X.Org Hit By New Security Vulnerabilities - Two Date Back To 1988 With X11R2

  • TemplarGR
    replied
    Originally posted by stormcrow

    Wayland's fragmented compositors and frameworks will end up with their own security vulnerabilities in practice. That's inevitable.
    This is certainly true. All software is prone to bugs and security issues anyway. BUT, there is also a positive side to the fragmented compositor landscape. Not every compositor/framework is going to have the same vulnerabilities, so there is less incentive for hackers to attack Wayland. Wayland is already obscure enough, imagine if you split Wayland into 3+ major compositors, each with different vulnerabilities, it will make each compositor a much smaller target for hackers to target, and removes the incentive to do so. Hackers typically want to "fish" for the largest population possible, they do not care to attack obscure targets with few available computers.

    On the other hand, there is only one Xorg, so every desktop/server that uses Xorg, has the same vulnerabilities, making it a more suitable target than Wayland.


  • Draget
    replied
    #hottake time from me: You know which protocol and its implementations suck? Yeah, both!

    I have wanted to get rid of X for years. I have many gripes with it (e.g. multimonitor) and wanted to switch to Wayland multiple times in the last 5 years. I am a regular KDE user and KWin Wayland support was < plasma 5.26 just crap. I even switched to Gnome for a while since Mutter is slightly better, but I am a KDE boy and after 5.27 Wayland was luckily not a catastrophe anymore.

    But when dealing with KWin and Wayland (tho not all is KWin's fault, looking at you portals!), I keep hitting super annoying roadblocks. Yes, it is global hotkeys in Mumble that hinders me when podcasting and had me build workarounds. Yes, it is screensharing in Slack and Teams that I regularly have to juggle around in versions from portage/flatpak to get screensharing going until it stops working again.

    I do not want to use Slack or Teams and I know I should blame them (I do my having written them more than once about the issues), but I believe it is not solely their fault. They are using electron (OSS browser engine) and the portals and switcher were only figured out this year among the distros. It theoretically works.
    The portal concept is cool, but needs a lot more testing across DEs and more people need to push the closed source tools to test with Wayland and file bug reports. And distros should stay in contact to properly support Wayland features in some common concept and quickly.

    I switched back to X about a month ago, waiting for KDE 6.0, as I have waited for 'the next KDE release, where it will be better for sure' for the past 5 years…


  • stormcrow
    replied
    Originally posted by oleid

    Never heard that distribution name before.
    Wayland is default on Debian, Debian is used by my employer on all developer desktops. All developers use Wayland since Debian 12. I'd say it is production ready 🤷‍♂️
    Depends on what your production environment is using and producing. For me, the Wayland version in Debian 12 crashes every 10-15 seconds and lacks some necessary features when it stays up long enough. X.org, rock solid. No, I don't care about the security vulnerability. It was fixed. People move on. Wayland's fragmented compositors and frameworks will end up with their own security vulnerabilities in practice. That's inevitable. Some may even have been in the code since the beginnings of their projects. They get fixed and everyone moves on. The entire stack is pretty much rotten to begin with from hardware to firmware to kernel to user space. You can't swing a memory allocation without compromising something somewhere because someone failed to follow logical paths to conclusion (there's a reason programming logic is a required course in CS degrees and formal methods should be if they aren't), failed to sanitize something (Turing bites them on the butt yet again), or one change in one area revives or exposes a bug somewhere else. And don't even get me started on us users. The vast majority of compromises happen before anyone gets to the computer system itself. It's the authorized users that screw up most often leading to compromise.

    Wayland works for you, great. You do you. Doesn't work for everyone. No, I'm not going to go into what I'm using or doing. You don't need to know. The only relevant point is that just because it works for some people in whatever production environment they have, doesn't mean it's ready for everyone. "Production" simply means an environment suitable to repeatedly and reliably produce a work product. Different environments have different requirements and different tolerance for failure modes. Sometimes that's internal policy. Sometimes it's regulatory policy. Sometimes it's just practicality.
    Last edited by stormcrow; 04 October 2023, 01:27 AM.


  • rogerx
    replied
    Shrugs. I strongly dislike Wayland... just does not work as good as X/Xorg and Wayland does not help get my work done.

    For those dependent upon a mouse or joystick, probably will not notice any difference. I notice the difference with increased annoyances almost immediately.


  • oleid
    replied
    Originally posted by andyprough

    Wayland devs just told the XeroLinux lead dev that wayland is not recommended for production systems yet and that distros should not be making it default.
    Never heard that distribution name before.
    Wayland is default on Debian, Debian is used by my employer on all developer desktops. All developers use Wayland since Debian 12. I'd say it is production ready 🤷‍♂️


  • TemplarGR
    replied
    Originally posted by andyprough

    Why would you think I don't understand what a production system is? Don't be silly. I've been using GNU/Linux for 25+ years personally and for companies.
    Easy, because of your previous comments... The distros that are using Wayland by default today, or are pushing for it right now, are NOT for production systems. Wayland is ready right now for non-production systems, which is why major distros are using it by default. So your first comment on this thread makes absolutely no sense. You complain about something that no one ever said, that Wayland is production-ready.... You acted like Wayland people saying it recently was some kind of revelation.


  • andyprough
    replied
    Originally posted by higgslagrangian
    You can't be serious.

    Get a f* grip.

    I don't care where you are quoting this from. You can't be so f* naive.
    Naive about what? Someone in a position to have that conversation with wayland devs said on a publicly aired broadcast that the wayland devs explicitly said "not ready for production systems", "should not be the default for any distros". If it bothers you so much go talk to some wayland devs yourself. If they're saying it to one person they are probably saying it to lots of people.


  • andyprough
    replied
    Originally posted by TemplarGR
    Your issue is that you are not understanding the definition of "production systems".... A production system is not your PC/laptop at home, even if you use it for work.... Yes, Wayland is still not ready for production systems, this is not news. Major distros are not used in production systems, no one uses Ubuntu, Fedora, Arch, on a production system.
    Why would you think I don't understand what a production system is? Don't be silly. I've been using GNU/Linux for 25+ years personally and for companies.


  • TemplarGR
    replied
    Originally posted by andyprough

    I wasn't looking for anything - I've been watching that podcast for a couple years and I just noticed he said that the other day so I linked to it. I have no idea what other distro contributors say about wayland. I actually assumed that the wayland devs DID want distros to use it by default, so I was proven wrong.
    Your issue is that you are not understanding the definition of "production systems".... A production system is not your PC/laptop at home, even if you use it for work.... Yes, Wayland is still not ready for production systems, this is not news. Major distros are not used in production systems, no one uses Ubuntu, Fedora, Arch, on a production system.


  • ssokolow
    replied
    Originally posted by WereCatf
    Geesh, the toxicity in the comments here is starting to reach Slashdot-levels. Shame on you, people.
    *sigh* That's just Tuesday. Welcome to Phoronix Forums.
