On their github you can see all three changes identical to x.org&#x27;s happened on October 28th (same day as the advisory). So, they were not already fixed, but the fixes were applied immediately.

The problem with XLibre is political, not technical. When they came out they made a big deal of being the anti-woke free-speech no-vaccine-mandate alternative to woke cancel-culture Xorg, which instantly ruined their reputation before it even began.

XLibre looks nice with lots of work happening in only 5mo.

I bet you are the life of the party. Seriously though, what makes you write that so matter of factly?

That project is a pipe dream. They don&#x27;t have what it takes to continue X11 alive once X.Org pulls the plug.

no the primary cause was that the main xorg project wasn&#x27;t accepting the devs patches any more.

On the github, he points to this document:<a href="https:&#x2F;&#x2F;github.com&#x2F;X11Libre&#x2F;xserver&#x2F;blob&#x2F;master&#x2F;HISTORY.md" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;X11Libre&#x2F;xserver&#x2F;blob&#x2F;master&#x2F;HISTORY.md</a>Doesn&#x27;t mention &quot;woke&quot; but the style is reminiscent to me from grandiosity&#x2F;paranoia issues

That&#x27;s the fork where the primary cause was to be &quot;anti-woke&quot;, right? Honestly it seemed like it was just because that one guy was a little unbalanced, and he happened to be channeling that energy into an X server fork.

Wonder how these play out against the <a href="https:&#x2F;&#x2F;github.com&#x2F;X11Libre&#x2F;xserver" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;X11Libre&#x2F;xserver</a> base, would be interesting to hear from that end as to how these things are handled. My understanding is that they address any sec issues that arise on x.org but it would be fascinating if the issues are already mitigated since XLibre updated their xserver port with 1000s of issues that were never addressed on the x.org side of things.

Why do people keep persisting this myth? X11 has authentication. You can either rely on filesystem permissions, or a shared secret. The same way thousands of other network servers work.Any program you run on a computer (especially a Linux computer, which lacks modern OS security measures and has constant privesc kernel holes) exposes you to security flaws. There has yet to be any computer system designed that a hacker can&#x27;t break out of. If you intentionally download and execute a program, you are rolling the dice, regardless of what the software is.What&#x27;s insane about all these discussions is that NOBODY IS HACKING X SERVERS. There&#x27;s a thousand other kinds of software on Linux that there is real malware for. But nobody is trying to hijack your X11 session. This imagined threat is a red herring designed to bolster the argument for Wayland&#x27;s horrible designs.

X11 had the distinction between trusted and untrusted X11 clients basically forever. But nobody bothered to even spend the minimal amount of work to make this usable in practice^1.
 This had two reasons: 1.) It is irrelevant when you run the programs as the same user so nobody bothered (and no: Wayland does not help: <a href="https:&#x2F;&#x2F;github.com&#x2F;Aishou&#x2F;wayland-keylogger" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;Aishou&#x2F;wayland-keylogger</a>) 2.) It is more fun to simply pretend it is unfixable broken and write something new (something any good engineering manager should have stopped immediately).¹. I used to use this and also fixed some bugs in some programs. The main problem when I last checked a decade ag was that some important extensions such as composite would need to be exposed to untrusted clients.

Solaris had Trusted Extensions for X11 which shipped with Trusted Solaris 8.In 2000.Solaris 10 had it built into the base OS and integrated into both the CDE and GNOME desktops they shipped. With OpenSolaris it was released as open source under the non-GNU CDDL license.In November 2006.Wayland was started in 2008.

I don&#x27;t think I&#x27;ve seen X configured to run as root in probably 15 years. If anybody still does anything like that, they&#x27;re literally asking for it.

Digging deeper there are mechanisms for long time on internal X side (see <a href="https:&#x2F;&#x2F;www.x.org&#x2F;releases&#x2F;X11R7.6&#x2F;doc&#x2F;xorg-docs&#x2F;specs&#x2F;Xserver&#x2F;XACE-Spec.html" rel="nofollow">https:&#x2F;&#x2F;www.x.org&#x2F;releases&#x2F;X11R7.6&#x2F;doc&#x2F;xorg-docs&#x2F;specs&#x2F;Xserv...</a> ) - granted never seen it practically implemented.And going to rabbit hole there are even proof of concept security implementation named Xnamespace for Xorg fork (needs polishing and much more patches but looks doable. see wip documentation: <a href="https:&#x2F;&#x2F;raw.githubusercontent.com&#x2F;X11Libre&#x2F;xserver&#x2F;d2b60a3d6c753fa4dd43b4ffd84a8ec49d44912f&#x2F;doc&#x2F;Xnamespace.md" rel="nofollow">https:&#x2F;&#x2F;raw.githubusercontent.com&#x2F;X11Libre&#x2F;xserver&#x2F;d2b60a3d6...</a> )

&gt; X11&#x27;s practical absence of any security mechanisms for user sessions means you should probably not run any kind of low-trust UI programThis has nothing to do with X11 or even UI at all. You should not run any low-trust program whatsoever (outside of a container). Any program that runs as your user can change your ~&#x2F;.bashrc or any other file on your homedir.Of course this is a feature that you want, for example when you edit these files with a text editor.

