Bonum Certa Men Certa

Phoronix Keeps Exaggerating the Severity of X11 Bugs to Promote Wayland, Which is Unfit for Consumption

posted by Roy Schestowitz on Oct 06, 2023

Ladybug Cartoon

Reprinted with permission from Ryan Farmer.

I just got the X11 security updates for CVEs that were recently patched.

“Microsoft Larabel” over at “Moronix” (Phoronix), has been a foaming-at-the-mouth promoter of IBM Wayland ever since 2008 when the idea was announced.

Since Wayland still has at least 50 major problems when KDE 5.27.x LTS runs on it, I can’t switch from X11 right now, and that’s fine with me.

I’ve blogged before, huge blog posts, about how much I despise Wayland. It’s nothing but trouble even under GNOME, which has the most support for it.

(It causes X11 applications, including Windows programs in Wine, to have serious problems up to and including crashing, but usually just performing worse. X11 applications are still the overwhelming majority.)

Promoting something that’s both problematic and unfinished after 15 years and so badly specced out that common use cases are missing and everyone who points it out gets personal invective insults and FUD coming from a general IBM direction, is unacceptable.

Fortunately, the Xorg Server still works fine.

But, Microsoft Larabel and others went off the rail exaggerating the relevance of some recent security flaws.

Alan Coopersmith of Oracle fixed these flaws quickly, and rather well (he patched the X Server to not take corrupt input like that and do something with it anymore, and also the component that was sending the corrupt input so that it wouldn’t do that), and Debian pushed out the updated components today. I installed them immediately and rebooted my laptop.

There’s no way to secure any software that does anything non-trivial. There’s just not. Even this Rust nonsense has had a lot of emergency updates that have broken things.

If you like rewriting your software constantly because they didn’t standardize on anything, make promises, and make sure it worked before the specification was frozen, then Rust is for you. Unfortunately, this is “modern”.

X11 goes back nearly 40 years and is therefore “not modern”.

That’s a problem to these people. Actually supporting something (including the mistakes) and just fixing what’s actually impossible to live with, is “bad”.

That’s their attitude towards everything from programming languages like Rust and Python (which are horrible….people are STILL trying to move from Python 2 even though it’s been unsupported for years….it just adds negative work when they break things), to glibc (Hello DT_GNU_HASH! Let’s just drop DT_HASH with no warning even though they could live together for a while with a notice to developers!), to Wayland.

Why support something when you can just break it all the time and force everyone into this “It’s IBM’s world and you just live in it.” concept?

Rational person that I am, I hail from a time when people were just crazy and wanted their computer to work, so I installed the security updates and now I’m running the improved version of the software that can’t be attacked with those bugs anymore.

They act like Xorg only needs security updates, like all software does, because it’s old.

I wonder what the position on Web browsers, like Chrome and Firefox, where every update is an emergency and every emergency update, monthly, rolls at least 20 CVEs.

By far, the most dangerous application on your computer, is the Web browser you’re reading this in right now. Nobody wants to make that better. Everyone is making that big shitpile higher. Yet, security posers, including Matthew Garrett say that the Web browser is by far the safest way to run “untrusted code”. It’s actually not.

The safest way to run untrusted code is to not run untrusted code. For the most part, I don’t even run JavaScript if there’s any possible way to avoid doing it. Much less WebMs and WebGL, and all of this other garbage they’re dumping on us that’s full of bugs and can never, ever, be made secure.

Unfortunately, the enemies of Free Software throw around the word “trust” and use it wrongly, use it in bogus ways, corrupt the very meaning of the word, intentionally, to promote Microsoft locking down your computer to impose DRM and trap you on Windows.

Trusted code is an application I can verify the authenticity of, from my Linux distribution’s repo or another verified source, and we’ve had the ability to run this code on Linux distributions for decades now. Windows, which “Secure Boot” is designed to trap people on, doesn’t even do this. Get a file from some random site that’s loaded with spyware, and play the “anti-virus guessing game”.

Being trapped on an OS with no concept of security, that was basically designed like this and can’t be fixed without making the OS so terrible that nobody would want to use it (Windows “S Mode”), is not a solution.

Maybe if Web browsers from Google and Mozilla were just a dumb window server from 1984 instead of Google and Mozilla shitting all over the Internet and turning it into Orwell’s 1984, things would get better on the Web browser front.

If your argument is that a lot of these bugs go back to 1988 or 1998, yeah they do.

If this is your argument, then you should try Windows sometime. Tavis Ormandy alone keeps identifying CVEs that go back into the early 90s Windows NT releases and are still in Windows 10 and 11.

There’s a lot of old rotting code in Windows like this, and Microsoft frequently doesn’t act on private reports, for over a year, and then scrambles after the security researchers publicly out them, and then complain about how unfair it is to put them on the spot like that. As if they had been blindsided and not given months or a year to fix it.

Again, tell me how X11 is somehow special. Find a bug, squash a bug, apply the update.

Same as any other software.

