X.Org Server Clears Out Remnants For Supporting Old Compilers

  • Originally posted by dkasak View Post

    LOL that's ancient. I see it has an ATI FireGL V3400 ( RV530 ). I guess it doesn't support modesetting? You could probably bring up a wayland compositor in software-only mode though. I supposed you've tried your darndest and not succeeded, so I'll let it at that. Anyway, I'm not surprised that a next-gen display server doesn't work with your 20-year-old hardware. It's probably not on their radar to test this kind of thing.

    Hmmm I see you also have 4 x Xeon cores @ 2.33GHz. Wow dude. Is this your primary workstation? I'm curious what you do with it.
    Yes it is my daily driver. I replaced the graphics card with a Radeon RX 7600. Although it has 2 processor sockets, I have only one processor installed. However, the real bottleneck is the memory. I have only 4GB installed. DDR2 ECC registered SDRAM is a bit difficult to come by (... non-ECC or non-registered don't work). Fortunately Linux is not that memory hungry. It is sufficient for emails, internet browsing, photo editing etc. It even works with many Steam games. Bioshock, Talos Principle and Shadwen are quite playable (with an occasional stutter). The limit for video playback is at around 1080 @30fps, but better 720. Just don't try anything over 30Hz. Youtube works quite well up to that limit. Other streaming platforms require lower settings.

    I have tried many things regarding wayland. I am currently on Artix, but I have tried with Ubuntu, Debian, Manjaro. Not always with this machine. One of my "requirements" is that it has to work more-or-less out of the box. I'm tired of fiddling with the settings after every software update. The closest I came to a working wayland desktop was on a Raspberry Pi 4 about a year ago. Even that was not without some "issues". And I think I am not alone.

    Originally posted by dkasak View Post
    I GET IT. I GET IT. Hahahahahahahahahahaha. Dude, that's hilarious. "fly out the (X-)window". Hahahahahahahahahahaha.

    Deary me, you're an interesting soul.
    Thanks.



    • Originally posted by avis View Post
      I don't know a single case in real life when preventive security/safety measures have been enabled before accidents occured.
      I have. A lot. Worked in construction in my early adulthood and saw plenty of examples of safety inspectors seeing things and putting a stop to it before it went wrong. I've even seen the orders of safety inspectors being ignored "because nobody's been hurt" and then someone being killed because he refused to comply. He thought he wouldn't need guardrails or a safety harness on just the second floor, fell down head first and died on impact.

      In heavily regulated fields like construction and engineering of major safety critical systems you start looking for potential safety hazards and verifying things almost as soon as you put pen to paper. Major accidents with serious injuries caused by design defects are just something that forces you to act swiftly and get a lot of media attention. Be it for a deliberate or unintentional oversight, but when doing things professionally you simply don't do the former and try to avoid the latter.

      The fact that there are unscrupulous people and that people make mistakes doesn't mean serious failures are the only reason to act on flaws in design; that idea is absurd. In any professional environment you do absolutely check and verify things already at the design stage and throughout the process from specification to delivery.

      Even then you're making a moot point. The insecurity of X.org has been verified in design review and with working proof-of-concept attacks. That's the equivalent of a new car having a design flaw that was identified in design review and verified in a crash test, but then the manufacturer refuses to rectify it until it starts killing customers.

      Ford's Pinto fuel tank safety hazard, which you're referring to, is not an example of how things are supposed to be done, it's a lesson in how things are not supposed to be done. It cost Ford massively in terms of reputation and financials, both damage payouts and lost sales. It's an example of why this "It's not a problem until someone is killed" mindset is just bad leadership.

      And here's a real example from software. If what you're saying were true, we'd stop using any software right freaking now, why?
      In software, if you can fix things you fix them. If you can't, you disable and/or replace things. With X.org the conclusion has been that just fixing things is going to be a game of vulnerability whack-a-mole as soon as serious effort gets put into it, so it's best to just replace it entirely. Unlike X.org, the other examples you bring up haven't been deemed to include serious flaws stemming from design and hence they've just been fixed when bugs are discovered rather than having a concerted effort into replacing them entirely.

      Xorg has not been exploited in over 35 years of its existence
      Wrong. It has been exploited. It's been exploited plenty of times in proof-of-concept attacks over the years. Design review has concluded that there's plenty more to exploit if people can be bothered. What it hasn't been is maliciously exploited.

      Don't you find it a little bit too convenient and insincere? Yeah, because it's exactly what's going on. It's never been an issue and it is still not.
      Here you are claiming that something that has long since been determined to be fundamentally insecure, proven so thru proof-of-concept exploits somehow isn't because nobody has bothered to do so maliciously? Then claiming that I'm being insincere? Talk about the pot calling the kettle black.

      You fix something which has been proven to be a major realistic attack vector.
      Again; The proof-of-concept attacks/exploits I keep bringing up have long since proven that X.org is a realistic attack vector. Design and code review has concluded that it's not just vulnerable to those specific attacks, but fundamentally flawed and vulnerable. Hence the long standing and concerted effort to replace it. The fact that people screw up out of pure laziness or incompetence is not an argument against professionalism.

      They were fixed because they have been shown and proven to work against web browsers via simple JavaScript
      No. The initial proof-of-concept attacks were written in C++ and the JavaScript-based ones weren't created until both OS-level and hardware changes were well underway. The initial fear was to use this as a way to escape sandboxes and exploit the host OSs of virtual machines to gain access to other virtual machines under the same host or access other resources in the same network.

      I'm OK with different opinions based on valid concerns, arguments and considerations. I'm not OK with vapid opinions from people who have not written a single line of code, never done any security related work and only parrot what other have said.
      No. You're just being a contrarian. Review of the design and codebase by people far more qualified than either of us has long since shown X.org is fundamentally flawed and this has been proven thru proof-of-concept attacks/exploits. It's also adorable that you try to claim that because I disagree with your contrarian stance it means I've never dealt with security or written a single line of code.

      I've been asking for years now to produce evidence of Xorg being exploited and again nothing. This is not a valid concern.
      Yes and you've been shown proof-of-concept exploits over and over again. Only for you to keep insisting that because nobody's created or repurposed one for malicious use they don't exist and there's nothing wrong with X.org.

      Not serious, not fundamental, not exploited. Get your facts right.
      You're just insisting that a figurative dead horse that's been beaten to a fine paste is alive and well. Design review has years ago concluded it's fundamentally flawed and proof-of-concept attacks/exploits have proven this. All you've got is that because nobody has exploited it maliciously, everything is just hunky-dory.

      And again, it all became serious only after Wayland was devised. Conveniently insecure only when it became necessary to push half-assed Wayland implementations.
      No. Wayland was devised because X.org was found to be fundamentally lacking, not the other way around. Once it became available for use people began to encourage its use for this exact reason. You're just putting the cart before the horse the same way conspiracy theorists do.



      • Originally posted by gotar View Post

        Still, in Wayland model the threat surface is compositor itself. It is not isolated, it doesn't isolate the clients from itself, so inter-client interface isolation simply doesn't matter (and the clients usually would not be separated on process level anyway).
        Not sure what exactly this is supposed to mean, but the isolation between a Wayland compositor and its clients is mostly the same as between an X server and its clients, so any claim you make about the former applies to the latter as well. Wayland has strictly better isolation between separate clients though.

        Is there native display for remote machines (let's say I don't trust hypervisors in post-spectre era)?
        Yes, there's Waypipe, which is mostly equivalent to SSH X forwarding.

        (X servers haven't listened for clients connecting via TCP by default for a long time, it was already mostly superseded by SSH X forwarding and just an attack vector by then)

        Yes, I'm writing this using web browser running via forwarded X11.
        That works exactly the same in a Wayland session.

        Originally posted by Daktyl198 View Post

        As for developers, the one off the top of my head is Daniel Stone. He joined XFree86 in 2002 and joined X.org in 2004, so not early 90s but also joined the X project 22 years ago (7 years before Wayland was proposed). I've not searched through the latest git issues to see how active he is now, but he was a core member (maintainer of XKB) when the move to Wayland happened.
        Daniel is still one of the core Wayland developers.

        Yours truly joined XFree86 around the millennium, and worked on XFree86/Xorg stuff until I switched to Xwayland and Wayland stuff in 2019.

        Originally posted by energyman View Post
        the last time I tried wayland, discord push-to-talk did not work, unless discord had the focus before I switched to the fullscreen game.

        This made wayland utterly unusable for me.

        Has this been fixed?
        Not yet AFAIK, there's now a global shortcut portal which discord could use for this though.

        Originally posted by duby229 View Post

        I would like to know how many people are actually using Wayland sessions as their daily desktop environment. I don't think it's a big proportion.
        According to https://www.gamingonlinux.com/index....essionType-top , ~1/3 of Linux gamers are using a Wayland session, break even is expected in ~2-3 years if the trend continues. I suspect it might accelerate with KDE Plasma 6 and the nvidia driver working better with Wayland though.

        And since this is only about gamers, I expect the numbers are more in favour of Wayland for all Linux desktop users. I expect the majority either is already using Wayland, or will soon with KDE Plasma 6. Most of them blissfully unaware of what Wayland/X are.

        Originally posted by alphabitserial View Post

        Supporting this functionality is definitely possible and is implemented in Plasma. System Settings -> Applications -> Legacy X11 App Support -> Allow legacy X11 apps to read keystrokes typed in all apps. I'm not aware of support in other desktops/compositors [...]
        I can't see GNOME ever allowing X keyloggers to spy on Wayland clients. The proper solution for global shortcuts is the corresponding portal.
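The points made in this post (a Wayland compositor isolates its clients from one another's input, X servers stopped listening for TCP clients by default long ago, SSH X forwarding and Waypipe cover the remote case) lend themselves to a quick self-check on a Linux desktop. What follows is an added example written for this page; it is not code from anyone in the thread nor from the X.Org or Wayland projects. It reports whether the session is Wayland or X11, whether any X display accepts TCP connections and on which address, and whether the X server was started with `-nolisten tcp`. The port arithmetic (display :N maps to TCP port 6000+N) and the `-nolisten tcp` option are standard X11 behaviour; the `ss -ltn` output, the environment and the Xorg command line embedded below are constructed sample data, and the severity labels are the example's own convention.

```python
"""Defensive audit of an X11/Wayland desktop session (added example).

Inputs are constructed sample data; on a real host pass os.environ,
the text printed by `ss -ltn`, and the X server's command line from
/proc/<pid>/cmdline (NUL-separated, so replace the NULs with spaces).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# X display :N listens on TCP port 6000+N when TCP listening is enabled.
X11_TCP_BASE = 6000
X11_TCP_RANGE = 64


@dataclass
class Finding:
    severity: str  # "info", "medium" or "high" (convention of this example)
    message: str


def x11_tcp_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Parse `ss -ltn` output; return (bind_address, display_number) for
    every listening socket whose port falls in the X11 range."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # first line is the header row
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        # Column 4 is "Local Address:Port"; rpartition also handles "[::]:6001".
        addr, _, port = parts[3].rpartition(":")
        if not port.isdigit():
            continue
        display = int(port) - X11_TCP_BASE
        if 0 <= display < X11_TCP_RANGE:
            listeners.append((addr, display))
    return listeners


def xorg_listens_tcp(cmdline: str) -> bool:
    """True when the X server command line lacks '-nolisten tcp'."""
    return re.search(r"-nolisten\s+tcp\b", cmdline) is None


def is_loopback(addr: str) -> bool:
    return addr in ("[::1]", "127.0.0.1") or addr.startswith("127.")


def audit(env: dict, ss_output: str, xorg_cmdline: str) -> list[Finding]:
    """Combine the session-type, TCP-listener and command-line checks."""
    findings = []
    session = env.get("XDG_SESSION_TYPE", "unknown")
    if session == "wayland":
        findings.append(Finding("info", "Wayland session: the compositor "
                                "isolates clients from each other's input"))
    elif session == "x11":
        findings.append(Finding("medium", "X11 session: any client of this "
                                "display can observe other clients' input"))
    else:
        findings.append(Finding("info", f"session type unknown ({session})"))
    for addr, display in x11_tcp_listeners(ss_output):
        severity = "medium" if is_loopback(addr) else "high"
        findings.append(Finding(severity, f"X display :{display} accepts "
                                f"TCP connections on {addr}"))
    if xorg_cmdline and xorg_listens_tcp(xorg_cmdline):
        findings.append(Finding("medium", "X server started without "
                                "'-nolisten tcp'"))
    return findings


# Constructed sample data for a stand-alone run (not captured from a host).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    [::]:6001           [::]:*
"""
SAMPLE_ENV = {"XDG_SESSION_TYPE": "x11"}
SAMPLE_CMDLINE = "/usr/lib/Xorg :0 -seat seat0 -auth /run/lightdm/root/:0 vt7"

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENV, SAMPLE_SS, SAMPLE_CMDLINE):
        print(f"[{finding.severity}] {finding.message}")
```

A listener bound to a non-loopback address is rated higher than one on loopback because only the former is reachable from the network; SSH X forwarding and Waypipe, as the post notes, need neither.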



        • Originally posted by duby229 View Post

          Um, yeah you did. An incredibly vague comment about how people are moving to Wayland. Evidence please?
          Oh I see. I was talking about developers being attracted to new technologies. I didn't mean users were moving to Wayland. Sorry if that wasn't clear. Evidence of development activity here in Phoronix news about desktop environments, compositors and other software implementing support for Wayland: just to link a few.

          Xorg server last years of changelog (https://fossies.org/linux/xorg-server/ChangeLog) shows only security fixes and a few other fixes. It is in sustaining mode.



          • Originally posted by MrCooper View Post

            According to https://www.gamingonlinux.com/index.php?module=statistics&view=trends#SessionType-top , ~1/3 of Linux gamers are using a Wayland session, break even is expected in ~2-3 years if the trend continues. I suspect it might accelerate with KDE Plasma 6 and the nvidia driver working better with Wayland though.

            And since this is only about gamers, I expect the numbers are more in favour of Wayland for all Linux desktop users. I expect the majority either is already using Wayland, or will soon with KDE Plasma 6. Most of them blissfully unaware of what Wayland/X are.

            So that's something. It's higher than I expected and growth seems to be driven pretty much exclusively by Plasma... So my earlier comment about some wayland compositor maybe reaching parity someday despite Wayland seems like it's gonna be Plasma... Thank GOD... I'd so much prefer KDE leading the way than Gnome.

            Gnome's wayland session just isn't usable and Plasma 5 wayland session is still buggy as hell... Maybe you're right and Plasma 6 will finally after decades fill in all the gaps of what Wayland can't.



            • For at least three times in a row L_A_G you've completely glossed over the fact that Xorg had been known to be vulnerable this way for over 25 years now and no one rang a bell about that until it was high time to forcefully push people to something poorly standardized and terribly fragmented.

              Your construction example does not hold water with me either. The construction industry was marred with incidents, thousands of deaths in the early days of it circa 150 years ago. Workers died left and right in droves because no one gave a damn about safety. Buildings, bridges, factories everywhere. Tons of pictures nowadays depicting construction of the past where workers are shown sitting on unfinished buildings hundreds of feet in the air with zero safety, just holding to it with their bare hands and feet.

              It's only after unions, laws and insurance started to become a thing that "safety" in construction became a necessity and reality. It was enforced after the fact, it was never there in the first place. And your recent examples of safety measures enabled before incidents occurred? I'd love to see the actual examples, not your testimony long after the fact. Memory is a weird thing and it plays tricks on us all the time. I love things which are properly documented and verified. There's too much "I've heard someone say" things in the past three decades now.

              And lastly your attitude towards security is weird. I've shown example after example how security in absolute most cases is an afterthought, not something which is taken into consideration and you cleverly find ways to say it's not true. Where were you when PHP websites were hacked in tens of thousands due to SQL injection, and other bad practices. Why was PHP even designed to allow that? Yet it was designed exactly this way. Then a whole deal about global variables which was abused a lot. Global variables were disabled in PHP5 or something, I don't remember now. I have countless examples, unlike your "proof-of-concept Xorg vulnerabilities" which are still not exploited.

              Why do you persistently continue to deny the reality of Xorg not being exploited due to vulnerabilities which became convenient only recently with the advent of Wayland, not for decades earlier? I want you to answer this question. I want you to answer the question why Mir was never adopted despite these glaring vulnerabilities and it's instead Wayland which is pushed by Redhat? Mir was released as a complete product 11 years ago and we've lived happily so far and I continue to use Xorg as of now despite doing banking on my PCs.

              Why have I never been hacked? Why? By various estimates there are up to 4 million Linux users most of whom still use Xorg. Why do we not hear about successful exploitations due to Xorg left and right?

              And since you have no answers as to why these Xorg vulnerabilities have never been attended to earlier, here's my answer: they are inconsequential and not vulnerabilities per se. They are specifics of the protocol. Because like you said and claimed several times, actual vulnerabilities get fixed ASAP. You contradict your own reasoning and statements. Mir has been there for 11 years and pretty much no one has adopted it despite Xorg being "hugely insecure".

              Your reasoning is so elaborate and difficult to apply to the situation and I am so exhausted by you trying to bend reality such a way as to portray Xorg as being "insecure" only (!) recently, I'm done with this discussion for real. It's not argumentation, it also feels and sounds like gaslighting. You are trying to make me believe X.org is worth replacing only now and not decades earlier.

              And before you say creating a new display server (tech) is expensive and difficult, RedHat has been swimming in money for at least two decades now. They had ample resources to fix this issue in the early 00s. They did not. And RedHat is not even the only company making money off open source. We've had Novell, Suse, IBM, Oracle, SCO, Solaris (they were independent) etc. etc. etc. all perfectly knowing about this Xorg vulnerability. No one ever bothered to fix it. Again, why?

              For Xorg to be hacked this way malware must already be running on your system. However if it's running under your user account, Wayland's security is void and null as well. Oh, boy.
              Last edited by avis; 22 February 2024, 01:41 PM.





              • there even is a convenient module for it...
                actually, there are several, depending on which whack-a-mole hole has been patched/plastered over and which not.

                but why do I make the work to talk to fools, wasted time and energy, but you are so obviously wrong and just stupid all the time, people have pity and try to help, just to get burned again and again. Sigh.



                • reba

                  Nice screenshot of exploitation of the vulnerability not related to what we've been discussing here in any shape or form.

                  Yeah, don't waste your time please.

                  We've been talking about the X11 protocol allowing apps to sniff one another's output and input and you've just unearthed some crap related to the vulnerability in an ancient version of the Xorg server itself. And here I am running, xorg-x11-server-Xorg-1.20.14-30.fc39.x86_64 and the version on your screenshot was released seven years ago.

                  What a way to be embarrassed.

                  And of course you could bet your life on Mutter and KWin (using Wayland and serving as complete display servers) being bug free. Yeah, right.

                  Wayland/Linux fans prove in almost every thread here that they are lousy debaters. You're talking about one thing - "here's an argument about something completely unrelated" because "I'm so devoted to the religion of open source, I just cannot keep silent and for the lack of argument, let's just say something that other like-minded people here will appreciate".

                  Complex software normally and often contains vulnerabilities. They get fixed. Here have fun (3451 vulnerabilities found) and have a nice day. Is this list related to the issue at hand? No. But I post because I can, just like you. Only I won't claim I've countered your argument because you didn't have any.
                  Last edited by avis; 22 February 2024, 02:07 PM.



                  • Originally posted by avis View Post
                    For at least three times in a row L_A_G you've completely glanced over the fact that Xorg had been known to be vulnerable this way for over 25 years now and no one rang a bell about that until it was high time to forcefully push people to something poorly standardized and terribly fragmented.
                    Again; The only thing that you've still got to cling onto is that nobody has exploited it maliciously, yet. It's well known to be architecturally archaic and insecure, like init, and like it, needed to be replaced sooner or later. Wayland, like systemD, was created for the explicit purpose of replacing it. There's no grand conspiracy that when they reach maturity, they'll start being pushed by responsible developers who understand why they're needed. Say whatever you like about how they're implemented, I've pissed off a fair few people for being critical of the way systemD has been and its feature creep, but they were both created for good reasons.

                    Your construction example does not hold water with me either...
                    You don't get to just claim something as being universal, drag in the auto industry and then when it doesn't go your way declare "Well that doesn't apply". Then start going on about staged postcard photos from a century ago when I'm talking about an incident that happened in February 2007. Anything safety critical goes through reviews and inspections that are often acted on before serious accidents and breaches. Like anything else, this is not perfect and failures to do this due to negligence or incompetence doesn't change a thing.

                    Failures to follow proper procedure when designing and implementing anything safety critical always get an outsized amount of attention. Most mistakes, oversights and negligence caught before they cause any issues or accidents don't get much, if any, attention whatsoever. Acting like failures that get a lot of media attention when they cause serious accidents or incidents are the only ones that are ever rectified is plain stupid. It's pretending like something doesn't exist unless it makes headlines.

                    And lastly your attitude towards security is weird. I've shown example after example how security in absolute most cases is an afterthought, not something which is taken into consideration and you cleverly find ways to say it's not true.
                    To repeat myself once again; Unrelated failures due to negligence and incompetence aren't proof of anything. It's just whataboutism. Nothing more. A misdirection in lieu of having an actual argument to put forward. A cop-out. A non-argument.

                    The undeniable reality is that X.org has been found to have serious structural level security vulnerabilities ages ago, these have long since been repeatedly proven thru proof-of-concept attacks/exploits and as a result there have been multiple concerted efforts to replace X.org. You acting like if you can stick your fingers deep enough into your ears by insisting that unless there's a malicious use of these that becomes well known, it doesn't exist, doesn't make it vanish into thin air. However it is consistent with your "If it doesn't make headlines, it doesn't exist"-attitude.

                    Why do you persistently continue to deny the reality of...
                    No. It's only "reality" in the same sense that people with liberal arts backgrounds use "truth" as a synonym for "opinion" and think that because they call their opinions their "truth" they are more than what they are; An opinion. Something that can, and often is, wrong.

                    Xorg not being exploited due to vulnerabilities which became convenient only recently with the advent of Wayland, not for decades earlier? I want you to answer this question.
                    How many times do I have to remind you that X.org has been exploited numerous times over the years? Thankfully this has not been by a malicious actor as they, being either profit motivated criminals or government actors with limited budgets, have instead elected to go for juicier and lower hanging fruit. Like Windows, browsers thru things like JavaScript, CSS, PHP and more recently MacOS/iOS.

                    Or at least as far as we know. You probably will claim, but I don't claim to be clairvoyant. That would be consistent with your attitude of "If I've never read about it, then it can't exist".

                    I want you to answer the question why Mir was never adopted despite these glaring vulnerabilities and it's instead Wayland which is pushed by Redhat? Mir was released as a complete product 11 years ago and we've lived happily so far and I continue to use Xorg as of now despite doing banking on my PCs.
                    Probably for the same reason why Display PostScript lost to X despite being a superior standard. Being the product of one company will, especially in the open source community, always be viewed with suspicion. Add to that sourpusses like you who think that your opinions bend reality and it wasn't going to get widely adopted. I personally didn't see anything wrong with it and used it until Ubuntu dropped Unity in favor of going back to Gnome.

                    Why have I never been hacked? Why? By various estimates there are up to 4 million Linux users most of whom still use Xorg. Why do we not hear about successful exploitations due to Xorg left and right?
                    The fact that you haven't been killed despite never using a seatbelt doesn't mean that seatbelts are useless. Same thing applies here. That maybe 3 million mostly tech savvy users don't compare to about 100 million far less tech savvy MacOS users or the 1.4 billion active Windows devices out there. Threat actors aren't idiots. They're not going to step over dimes to pick up pennies like that.

                    And since you have no answers as to why these Xorg vulnerabilities have never been attended to earlier, here's my answer: they are inconsequential and not vulnerabilities per se.
                    Aah yes. All the conclusions of the security reviews, CVE's, the successful proof-of-concept exploits and the overall consensus that X.org needs to go are "inconsequential" and "not vulnerabilities per se" because you can totally replace something like X.org without breaking massive amounts of things in a heartbeat. Oh and with something everyone agrees on immediately rather than having another standards war.

                    Your reasoning is so elaborate and difficult to apply to the situation and I am so exhausted by you trying to bend reality such a way as to portray Xorg as being "insecure" only (!) recently, I'm done with this discussion for real.
                    Only recently? You're the only one who's been claiming that this is only a recent discovery and not something that's been clear for 20 years. The initial release of Wayland was 15 years ago. Look it up if you don't believe me. Only now has it received the kind of support and acceptance that its finally making real headway due to contrarians like you insisting that unless something is being maliciously exploited, those vulnerabilities don't exist despite working proofs of concept. CVE's, security review conclusions and temporary bugfixes be damned.

                    You yourself brought up Mir and its failure to gain users. You admit it's a large undertaking with an unsure rate of success. One I have to point out has the chance of breaking a lot of things, which people absolutely hate, along with having to deal with contrarians like you insisting that structural level security vulnerabilities and exploits are completely fine and "not vulnerabilities per say" as long as they're not being used by malicious actors.

                    For Xorg to be hacked this way malware must already be running on your system. However if it's running under your user account, Wayland's security is void and null as well. Oh, boy.
                    Yes, oh boy. You're clearly still living in the 90s and very early 2000s when exploits were still using single points of failure to do everything. Well here in the 2020s they're now almost always chains of exploits providing them with things like arbitrary code execution, privilege escalation and file access. All of which are things X.org exploits have a long history with. Thankfully they've all been created by non-malicious actors and ones who can't be bothered with the comparatively pitiful userbase compared to MacOS and especially Windows.

                    You clearly seem to think you're talking from a position of authority. However in reality you don't have one. You're just some random faceless schmuck on the internet. Just like me.



                    • L_A_G

                      I'm no longer interested in debating with you because just like I said earlier you ignore my arguments and talk about something completely orthogonal.

                      I say the X11 protocol has been "vulnerable" for over 35 years now, you're talking about "you don't understand security and vulnerabilities". I do. That's my job. My company has at the very least a dozen known vulnerabilities for our website which we don't fix because they are largely theoretical or inconsequential and have not been exploited either on our website or any other website on the net. In fact companies like Google, Microsoft and even major banks have the same known vulnerabilities unfixed.

                      You ignore the history of X11, you ignore zero known malware samples abusing the X11 protocol, you ignore Mir which also solved Xorg's insecurity over a decade ago but was shrugged off for unknown reasons, you ignore the fact that in order to abuse X11 you need to have a foothold on a computer which renders Wayland security void and null, you ignore security industry best practices, basically "an incognito "security" expert on Phoronix". You're not. And I will simply ignore you. I want my arguments being answered not in generic terms or "you don't understand something" but by solid facts. And you've got none. Assumptions at best. Largely empty though.

                      Goodbye.
                      Last edited by avis; 22 February 2024, 02:21 PM.
