He's bitching about a vulnerable in libcue, a library for using .cue files for CD ISOs, which is used by tracker-miner. The person who published it informed Gnome and the maintainer of libcue and libcue and tracker-miner were patched before the article even came out in October. Libcue at its negative index issue fixed and tracker-miner had it's sandbox improved.

Now it's just a matter of distributions providing updates for one or both packages. From what I can tell, the exploit has only been shown to work when downloading cue files.

KDE's focus is pretty much screwed as well. New windows keep appearing behind old ones. Had to disable some 'intelligent' focus steal option to make this work. These kind of defaults are insane. KDE also gets stuck every week. Mouse works, but nothing can be clicked. I usually fix this by logging in via ssh and restart the login manager.

wake me up when gnome finally add's vrr support after six years of nothing under wayland.

It's not that simple: https://medium.com/@fulalas/gnome-me...t-4e301032670c

It's pretty impressive that you were wrong on all three of your accusations. I applaud your consistency.

It is that simple. Use something else and stop making up shit. You blog sounds like a nut case when you call a non-profit foundation a company and pretend that they control libxml development. There is enough shitty bugs in every project without making up a dumb conspiracy about it.

Watch the PR yourself or stay asleep

Wether you call a nonprofit organization a foundation or company or corporation, it's all the same thing (https://en.m.wikipedia.org/wiki/Nonprofit_corporation).

That's because they do: https://gitlab.gnome.org/GNOME/libxml2

You should read the article, really. KDE has bugs, Xfce has bugs, Linux kernel has bugs. The article is not simply about bugs, but about GNOME's amateurism and arrogance and the impacts on all Linux distros, regardless if you use GNOME desktop environment or not.

It's not even a matter of my opinion. There are countless evidences and reports from many skilled people over the years.

Good article. And the rabbit hole of xdg-desktop-portal goes even further.
It's not just an application run as root that has problems... it's fundamentally impossible to run any application with any other user and communicate with the portal.
You want to run your browser as seperate user? Can't use the portal! Even thought that it is only the document portal with actual problems (can't hook into /proc/{pid}/root). And yes, there are pull requests to fix this or at least mitigate this, ignored by the Red Hat employees like usual when someone contributes something to a GNOME project.

Running something as different user is one of the most fundamental things in any unix like system. D-bus went out of their way to make it possible via policies. Pipewire can do it. And wayland can do it. All three of them running as user session under /var/run/{uid} per default, just like the portal. Not allowing it is a regression in security.

The only supported sanboxes are flatpak and snaps. And this is hardcoded. Nothing else will work.

You should try reading your link, calling a 501(c)(3) foundation a company is utter nonsense and is against IRS rules. Your link talks about a completely different kind of corporation. GNOME or KDE projects are governed by foundations. Learn the basics of what you are talking about.

No they don't. GNOME and KDE foundations do not control development at all. Read their charters.

I did. It's choke full of factual inaccuracies. I pointed out to two clear cut examples of them. If you aren't willing to care about the details, I won't bother engaging you any further. Feel free to continue pretending that some free software project is forcing you to use them.