On Wed, Apr 05, 2006 at 11:00:16AM +0200, Moritz Muehlenhoff wrote:
> x11 isn't setuid at all. -sdl has a strong debconf warning, that setuid
> root is a risk (I guess it's used for DGA?) and the user can select it.
> Only svgalib is setuid root, but a system running svgalib apps in the year
> 2006 is lost security-wise anyway. We should rather get rid of it completely
> for Etch.

I think it is the opposite. -sdl is not installed setuid root, whereas -x11 asks the user if he wants to install it setuid to use the DGA extension. But the default answer is yes. -svga is always installed setuid root.

The Debian security FAQ says that non-free is not supported, and I understand why. But it also says that if it is fixable, an update can be made. There were (a few) non-free security updates in the past.

I see that Bruno is alive :) If he reviews my patch for Sarge and if the security buildds have CPU time available, is it possible to release an update? I can write a part of the DSA if you want.

Regards,
Pierre Riteau