Bonum Certa Men Certa

Phoronix Keeps Exaggerating the Severity of X11 Bugs to Promote Wayland, Which is Unfit for Consumption

posted by Roy Schestowitz on Oct 06, 2023

Ladybug Cartoon

Reprinted with permission from Ryan Farmer.

I just got the X11 security updates for CVEs that were recently patched.

“Microsoft Larabel” over at “Moronix” (Phoronix), has been a foaming-at-the-mouth promoter of IBM Wayland ever since 2008 when the idea was announced.

Since Wayland still has at least 50 major problems when KDE 5.27.x LTS runs on it, I can’t switch from X11 right now, and that’s fine with me.

I’ve blogged before, huge blog posts, about how much I despise Wayland. It’s nothing but trouble even under GNOME, which has the most support for it.

(It causes X11 applications, including Windows programs in Wine, to have serious problems up to and including crashing, but usually just performing worse. X11 applications are still the overwhelming majority.)

Promoting something that’s both problematic and unfinished after 15 years and so badly specced out that common use cases are missing and everyone who points it out gets personal invective insults and FUD coming from a general IBM direction, is unacceptable.

Fortunately, the Xorg Server still works fine.

But, Microsoft Larabel and others went off the rail exaggerating the relevance of some recent security flaws.

Alan Coopersmith of Oracle fixed these flaws quickly, and rather well (he patched the X Server to not take corrupt input like that and do something with it anymore, and also the component that was sending the corrupt input so that it wouldn’t do that), and Debian pushed out the updated components today. I installed them immediately and rebooted my laptop.

There’s no way to secure any software that does anything non-trivial. There’s just not. Even this Rust nonsense has had a lot of emergency updates that have broken things.

If you like rewriting your software constantly because they didn’t standardize on anything, make promises, and make sure it worked before the specification was frozen, then Rust is for you. Unfortunately, this is “modern”.

X11 goes back nearly 40 years and is therefore “not modern”.

That’s a problem to these people. Actually supporting something (including the mistakes) and just fixing what’s actually impossible to live with, is “bad”.

That’s their attitude towards everything from programming languages like Rust and Python (which are horrible….people are STILL trying to move from Python 2 even though it’s been unsupported for years….it just adds negative work when they break things), to glibc (Hello DT_GNU_HASH! Let’s just drop DT_HASH with no warning even though they could live together for a while with a notice to developers!), to Wayland.

Why support something when you can just break it all the time and force everyone into this “It’s IBM’s world and you just live in it.” concept?

Rational person that I am, I hail from a time when people were just crazy and wanted their computer to work, so I installed the security updates and now I’m running the improved version of the software that can’t be attacked with those bugs anymore.

They act like Xorg only needs security updates, like all software does, because it’s old.

I wonder what the position on Web browsers, like Chrome and Firefox, where every update is an emergency and every emergency update, monthly, rolls at least 20 CVEs.

By far, the most dangerous application on your computer, is the Web browser you’re reading this in right now. Nobody wants to make that better. Everyone is making that big shitpile higher. Yet, security posers, including Matthew Garrett say that the Web browser is by far the safest way to run “untrusted code”. It’s actually not.

The safest way to run untrusted code is to not run untrusted code. For the most part, I don’t even run JavaScript if there’s any possible way to avoid doing it. Much less WebMs and WebGL, and all of this other garbage they’re dumping on us that’s full of bugs and can never, ever, be made secure.

Unfortunately, the enemies of Free Software throw around the word “trust” and use it wrongly, use it in bogus ways, corrupt the very meaning of the word, intentionally, to promote Microsoft locking down your computer to impose DRM and trap you on Windows.

Trusted code is an application I can verify the authenticity of, from my Linux distribution’s repo or another verified source, and we’ve had the ability to run this code on Linux distributions for decades now. Windows, which “Secure Boot” is designed to trap people on, doesn’t even do this. Get a file from some random site that’s loaded with spyware, and play the “anti-virus guessing game”.

Being trapped on an OS with no concept of security, that was basically designed like this and can’t be fixed without making the OS so terrible that nobody would want to use it (Windows “S Mode”), is not a solution.

Maybe if Web browsers from Google and Mozilla were just a dumb window server from 1984 instead of Google and Mozilla shitting all over the Internet and turning it into Orwell’s 1984, things would get better on the Web browser front.

If your argument is that a lot of these bugs go back to 1988 or 1998, yeah they do.

If this is your argument, then you should try Windows sometime. Tavis Ormandy alone keeps identifying CVEs that go back into the early 90s Windows NT releases and are still in Windows 10 and 11.

There’s a lot of old rotting code in Windows like this, and Microsoft frequently doesn’t act on private reports, for over a year, and then scrambles after the security researchers publicly out them, and then complain about how unfair it is to put them on the spot like that. As if they had been blindsided and not given months or a year to fix it.

Again, tell me how X11 is somehow special. Find a bug, squash a bug, apply the update.

Same as any other software.

