Bonum Certa Men Certa

Phoronix Keeps Exaggerating the Severity of X11 Bugs to Promote Wayland, Which is Unfit for Consumption

posted by Roy Schestowitz on Oct 06, 2023

Ladybug Cartoon

Reprinted with permission from Ryan Farmer.

I just got the X11 security updates for CVEs that were recently patched.

“Microsoft Larabel” over at “Moronix” (Phoronix), has been a foaming-at-the-mouth promoter of IBM Wayland ever since 2008 when the idea was announced.

Since Wayland still has at least 50 major problems when KDE 5.27.x LTS runs on it, I can’t switch from X11 right now, and that’s fine with me.

I’ve blogged before, huge blog posts, about how much I despise Wayland. It’s nothing but trouble even under GNOME, which has the most support for it.

(It causes X11 applications, including Windows programs in Wine, to have serious problems up to and including crashing, but usually just performing worse. X11 applications are still the overwhelming majority.)

Promoting something that’s both problematic and unfinished after 15 years and so badly specced out that common use cases are missing and everyone who points it out gets personal invective insults and FUD coming from a general IBM direction, is unacceptable.

Fortunately, the Xorg Server still works fine.

But, Microsoft Larabel and others went off the rail exaggerating the relevance of some recent security flaws.

Alan Coopersmith of Oracle fixed these flaws quickly, and rather well (he patched the X Server to not take corrupt input like that and do something with it anymore, and also the component that was sending the corrupt input so that it wouldn’t do that), and Debian pushed out the updated components today. I installed them immediately and rebooted my laptop.

There’s no way to secure any software that does anything non-trivial. There’s just not. Even this Rust nonsense has had a lot of emergency updates that have broken things.

If you like rewriting your software constantly because they didn’t standardize on anything, make promises, and make sure it worked before the specification was frozen, then Rust is for you. Unfortunately, this is “modern”.

X11 goes back nearly 40 years and is therefore “not modern”.

That’s a problem to these people. Actually supporting something (including the mistakes) and just fixing what’s actually impossible to live with, is “bad”.

That’s their attitude towards everything from programming languages like Rust and Python (which are horrible….people are STILL trying to move from Python 2 even though it’s been unsupported for years….it just adds negative work when they break things), to glibc (Hello DT_GNU_HASH! Let’s just drop DT_HASH with no warning even though they could live together for a while with a notice to developers!), to Wayland.

Why support something when you can just break it all the time and force everyone into this “It’s IBM’s world and you just live in it.” concept?

Rational person that I am, I hail from a time when people were just crazy and wanted their computer to work, so I installed the security updates and now I’m running the improved version of the software that can’t be attacked with those bugs anymore.

They act like Xorg only needs security updates, like all software does, because it’s old.

I wonder what the position on Web browsers, like Chrome and Firefox, where every update is an emergency and every emergency update, monthly, rolls at least 20 CVEs.

By far, the most dangerous application on your computer, is the Web browser you’re reading this in right now. Nobody wants to make that better. Everyone is making that big shitpile higher. Yet, security posers, including Matthew Garrett say that the Web browser is by far the safest way to run “untrusted code”. It’s actually not.

The safest way to run untrusted code is to not run untrusted code. For the most part, I don’t even run JavaScript if there’s any possible way to avoid doing it. Much less WebMs and WebGL, and all of this other garbage they’re dumping on us that’s full of bugs and can never, ever, be made secure.

Unfortunately, the enemies of Free Software throw around the word “trust” and use it wrongly, use it in bogus ways, corrupt the very meaning of the word, intentionally, to promote Microsoft locking down your computer to impose DRM and trap you on Windows.

Trusted code is an application I can verify the authenticity of, from my Linux distribution’s repo or another verified source, and we’ve had the ability to run this code on Linux distributions for decades now. Windows, which “Secure Boot” is designed to trap people on, doesn’t even do this. Get a file from some random site that’s loaded with spyware, and play the “anti-virus guessing game”.

