Announcement

**You-** · 29 March 2023, 12:20 PM

Originally posted by Weasel View Post

Remember, each CVE fixed is one step closer to perfection!

You're assuming new bugs are not introduced simply by existing.

For instance there was a DOS type bug in xorg that had to be fixed a decade ago which was due to extra large textures. such sized textured could not even exist when the protocol was designed.

As computers progress often older assumptions are no longer true. We have had this with CPU memory, speeds, multithreading, GPUs and probably many other areas where sane decisions at the time of implementations became bugs and security weaknesses years or even decades later.

**ClosedSource** · 29 March 2023, 12:31 PM

Originally posted by Sethox View Post

Can you clarify?

Sure.

It fails to clarify that community crates *are* community crates. A crate can go out of style or not be developed anymore. The community decides to start promoting another crate that provides the same functionality. While this is nice, the Rust governing body or maintainers are placing no effort to make sure people understand this is all third party software. This leads to two situations.
- Newcomers think crate X is the official Rust way of doing things when in reality, it is what the community of developers feels is best in accordance to their expertise.
- You are literally lost on what to use if you are not in the loop on what's best at the moment.
You can't ship version x.yz and maintain it because while the language itself is stable, it contains a lot that is best placed in frameworks. This is essentially weak governance. It's like putting QTCore and GLib into C++ and C or webapis and nodejs apis (not node itself) into javascript.

You can argue that this not a necessarily bad thing for developers. But I still am not fond of it. it's a personal subjective opinion.

**juxuanu** · 29 March 2023, 12:47 PM

Originally posted by kylew77 View Post

I for one am glad Xorg exists because you can do client server stuff like x11 forwarding! Makes clients like OpenBSD more usable where there is no Linux emulator or wine and your only choice for accelerated virtualization is VMM. Wayland has no equivalent last time I checked to x11 forwarding.

Forwarding can be achieved with waypipe.

**andyprough** · 29 March 2023, 01:17 PM

So? Don't run Xorg as root. You also shouldn't run your web browser as root. Where are all the CVE's for that?

**kylew77** · 29 March 2023, 02:15 PM

Originally posted by juxuanu View Post

Forwarding can be achieved with waypipe.

Did not know this was part of the wayland specification. I stand corrected. Thank you!

**skeevy420** · 29 March 2023, 02:47 PM

Originally posted by ClosedSource View Post

Sure.

It fails to clarify that community crates *are* community crates. A crate can go out of style or not be developed anymore. The community decides to start promoting another crate that provides the same functionality. While this is nice, the Rust governing body or maintainers are placing no effort to make sure people understand this is all third party software. This leads to two situations.
- Newcomers think crate X is the official Rust way of doing things when in reality, it is what the community of developers feels is best in accordance to their expertise.
- You are literally lost on what to use if you are not in the loop on what's best at the moment.
You can't ship version x.yz and maintain it because while the language itself is stable, it contains a lot that is best placed in frameworks. This is essentially weak governance. It's like putting QTCore and GLib into C++ and C or webapis and nodejs apis (not node itself) into javascript.

You can argue that this not a necessarily bad thing for developers. But I still am not fond of it. it's a personal subjective opinion.

So enough about Python, what about Rust?

**uxmkt** · 29 March 2023, 03:54 PM

security researchers saying it's even worse than it looks and security researchers frequently finding multiple vulnerabilities at a time in the large and aging code-base that these days rarely sees new feature work

They always say that, so they can keep their jobs. In 40-50 years time, when Wayland is about to get replaced by something else, those sharks will be all over Wayland and how bad it has turned out.

**oiaohm** · 29 March 2023, 04:13 PM

Originally posted by kylew77 View Post

Did not know this was part of the wayland specification. I stand corrected. Thank you!

waypipe is not part of the specification.

M. Stoeckl / Waypipe · GitLab

https://gitlab.freedesktop.org/mstoeckl/waypipe

Network transparency with Wayland: https://mstoeckl.com/notes/gsoc/blog.html

The "Technical Limitations" is a good read. Wayland protocol turns out not to be horrible to forward over network.

Fortunately, the Wayland wire protocol is partially self-describing, so Waypipe can parse the messages it needs (those related to resources shared with file descriptors) while ignoring the rest.

Yes waypipe only processes a subset of Wayland protocol but then for majority just send over network as is because of the way the Wayland protocol is. It turns out Wayland protocol is not design to horrible. Interesting right Wayland protocol has features in it that make proxy between application and compositor way more practical. Waypipe just happens to be a proxy that goes over network.

Remember with X11 NX and other things have been used to get more complex X11 client over network. The over network protocol in X11 standard is not good with complex applications.

**Quackdoc** · 29 March 2023, 04:45 PM

Originally posted by juxuanu View Post

Forwarding can be achieved with waypipe.

waypipe is... fine? its not particularly good, but its not bad either, something are super buggy with it, (like games) but something are fine, I use it for testing touch apps by using waypipe to forward an application to my tablet for control, its super slow though, no matter the compression over wifi (I do have a decent wifi) it's hard to get waypipe to a point where it's usable outside of testing.

I think waypipe could be great for VMs, however unless AF_VSOCK gets added, you need to use socat to bind waypipe's socket and the vsock, and preformance of that at least is not great. that being said, waypipe makes testing touch applications not terrible at least

**oiaohm** · 29 March 2023, 06:05 PM

Originally posted by Quackdoc View Post

waypipe is... fine? its not particularly good, but its not bad either, something are super buggy with it, (like games) but something are fine, I use it for testing touch apps by using waypipe to forward an application to my tablet for control, its super slow though, no matter the compression over wifi (I do have a decent wifi) it's hard to get waypipe to a point where it's usable outside of testing.

I think waypipe could be great for VMs, however unless AF_VSOCK gets added, you need to use socat to bind waypipe's socket and the vsock, and preformance of that at least is not great. that being said, waypipe makes testing touch applications not terrible at least

Not being particularly good is something common with X11 forwarding as well. Bandwidth issues is another common problem with X11 network forwarding.

Waypipe from what I have found is about equal with X11 forwarding.

Yes for a proof of concept and not highly optimized waypipe does very well.

Announcement

Trend Micro Uncovers Yet Another X.Org Server Vulnerability: CVE-2023-1393

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment