On Tue, 05 Feb 2019 23:50:59 +0000 Chris Jones <[email protected]> wrote:
> > I don't understand making X mysteriously less useful in the name of
> > security.
>
> You are clearly then not thinking like a system admin, for which
> security does come higher up the list than utility. More to the
> point, in a production environment you should never disregard clear
> security issues in the name of just making things a bit more
> convenient for users.

You're right, I'm not thinking like a sysadmin. I'm thinking like an ordinary user, someone who uses X and doesn't want to have to chase down problems with it introduced by people who think they know better. How many people running X11 on Apple have sysadmin support? As a percentage rounded to a whole number: 0.

In an environment where there is a sysadmin who's already investigated the issue, *he* can turn off interactive GLX by default, and enable it selectively. That's for him, not x.org, to decide.

> The point you appear to be missing is the majority of users do not
> need indirect glx

That minority is assuredly more than the number who have technical support competent to fix the problem.

How many X users are running on an insecure network? What material threat do they face?

For example, I run X only over ssh on a LAN. AFAIK the X server on my Macintosh does not listen on port 6000. An attacker would have to come through my firewall, log into the machine running my X client, and then mumble something to exploit faults in the indirect GLX implementation (which I'd like to think have been fixed by now, anyway). Do I understand that correctly?

If that happened, I can tell you the least of my worries would be my X server. If I thought it was going to happen, I'd do something technically secure instead, maybe quit programming and open a fruit stand.

> The issue is well documented and not hard to find.

I beg to differ.
The reported error was:

> > I receive two errors:
> >
> > `libGL error: No matching fbConfigs or visuals found`
> > `libGL error: failed to load driver: swrast`

Neither of which, by the way, appeared in the X environment. If the message had been, "Indirect GLX request made. This X server was configured without support for that feature. Use [whatever] to enable it, and see [URL] for a description of the security implications", then -- assuming "[whatever]" actually worked -- we wouldn't be having this conversation.

As it is, though, after researching this "well documented" problem the user had to ask here for the obscure solution you kindly provided. The people who decided to change the default did nothing to alert the user or provide guidance to unbreak their breakage. Thanks very much. Quite the brew of arrogance and paternalism, well intentioned or not.

--jkl