Being trapped on an OS with no concept of security, that was basically designed like this and can’t be fixed without making the OS so terrible that nobody would want to use it (Windows “S Mode”), is not a solution.

Maybe if Web browsers from Google and Mozilla were just a dumb window server from 1984 instead of Google and Mozilla shitting all over the Internet and turning it into Orwell’s 1984, things would get better on the Web browser front.

If your argument is that a lot of these bugs go back to 1988 or 1998, yeah they do.

If this is your argument, then you should try Windows sometime. Tavis Ormandy alone keeps identifying CVEs that go back into the early 90s Windows NT releases and are still in Windows 10 and 11.

There’s a lot of old rotting code in Windows like this, and Microsoft frequently doesn’t act on private reports, for over a year, and then scrambles after the security researchers publicly out them, and then complain about how unfair it is to put them on the spot like that. As if they had been blindsided and not given months or a year to fix it.

Again, tell me how X11 is somehow special. Find a bug, squash a bug, apply the update.

Same as any other software.

Other Recent Techrights' Posts

Microsoft-Connected Sites Trying to Shift Attention Away From Microsoft's Megebreach Only Days Before Important If Not Unprecedented Grilling by the US Government?
Why does the mainstream media not entertain the possibility a lot of these talking points are directed out of Redmond?
[Video] 'Late Stage Capitalism': Microsoft as an Elaborate Ponzi Scheme (Faking 'Demand' While Portraying the Fraud as an Act of Generosity and Demanding Bailouts)
Being able to express or explain the facts isn't easy because of the buzzwords
Microsoft ("a Dying Megacorporation that Does Not Create") and IBM: An Era of Dying Giants With Leadership Deficits and Corporate Bailouts (Subsidies From Taxpayers)
Microsoft seems to be resorting to lots of bribes and chasing of bailouts (i.e. money from taxpayers worldwide)
 
