Phoronix Keeps Exaggerating the Severity of X11 Bugs to Promote Wayland, Which is Unfit for Consumption
Reprinted with permission from Ryan Farmer.
I just got the X11 security updates for CVEs that were recently patched.
“Microsoft Larabel” over at “Moronix” (Phoronix), has been a foaming-at-the-mouth promoter of IBM Wayland ever since 2008 when the idea was announced.
Since Wayland still has at least 50 major problems when KDE 5.27.x LTS runs on it, I can’t switch from X11 right now, and that’s fine with me.
I’ve blogged before, huge blog posts, about how much I despise Wayland. It’s nothing but trouble even under GNOME, which has the most support for it.
(It causes X11 applications, including Windows programs in Wine, to have serious problems up to and including crashing, but usually just performing worse. X11 applications are still the overwhelming majority.)
Promoting something that’s both problematic and unfinished after 15 years and so badly specced out that common use cases are missing and everyone who points it out gets personal invective insults and FUD coming from a general IBM direction, is unacceptable.
Fortunately, the Xorg Server still works fine.
But, Microsoft Larabel and others went off the rail exaggerating the relevance of some recent security flaws.
Alan Coopersmith of Oracle fixed these flaws quickly, and rather well (he patched the X Server to not take corrupt input like that and do something with it anymore, and also the component that was sending the corrupt input so that it wouldn’t do that), and Debian pushed out the updated components today. I installed them immediately and rebooted my laptop.
There’s no way to secure any software that does anything non-trivial. There’s just not. Even this Rust nonsense has had a lot of emergency updates that have broken things.
If you like rewriting your software constantly because they didn’t standardize on anything, make promises, and make sure it worked before the specification was frozen, then Rust is for you. Unfortunately, this is “modern”.
X11 goes back nearly 40 years and is therefore “not modern”.
That’s a problem to these people. Actually supporting something (including the mistakes) and just fixing what’s actually impossible to live with, is “bad”.
That’s their attitude towards everything from programming languages like Rust and Python (which are horrible….people are STILL trying to move from Python 2 even though it’s been unsupported for years….it just adds negative work when they break things), to glibc (Hello DT_GNU_HASH! Let’s just drop DT_HASH with no warning even though they could live together for a while with a notice to developers!), to Wayland.
Why support something when you can just break it all the time and force everyone into this “It’s IBM’s world and you just live in it.” concept?
Rational person that I am, I hail from a time when people were just crazy and wanted their computer to work, so I installed the security updates and now I’m running the improved version of the software that can’t be attacked with those bugs anymore.
They act like Xorg only needs security updates, like all software does, because it’s old.
I wonder what the position on Web browsers, like Chrome and Firefox, where every update is an emergency and every emergency update, monthly, rolls at least 20 CVEs.
By far, the most dangerous application on your computer, is the Web browser you’re reading this in right now. Nobody wants to make that better. Everyone is making that big shitpile higher. Yet, security posers, including Matthew Garrett say that the Web browser is by far the safest way to run “untrusted code”. It’s actually not.
The safest way to run untrusted code is to not run untrusted code. For the most part, I don’t even run JavaScript if there’s any possible way to avoid doing it. Much less WebMs and WebGL, and all of this other garbage they’re dumping on us that’s full of bugs and can never, ever, be made secure.
Unfortunately, the enemies of Free Software throw around the word “trust” and use it wrongly, use it in bogus ways, corrupt the very meaning of the word, intentionally, to promote Microsoft locking down your computer to impose DRM and trap you on Windows.
Trusted code is an application I can verify the authenticity of, from my Linux distribution’s repo or another verified source, and we’ve had the ability to run this code on Linux distributions for decades now. Windows, which “Secure Boot” is designed to trap people on, doesn’t even do this. Get a file from some random site that’s loaded with spyware, and play the “anti-virus guessing game”.
Being trapped on an OS with no concept of security, that was basically designed like this and can’t be fixed without making the OS so terrible that nobody would want to use it (Windows “S Mode”), is not a solution.
Maybe if Web browsers from Google and Mozilla were just a dumb window server from 1984 instead of Google and Mozilla shitting all over the Internet and turning it into Orwell’s 1984, things would get better on the Web browser front.
If your argument is that a lot of these bugs go back to 1988 or 1998, yeah they do.
If this is your argument, then you should try Windows sometime. Tavis Ormandy alone keeps identifying CVEs that go back into the early 90s Windows NT releases and are still in Windows 10 and 11.
There’s a lot of old rotting code in Windows like this, and Microsoft frequently doesn’t act on private reports, for over a year, and then scrambles after the security researchers publicly out them, and then complain about how unfair it is to put them on the spot like that. As if they had been blindsided and not given months or a year to fix it.
Again, tell me how X11 is somehow special. Find a bug, squash a bug, apply the update.
Same as any other software. █