Other Recent Techrights' Posts

It's Hard to Trust People Who Worked - Not Only Those Who Still Work - at Microsoft
Bryan Lunduke is just what people would call an "arsehole of a person"
Links 06/07/2025: Climate Change and "The Right to Criticise"
Links for the day
The Mainstream Media Took 4 Days to Realise Microsoft Shut Down Its Operations in Pakistan and Fired Everybody
We estimate that Microsoft has had about 29,000 layoffs since January
“Twibel” Actions Against Comedians (and Why It's a Truly Low Blow)
they try to make up in quantities for a lack of merit or quality
 
Two Risks to Companies: The Microsoft Culture and the Microsoft Tools
Novell was killed by a form of "social engineering" by Microsoft
For the Second Time, Bryan Lunduke From Microsoft is Siccing Racist Trolls and Vandals at Me
You're only reinforcing the point we made yesterday
Links 06/07/2025: End to End Encryption at Risk, Reuters Twitter ("X") Account Withheld in India
Links for the day
Gemini Links 06/07/2025: Tinylog and Certification Rotation
Links for the day
PCLinuxOS Sites Coming Back, Gradually
let's just be patient
Social Control Media, Even If Based on Free Software, Still Has Many Problems
a distraction from what actually mattered and still matters
IBM is Not Your Master
IBM makes friends with people who exclude the majority of the population: women
Help Fund the Free Software Foundation (FSF)
If you have some dollars to spare, go support the FSF
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, July 05, 2025
IRC logs for Saturday, July 05, 2025
A Short History of Attacks on Techrights (and Boycott Novell Before That)
good opportunity to tell again the story of several (not all) attempts to silence us
Leadership in Free Software
Don't let IBM lead. It's a terrible flag bearer.
Linux Foundation Apparently Flirting With Slop (Marketing by LLM-Generated SPAM)
The Web is in a really bad state!
COVID-19 Sped Up Site Improvements in Techrights
A few months later we created our very own IRC network
Gemini Links 05/07/2025: Negative Questions and 'Touching Grass' (Going Outside)
Links for the day
Links 05/07/2025: Dalai Lama Succession as 90th Birthday Approaches, 40 deg C in China
Links for the day
Links 05/07/2025: Hungary and US Defecting to Russia, "Google's Hotseat Hypocrisy"
Links for the day
Gemini Links 05/07/2025: 4th of July 2025 and "Zig Roadmap 2026"
Links for the day
How to Combat the Exploitation and Abuse by Microsoft GitHub
Not to mention corruption and crimes against women
Bryan Lunduke is Actually Sending His Audience to Attack People
"[Lunduke] is actually sending his audience to attack people."
Even The Right Wing is Rejecting Bryan Lunduke
no wonder he became so irrelevant and marginal
Microsoft's MSN Helps Microsoft Spread Lies About the Layoffs' Scale (Well Over 25,000 People Laid Off This Year)
There seem to be monopolies on lies and on truth
The Death of X Has Been Greatly Exaggerated (by Compromised Media)
X.Org Server is alive and well
Rewriting Things in Rust
How far would you go?
In 2025 Everything is "AI". Remember Blockchains?
Talk about what companies and things (services, products, software) actually do, not the labels they use
Julian Assange Has Been Free for a Year
Julian Assange and I disagreed on some things
Monopolies and Scalping
Monopolies gravitate towards price hikes
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, July 04, 2025
IRC logs for Friday, July 04, 2025
Microsoft's August Layoffs Wave: "August is Confirmed for Additional Performance Based Cuts"
"August is confirmed for additional performance based cuts from the recent connects along with additional organizational cuts."
What Microsoft Reputation Laundering (With a Weaponised Law Degree) Looks Like in a Foreign Continent
You would expect this in uncivilised and primitive countries
Slopwatch: LLMs 'Write' Fake or Distorted 'News' About "Linux"
LLM slop disguised as news
Links 04/07/2025: Google Replaces the Web With Slop, "AI Might Kill Us All"
Links for the day
Gemini Links 04/07/2025: Mindfulness and F1
Links for the day
Weeks After Microsoft Bankruptcy in Russia the Company Shuts Down in Pakistan, Too
Last month Windows' share in Pakistan fell to an all-time low
Rob Musial's June 2025 Additions of Malware in Proprietary Software
Via the GNU Web site this week
Links 04/07/2025: Microsoft's H-1B Visa Applications Show Another Crisis Unfolding, Many More Deep Cuts and Shutdowns Revealed, Complete Microsoft Exits
Links for the day
Gemini Links 04/07/2025: A Day To Remember and "Stop Killing Games"
Links for the day
Crime and Corruption at Microsoft GitHub Cannot be Covered Up by SLAPPs in Another Continent
We'll write about this for a long time to come
Slop Videos Are Disappointing Garbage, Nothing New, Just Brute Force up on Display or a Pedestal of Slop
Slop videos aren't a new thing
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, July 03, 2025
IRC logs for Thursday, July 03, 2025
The War on Local Storage (People Hosting Their Files Locally and Privately)
There's nothing wrong with controlling one's computing
What Digital Independence Means
Independence in the digital realms means abandoning platforms like GitHub, not just rejecting proprietary software
NVidia is a Bubble
they temporarily see fortunes and wrongly assume perpetuity thereof
Fedora Does Not Care About Diversity and Inclusion, It's About Optics (Corporate Image)
any notion of inclusion is superficial and misleading
Don't Buy the Excuses for Microsoft's Mass Layoffs
Back in the 90s, Microsoft bought a lot of companies to get and stay ahead