Windows in Lebanon: Down to 12%?
latest from statCounter
Links 18/05/2024: Caledonia Emergency Powers, "UK Prosecutor's Office Went Too Far in the Assange Case"
Links for the day
US Patent and Trademark Office Sends Out a Warning to People Who Do Not Use Microsoft's Proprietary Formats
They're punishing people who wish to use open formats
Links 18/05/2024: Fury in Microsoft Over Studio Shutdowns, More Gaming Layoffs
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, May 17, 2024
IRC logs for Friday, May 17, 2024
Links 18/05/2024: KOReader, Benben v0.5.0 Progress Update, and More
Links for the day
[Meme] UEFI 'Secure' Boot Boiling Frog
UEFI 'Secure' Boot: You can just ignore it. You can just turn it off. You can hack on it as a workaround. Just use Windows dammit!
The Market Wants to Delete Windows and Install GNU/Linux, UEFI 'Secure' Boot Must Go!
To be very clear, this has nothing to do with security and those who insist that it is have absolutely no credentials
In the United States Of America the Estimated Share of Google Search Grew After Microsoft's Chatbot Hype (Which Coincided With Mass Layoffs at Bing)
Microsoft's chatbot hype started in late 2022
Techrights Will Categorically Object to Any Attempts to Deny Its Right to Publish Informative, Factual Material
we'll continue to publish about 20 pages per day while challenging censorship attempts
Links 17/05/2024: Microsoft Masks Layoffs With Return-to-office (RTO) Mandates, More YouTube Censorship
Links for the day
YouTube Progresses to the Next Level
YouTube is a ticking time bomb
Journalists and Human Rights Groups Back Julian Assange Ahead of Monday's Likely Very Final Decision
From the past 24 hours...
[Meme] George Washington and the Bill of Rights
Centuries have passed since the days of George Washington, but the principles are still the same
Daniel Pocock: "I've Gone to Some Lengths to Demonstrate How Corporate Bad Actors Have Used Amateur-hour Codes of Conduct to Push Volunteers Into Modern Slavery"
"As David explains, the Codes of Conduct should work the other way around to regulate the poor behavior of corporations who have been far too close to the Debian Suicide Cluster."
Video of Richard Stallman's Talk From Four Weeks Ago
2-hour video of Richard Stallman speaking less than a month ago
statCounter Says Twitter/X Share in Russia Fell From 23% to 2.3% in 3 Years
it seems like YouTube gained a lot
Journalist Who Won Awards for His Coverage of the Julian Assange Ordeals Excluded and Denied Access to Final Hearing
One can speculate about the true reason/s
Richard Stallman's Talk, Scheduled for Two Days Ago, Was Not Canceled But Really Delayed
American in Paris
3 More Weeks for Daniel Pocock's Campaign to Win a Seat in European Parliament Elections
Friday 3 weeks from now is polling day
Microsoft Should Have Been Fined and Sanctioned Over UEFI 'Lockout' (Locking GNU/Linux Out of New PCs)
Why did that not happen?
Gemini Links 16/05/2024: Microsoft Masks Layoffs With Return-to-office (RTO) Mandates, Cash Issues
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, May 16, 2024
IRC logs for Thursday, May 16, 2024
Ex-Red Hat CEO Paul Cormier Did Not Retire, He Just Left IBM/Red Hat a Month Ago (Ahead of Layoff Speculations)
Rather than retire he took a similar position at another company
Linux.com Made Its First 'Article' in Over and Month, It Was 10 Words in Total, and It's Not About Linux
play some 'webapp' and maybe get some digital 'certificate' for a meme like 'clown computing'
[Meme] Never Appease the Occupiers
Freedom requires truth. Free speech emancipates.
Thorny Issues, Violent Response
They say protests (or strikes) that do not disrupt anything are simply not effective. The same can be said about reporting.
GNU/Linux in Malaysia: From 0.2 Percent to 6+ Percent
That's like 30-fold increase in relative share
Liberty in Liberia? Windows Falls Below 10% and Below iOS
This is clearly a problem for Microsoft
Techrights Congratulates Raspberry Pi (With Caution and Reservations)
Raspberry Pi will "make or break" based on the decisions made in its boardroom
OSI Makes a Killing for Bill Gates and Microsoft (Plagiarism and GPL Violations Whitewashed and Openwashed)
meme and more
The FSF Ought to Protest Against UEFI 'Secure Boot' (Like It Used To)
libreplanet-discuss stuff
People Who Defend Richard Stallman's Right to Deliver Talks About His Work Are Subjected to Online Abuse and Censorship
Stallman video removed
GNU/Linux Grows in Denmark, But Much of That is ChromeOS, Which Means No Freedom
Google never designs operating systems with freedom in mind
Links 16/05/2024: Vehicles Lasting Fewer Years, Habitat Fragmentation Concerns
Links for the day
GNU/Linux Reaches 6.5% in Canada (Including ChromeOS), Based on statCounter
Not many news sites are left to cover this, let alone advocate for GNU/Linux
Links 16/05/2024: Orangutans as Political Props, VMware Calls Proprietary 'Free'
Links for the day
The Only Thing the So-called 'Hey Hi Revolution' Gave Microsoft is More Debt
Microsoft bailouts
TechTarget (and Computer Weekly et al): We Target 'Audiences' to Sell Your Products (Using Fake Articles and Surveillance)
It is a deeply rogue industry that's killing legitimate journalism by drowning out the signal (real journalism) with sponsored fodder
FUD Alert: 2024 is Not 2011 and Ebury is Not "Linux"
We've seen Microsofers (actual Microsoft employees) putting in a lot of effort to shift the heat to Linux
Links 15/05/2024: XBox Trouble, Slovakia PM Shot 5 Times
Links for the day
Windows in Times of Conflict
In pictures
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, May 15, 2024
IRC logs for Wednesday, May 15, 2024