, maybe the community can get together and write a replacement for glibc, which is by this point the second most legacy and defective-by-design stack in use almost everywhere.
    To get an idea of the difficulty involved in replacing X, imagine a country deciding that petrol-powered cars are crappy and need replacing with electric cars ASAP. Furthermore, all servicing/repairs of petrol-powered cars is to stop so that those same efforts can be applied to electric cars. There's so much infrastructure and dependence on petrol cars (X) that even if a massive amount of time and effort was suddenly thrown into Wayland, it would still be a very long time before it could be a practical default. And in the meantime everybody would still need X. The Wayland FAQ even acknowledges that X isn't going anywhere anytime soon ("Is wayland replacing the X server?").

    It may be old technology, but it's technology that's used by everybody running a GUI on Linux, BSD or Solaris.

  9. #19
    Join Date
    Jan 2012
    Posts
    188


    Somewhat of a lacking analogy, since gasoline cars cannot be run on electricity just by "figuring out an e->g converter". X on Wayland is working pretty well in this day and age. Imagine what it could have been already, if Wayland actually had a team of dedicated developers as opposed to a few talents making it happen?

    It sounds like Wayland needed the manpower of Ubuntu. Am I entirely misinformed if I say there are fewer than 5 people working full-time on Wayland? That is like what you find in a mediocre iOS game development team. And here we are talking about making the next-gen Linux display server. It sounds really pathetic, yet one has to admire the technology they come up with. It takes a frickin' long time, but at least it is done right.

  10. #20
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,269


    Did you just compare X devs to fart app developers? :P
