On Tue, 05 Feb 2019 17:00:48 +0000 Chris Jones <[email protected]> wrote:
> p.s. Just to add some background, the issue here is not specific to
> MacOS. Indirect GLX is in general being disabled by default in more
> and more places, for security reasons. Plenty of discussions on the
> web about it, e.g.
>
> <https://www.phoronix.com/scan.php?page=news_item&px=Xorg-IGLX-Potential-Bye-Bye>

I found https://lwn.net/Articles/625199/ more enlightening.

What a crock. I understand shipping an OS with mail turned off, to let the administrator configure it before it's exposed to the Internet. I don't understand making X mysteriously less useful in the name of security.

10 years ago, we had to switch from ssh -X to ssh -Y for security reasons. "ssh -X" became mysteriously broken, and "ssh -Y" was the fix. So we run the same level of security using a different option, because that's the only practical solution. Lovely.

Turning off things like indirect GLX by default has the same effect. Nothing is made more secure for the user who turns it on. Anyone who needs it will find out in a mysterious way: the software stops working, weirdly, with no message to enable indirect GLX. The user is forced to dig through the X configuration docs -- or show up on lists like this one -- to get back to status quo ante.

For my money, none of the exploits cited in the LWN article justify inconveniencing a single user. No one runs X under the illusion that it's the very model of a modern secure system, and every noted problem is directly fixable by introducing guards to verify application-provided values. Disabling the feature without fixing the software smacks of officious bureaucracy; disabling the feature after fixing the software smacks of incompetent officious bureaucracy.

--jkl