Any application can literally log EVERYTHING! It&#x27;s good to see wayland getting better everyday

There are plenty of setups where the X server runs at higher privileges&#x2F;on a different host than the (partially trusted) application that might exploit the X server. This is a classic elevation of privileges vulnerability in those setups.X11&#x27;s practical absence of any security mechanisms for user sessions means you should probably not run any kind of low-trust UI program anyway, as there is no prevention of keystroke injection or screen recording, but that&#x27;s a design flaw that will never be solved. That doesn&#x27;t mean that EoP style attacks like these should be ignored or underestimated, though.

Keith Packard, another legend, was proposing X11 improvements in 2018. [0] He doesn&#x27;t seem to be paid to work in X11 or Wayland, thus being free to float ideas he likes.[0] <a href="https:&#x2F;&#x2F;keithp.com&#x2F;x-ideas&#x2F;" rel="nofollow">https:&#x2F;&#x2F;keithp.com&#x2F;x-ideas&#x2F;</a>

Some oldschool legends are still fixing bugs in xorg.Alan Coopersmith in particular. He even fixed a bug I reported. :)(I forgot in which app it was but the bug report should be somewhere still; it is not old, perhaps 2 years ago or 3 years ago. The xorg app in question behaved oddly when doing &quot;--version&quot;. I only noticed
this because I wrote a ruby script that displays which version of programs are
installed, and that one kept on making problems, whereas the others worked 
fine. After I reported it, Alan fixed this very quickly. I think it was some
missing flag in the C program or something like that; right now I can not 
remember the name of the program ... my brain tries to say xrandr but I think
it was not xrandr but a less frequently used program somewhere in the FTP 
listing ...)

&gt; Bonus points if you have any Tcl&#x2F;Tk apps running, where you can simply transmit commands for the program to run via the X server.Back in 1996 the level of X integration in Tk was awesome; I had a shell tool that could make Netscape do stuff by firing MIT magic cookies at it.In a contemporary setting, it&#x27;s pretty horrifying.

These are all &quot;no way to prevent this, say users of only language where this regularly happens&quot; type problems though.The send command in Tk is lel, but can easily be effectively closed by rebinding it to a no-op.

You do realize that your web browser is executing code feeded by remote servers (RCE). But it is important to fix the windowing system. &#x2F;s

Good that people are finding and fixing these, but basically allowing any untrusted client to talk to your X server is asking for trouble just by design. (Bonus points if you have any Tcl&#x2F;Tk apps running, where you can simply transmit commands for the program to run via the X server.)

&gt; I think the short story is that the people who develop Wayland are the people who used to develop Xorg.They certainly say that to people a lot. Oftentimes the person saying it is young enough that I wonder how much time they spent working on X.

I think the short story is that the people who develop Wayland are the people who used to develop Xorg.And they’d rather spend their energy on giving you a compelling reason to switch, rather than using it to add to the reasons for staying on a project they now consider obsolete.You may disagree with their assessment, but you can’t blame them for how they decide to prioritize.

Coverity is pretty good about finding these kinds of bugs. Is there a reason why a project as significant as Xorg isn&#x27;t taking advantage of their gratis access for that tool?

Graphics is the reason Linux got over 1% desktop market share. When you have a problematic piece of hardware, sure, it sucks. But most setups will run Steam games near native quality out of the box. I&#x27;d blame the hardware not Linux.

Xorg is indeed a lot of painful complexity. This being said, the software is not Linux specific, and for modern Linux distributions, it is more and more a legacy technology.

Nobody expects the Linux distribution!

Our chief pain is graphics... graphics and audio... audio and graphics... our two pains are audio and graphics... and wifi hardware support... Our three pains are audio, graphics, and wifi hardware support, and an almost fanatical devotion to the command line.... Our four... no... Amongst our pains... are such elements as graphics, audio.... I&#x27;ll come in again.

The main pain in linux is graphics. It&#x27;s a shame.

By my reading, it would have prevented all of them.

&gt; Fil-C doesn&#x27;t provably prevent anything.It does. I have lots of documentation to show exactly how and why.&gt; It is a hobby project by a dilettante.Wow

&gt; It is a hobby project by a dilettante.You could say the same about thousands of open source projects on which trillion dollar companies depend on. Maybe these kind souls deserve more respect, buddy.

One of the use-cases of Fil-C is to prevent security issues in old C code that&#x27;s much older than Fil-C itself.

&gt; Probably not seeing how the code for at least the 3rd was written in 1994, some 30 years before Fil-C existed.How is this possibly the most charitable reading of parents comment, and honestly, do you think that&#x27;s what they meant? You can&#x27;t read that in some other way, where maybe parent wasn&#x27;t actually asking about time traveling but something else?

Would Fil-C have prevented the first or third?

Considering how nicely Weston with SW rendering runs in Fil-C, I bet that the X server will run fine in Fil-C, too.Fil-C exhibits the lowest overhead in code that spends its time on primitive bits.Fil-C exhibits the highest overhead in code that chases pointers.I&#x27;m assuming X is the former. Weston seems to be.

Ah forgot about that. Didn&#x27;t think it&#x27;d predate x.org

It was from x.com in the late 90s, merged with PayPal, Elon took the domain with him.

How did Twitter get away with taking X.com?If it was the other way around, would an open source or whatever project have been able to take Twitter.org?

_Roughtly_ speaking, X11 is only there for old games and the steam client. It is even worse with the steam client since the main executable in still 32bits.

X.org Security Advisory: multiple security issues X.Org X server and Xwayland