X.Org Libraries Hit By Round Of Security Issues


  • #11
    Originally posted by duby229 View Post
    And like I said in other threads, at least these vulnerabilities are being announced at all. If this were proprietary software they would have been patched in the current code, ignored in older code and never mentioned to anyone.

    The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.
    Since we know the name of the patcher, it's not a big deal to just watch the source repo for any of his recent commits and just apply them to individual distros' X server (or your own X server source tree if you want to get the fixes immediately). Another reason I like running Arch (or Gentoo): faster security fixes, no need to backport to older versions, just load up the new x.y.z+1 release.
    All opinions are my own not those of my employer if you know who they are.
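The workflow suggested in the reply above (watch the upstream repo for the patcher's commits and carry them into your own tree) as an added example; this is not code from the thread or from X.Org. It assumes a local clone of the upstream repository and takes the author name, cut-off date and output directory as parameters; the demo repository it builds, including the author names and commit subjects, is constructed data. Two caveats a practitioner should keep in mind: filtering by author also pulls in commits that are not security fixes, so cross-check against the commit list in the advisory, and you are trusting the integrity of whatever clone you fetched, so prefer signed tags or releases where the project provides them.

```shell
#!/bin/sh
# Added example (not from the thread or from X.Org): export one maintainer's
# recent commits from a local clone as numbered patch files that `git am`
# can apply to your own tree. Repository path, author name and dates are
# placeholders; the demo repo built below is constructed data.
set -eu

# export_author_patches REPO AUTHOR SINCE OUTDIR
# Writes one numbered .patch per commit whose author matches AUTHOR and whose
# commit date is newer than SINCE, oldest first so they apply in order, then
# prints how many patches were written.
export_author_patches() {
    repo=$1 author=$2 since=$3 outdir=$4
    mkdir -p "$outdir"
    n=1
    # %H prints the full commit hash; --reverse yields the oldest commit first.
    git -C "$repo" log --reverse --format=%H --author="$author" --since="$since" |
    while read -r sha; do
        git -C "$repo" format-patch -1 --start-number "$n" -o "$outdir" "$sha" >/dev/null
        n=$((n + 1))
    done
    set -- "$outdir"/*.patch
    if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}

# _commit REPO AUTHOR DATE FILE MESSAGE: one-file commit with fixed dates so
# that --since filtering in the demo is deterministic.
_commit() {
    repo=$1 author=$2 date=$3 file=$4 msg=$5
    printf '%s\n' "$msg" > "$repo/$file"
    git -C "$repo" add "$file"
    GIT_AUTHOR_DATE="$date" GIT_COMMITTER_DATE="$date" \
        git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --author="$author" -m "$msg"
}

# make_demo_repo: throwaway clone (constructed data) with one old fix by the
# maintainer, one unrelated commit by someone else and two recent fixes by
# the maintainer. Prints the repo path.
make_demo_repo() {
    d=$(mktemp -d)
    git -C "$d" init -q 2>/dev/null
    _commit "$d" "Security Fixer <fixer@example.invalid>" "2001-01-01T00:00:00" old.c "Old fix"
    _commit "$d" "Other Dev <other@example.invalid>" "2013-05-22T00:00:00" feat.c "Unrelated feature"
    _commit "$d" "Security Fixer <fixer@example.invalid>" "2013-05-23T00:00:00" lib1.c "Fix integer overflow"
    _commit "$d" "Security Fixer <fixer@example.invalid>" "2013-05-24T00:00:00" lib2.c "Fix buffer overflow"
    echo "$d"
}

# Stand-alone demo: sh export_patches.sh --demo
if [ "${1:-}" = "--demo" ]; then
    repo=$(make_demo_repo)
    out=$(mktemp -d)
    echo "wrote $(export_author_patches "$repo" "Security Fixer" "2013-05-01" "$out") patches to $out"
    ls "$out"
fi
```

Against a real clone you would call `export_author_patches /path/to/clone 'Maintainer Name' 2013-05-01 ./patches` and then `git am ./patches/*.patch` in your own tree (or `patch -p1 < file` if the tree is not a git checkout). The old commit and the other author's commit are excluded, so only the two recent fixes come out, numbered 0001 and 0002.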



    • #12
      Originally posted by curaga View Post
      I think the news here is that X has an active security team
      Er yeah, between RHEL, SUSE, Debian, Solaris, the BSDs etc, that's fairly well covered ...



      • #13
        Originally posted by duby229 View Post
        The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.
        We tried to give the good guys a two week head start over the bad guys, by sending the advisory draft and proposed patches to the distros @ openwall list before the advisory went public. There is no perfect solution here, and a lot of the current structure relies on good faith, but it's better than doing nothing.

        And while there's a massive pile of patches here, it's not that massive of a hole - the primary risk is if you have users on your Linux/Unix box that you trust to run programs but not to have root on the box. This isn't an "anyone who can open a TCP connection to your box owns you now" sort of hole (at least not in any scenario we've thought of - unfortunately with lower-level library code, we don't know all the ways programs may be using it).



        • #14
          Originally posted by BO$$ View Post
          Arch? Gentoo? Hard sell to people who don't see the OS as an end in itself.
          I just use Arch so that I don't have to deal with reinstallations / worrying "Did I get the most recent update?" Also the AUR is a nice touch for loading basically any app I want, and keeping them updated fairly automatically. Gentoo though, I agree, that's more of an "OS as the end unto itself".
          All opinions are my own not those of my employer if you know who they are.



          • #15
            Originally posted by BO$$ View Post
            Arch? Gentoo? Hard sell to people who don't see the OS as an end in itself.
            Yes, but alternatively, consider Ubuntu: I'm running a two-year old installation and will never see these (or any other) patches.

            But it is true that you get what you pay for.



            • #16
              Kill X with fire and focus the same amount of effort in making Wayland a reality. How many man-years are wasted on patching up X, which is a technology dating back as long as most people here have been alive?

              After the worst legacy stack (X) is replaced, maybe the community can get together and write a replacement for glibc, which is by this point the second most legacy & defect-by-design stack in use almost everywhere.



              • #17
                Running Debian Squeeze (oldstable) and they were available pretty quick.

                @varikonniemi: Consider this comment (quoted without attribution in van Sprundel's presentation), and then consider that Wayland uses XKB, as do so many new projects:
                Shoot me now. And then shoot Daniels for not freeing us from XKB yet.
                And then shoot anyone who volunteers to try to fix XKB, before it's too late for them too.



                • #18
                  Originally posted by varikonniemi View Post
                  Kill X with fire and focus the same amount of effort in making Wayland a reality. How many man-years are wasted on patching up X, which is a technology dating back as long as most people here have been alive?

                  After the worst legacy stack (x) is replaced, maybe the community can get together and write a replacement for glibc, which is by this point the second most legacy&defect by design stack in use almost everywhere.
                  To get an idea of the difficulty involved in replacing X, imagine a country deciding that petrol-powered cars are crappy and they need replacing with electric cars ASAP. Furthermore, all servicing/repairs of petrol-powered cars is to stop so that those same efforts can be applied to electric cars. There's so much infrastructure and dependence on petrol cars (X) that even if a massive amount of time and effort was suddenly thrown into Wayland it would still be a very long time before it could be a practical default. And in the meantime everybody would still need X. The Wayland FAQ even acknowledges that X isn't going anywhere anytime soon ("Is wayland replacing the X server?").

                  It may be old technology, but it's technology that's used by everybody running a GUI on Linux, BSD or Solaris.



                  • #19
                    Somewhat of a lacking analogy, since gasoline cars cannot be run on electricity just by "figuring out an e->g converter". X on Wayland is working pretty well in this day and age. Imagine what it could have been already, if Wayland actually had a team of dedicated developers as opposed to a few talents making it happen?

                    It sounds like Wayland needed the manpower of Ubuntu. Am I entirely misinformed if I say there are fewer than 5 people working full-time on Wayland? That is like what you find in a mediocre iOS game development team. And here we are talking about making the next-gen Linux display server. It sounds really pathetic, yet one has to admire the technology they come up with. It takes a frickin' long time, but at least it is done right.



                    • #20
                      Did you just compare X devs to fart app developers :P