Other Recent Techrights' Posts

Throwing Money at Lawyers Can't Stop Us (It Never Did)
Even just trying to censor things can result in the opposite of the desired outcome
BetaNews Has More or Less Died After Experiments With LLM Slop, Is Linuxsecurity Next?
It doesn't seem like BetaNews knows what it's doing, let alone what it talks about
Links 13/06/2025: Journalists Targeted by Cracking, China-Japan and Israel-Iran Tensions Grow
Links for the day
 
Links 14/06/2025: FDA Changes Priorities, Cassette Data Storage From The 1970s
Links for the day
Gemini Links 14/06/2025: Steam Next Fest and Thoughts on Gemini
Links for the day
Site/Datacentre Maintenance Next Week
speed things up
Bulgaria: GNU/Linux Near 10%
The Bulgarian market seems to be changing
I Never Spoke to BetaNews. But BetaNews Wants to Ensure I Never Will, Either.
Sometimes just the reluctance to talk about it can say a great deal
Online Search or Large Search Engines Aren't Working Anymore
business models that directly compete with interests of Web users
Holidays and Breaks
I've hardly taken any long breaks since I got married
Danish OpenDocument Freedom
"year of Linux"
When Abusive Law Firms (Working for Microsofters Against Us) Assert That Someone Writing in Social Media About Himself is Confidential Information
There was no reason to throw "GDPR" into 2 SLAPPs; they know it, but the goal was to increase the cost of a Defence and lessen the incentive to challenge the SLAPPs
Links 14/06/2025: Wars and L.A. Distortion Effect
Links for the day
Gemini Links 14/06/2025: Historic Ada Design and GeminiSpace.Club to Expire
Links for the day
Links 14/06/2025: India Plane Crash and Middle-Eastern War
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, June 13, 2025
IRC logs for Friday, June 13, 2025
Gemini Links 13/06/2025: (Not)virtues and Project Yeet Broadband
Links for the day
Links 13/06/2025: US Reduces Nonessential Staff at Baghdad Embassy Ahead of Strikes in Iran, Invasion of California Debated
Links for the day
X11 is Free Software
Whether you agree (e.g. on politics) with the person/s forking it doesn't matter
The More Time Passes, the Better Our Advice on Social Control Media Seems
At the end of the day, any platform you do not control yourself is working for someone else
Twitter (X) is Dying, Now It's Just Like a Mafia-Type Operation of the Man Who Does Nazi Salutes in Public
a form of extortion
UK High Court Blasts Brett Wilson LLP for Misusing "GDPR" After Failed Efforts to Censor Critics Using 'Libel' Claims
No wonder this firm is rapidly shrinking
Recent Blunders in Microsoft GitHub (e.g. Slop-Generated Bug Reports or GPL Violations 'as a Service') Taking Their Toll?
Put bluntly, if you still use Microsoft GitHub, then you're slave to Microsoft
American Imperialism and Microsoft Plagiarism
Techrights will therefore do what Microsoft does not want it to do: it'll write even more about Microsoft
When They Have Nothing Left to Help Advance Abusive Litigation for Microsoft People... Other Than Throwing ~500 Pages of Someone Else's Work Into a PDF
Microsoft is having a very tough year
The Price of Exposing Corruption in Poland (and Elsewhere)
It's easier to participate in corruption than to merely do the right thing and oppose it
Slopwatch and Yet More Holes in 'Secure Boot' (as Usual!), Promoted Inside Linux by the Man We Are Suing
Today's Slopwatch will be short
Gemini Links 13/06/2025: People You've Left Behind, Life Update and OS Changes
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, June 12, 2025
IRC logs for Thursday, June 12, 2025
Links 12/06/2025: Portland Homeless Deaths Quadruple, COVID Cases Surge in Asia
Links for the day
Abuse Inside the Polish Patent Office (UPRP) - Part IX: Minimum Wages For You (Experienced Scientist), Alicante/EU Paydays For Me (Unproductive, Corrupt Official)
Does UPRP maladministration extend to the false belief that qualified and experienced scientists can play the role of circus clowns?
"The Liberating Power of Simply Telling People the Truth."
'polite' bullying
Who Imitates Who? Plagiarist as Client (From Microsoft), 'Plagiarism' at the Law Firm?
let's revisit the subject
EPO's Gareth Lord Asked About "Quality and Productivity" or, Put Another Way, Why the EPO Keeps Granting So Many Invalid/Illegal Patents
letter to Lord
EPO's Central Staff Committee (CSC) Scrutinises the Man Who Illegally Grants (and Forces Others to Illegally Participate in Granting) Software Patents in Europe
EPO compels examiners to break the law in the name of obeying illegal "rules" or "orders"
The Latest Rumour Says The Next (as Correctly Predicted Before) Wave of Layoffs at Microsoft is 3 Weeks Away, "Larger Than the First Wave"
Step 2
TV Licensing Used to SPAM Your Postbox, Now It Does the Same to E-mail
First they ask for your E-mail address; then they start nagging you via E-mail
The Toxic Playbook
Either you support Prince Mohammed bin Salman or you're a nazi
It's Possible That BetaNews Got Cracked, But Nobody Talks About It, The Site Contains an Outdated Old Image, No Activity
It's possible that they will never explain what happened to the site and users' accounts
Links 12/06/2025: Beach Boys’ Brian Wilson Dies
Links for the day
Gemini Links 12/06/2025: Video Game Diegesis and Steam Next Fest
Links for the day
Why the Militants Have Lost Every Battle Since 2022 (When Attacking My Wife and I in Various Ways, Even Attacking Our Employers)
This takes patience, sure, but at the end most evildoers face the consequences for their actions
Our Priority is Still Tackling Software Patents and Corruption in Patent Offices
Meanwhile we got compliments on our recent articles, which means that they are effective
Politics Will Impact Software Choices
Will those systems respect users' freedom?
EPO: Neglecting Children to Promote American Monopolies by Shielding Them From European Competition
Yesterday the Central Staff Committee at the EPO spoke about another "reform" at the Office
Slopwatch: Another Day, Another Slopfest, LLM Slop Scrapers Slow Down Our Site
We too have some slop issues; this past day this site and the sister site had to answer about 2.5 million requests (not counting Gemini Protocol) and it's slowing things down for everybody
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, June 11, 2025
IRC logs for Wednesday, June 11, 2025