Slashdot Mirror


Just-Announced X.Org Security Flaws Affect Code Dating Back To 1987

An anonymous reader writes: Some of the worst X.Org security issues were just publicized in an X.Org security advisory. The vulnerabilities deal with protocol handling issues, led to 12 CVEs being published, and affect X11 code dating back to 1987. Fixes for the X Server are temporarily available via this Git repository.

172 comments

  1. Wha?!?!!! by Anonymous Coward · · Score: 5, Funny

    It's open source! Surely dedicated multitudes of programmers have been dutifully poring over the code for decades, searching high and low for potential flaws because ... well, just because it's there! Surely!

    1. Re:Wha?!?!!! by Anonymous Coward · · Score: 4, Funny

      Because Xorg is beautifully programmed and easy to understand, so any programmer can quickly contribute to its code.

    2. Re:Wha?!?!!! by phantomfive · · Score: 4, Insightful

      It's open source! Surely dedicated multitudes of programmers have been dutifully poring over the code for decades, searching high and low for potential flaws because ... well, just because it's there! Surely!

      To be blunt, that's exactly why this was found. If it were closed source, the bugs would still be in there.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Wha?!?!!! by Anonymous Coward · · Score: 1

      To be blunt, the vulnerabilities were only disclosed so the finders could collect the bounty.

    4. Re:Wha?!?!!! by ArcadeMan · · Score: 2, Interesting

      To be blunt, it took over 26 years to find even with the source code and all the programmers on the planet who could look at it.

      If it were closed source, the bug probably wouldn't exist anymore because closed source probably doesn't keep using code that's two-and-a-half decades old. As examples, OS X has nothing from Mac OS classic and Windows 95 is long gone from modern Windows versions. Or at least I would hope so.

    5. Re:Wha?!?!!! by OzPeter · · Score: 1

      To be blunt, that's exactly why this was found. If it were closed source, the bugs would still be in there.

      I disagree with this type of statement that paints all closed source code as bug ridden by default.

      If the code is closed source then the amount/type of bugs in it is unknowable by the public.

      --
      I am Slashdot. Are you Slashdot as well?
    6. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      Well, yes. They just did. Those weren't security issues in 87, just design decisions.

    7. Re:Wha?!?!!! by ruir · · Score: 1, Informative

      LOL. Windows not reusing code? I guess you believe in Santa Claus and the fairy tooth too.

    8. Re:Wha?!?!!! by king+neckbeard · · Score: 4, Informative

      They apparently use code that's two decades old, as this bug was only recently fixed.

      --
      This is my signature. There are many like it, but this one is mine.
    9. Re:Wha?!?!!! by Anonymous Coward · · Score: 1

      "Windows 95 is long gone from modern Windows versions. Or at least I would hope so."

      Sorry, you are completely and utterly wrong and clearly don't have a clue what you are talking about.

    10. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      I'll bet there's a lot of NT4 code in Windows 8.1 and 2012 R2.

    11. Re:Wha?!?!!! by Anonymous Coward · · Score: 1

      OS X could potentially suffer from anything Unix/BSD does, since that's the lineage it comes from, not OS 8/9; a bug could in theory be from 1970....

      Windows most certainly reuses code. Notice how often, when a patch was released, the same patch would go out for multiple operating systems, even back in the 2000 era. Look at some of the latest IE bugs: the same bug would be in IE6 through IE11. I'm on 8.1 and I just searched my SysWOW64 folder and found a DLL from 2000, some SQL management thing, not part of the OS, but still a DLL used in a Microsoft environment on an MS product.

    12. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      To be blunt, it took over 26 years to find even with the source code and all the programmers on the planet who could look at it.

      If it were closed source, the bug probably wouldn't exist anymore because closed source probably doesn't keep using code that's two-and-a-half decades old. As examples, OS X has nothing from Mac OS classic and Windows 95 is long gone from modern Windows versions. Or at least I would hope so.

      Windows NT 4.0 was contemporary with Windows 95, and there are definitely Windows NT bits still present in Windows. Windows 95 isn't around because it was the development branch that died.

      BSD was contemporary with Mac OS classic, and there are definitely BSD bits still present in OS X. Mac OS classic isn't around because it was the development branch that died.

      Developers are pragmatic. Source code stays around for a long time if it works, open- and closed-source. As a side effect, so do the bugs. The parent post is correct: finding this bug was easier because it was open source; if it were closed source, the bug would have been much more difficult to find, or would not have been found at all.

    13. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      >If it were closed source, the bug probably wouldn't exist anymore because closed source probably doesn't keep using code that's two-and-a-half decades old.
      Have you ever worked for a company that makes proprietary software?

    14. Re:Wha?!?!!! by Anonymous Coward · · Score: 2, Interesting

      To be blunt, that's exactly why this was found. If it were closed source, the bugs would still be in there.

      The bugs could potentially be found no matter whether the software was open or closed source. There is no evidence that proves your statement, unless of course you happen to work for Xi Graphics (authors of the closed-source X Window server, a.k.a. Accelerated-X, which is what the free XFree86 was supposed to supersede) and have a story to share there.

      The point the OP was trying to make was that Linus's Law, specifically Eric S. Raymond's "given enough eyeballs all bugs are shallow" argument, is ridiculously idealistic as it operates under the pretence that everyone has as much insight and knowledge into the software as the author(s) have, focusing solely on the quantity of eyes. The Wikipedia reference I cite goes into a bit more depth as to why this socially-propagated belief in the open-source world is unfounded and has been repeatedly proven false. The short of it: just because the source code is available and viewable does not mean that a person viewing it has the capability, familiarity, or time to invest in reverse-engineering it and finding flaws. Anecdotally, in my experience most open-source users can't understand the code of the applications they use: they're simply generic end-users. Open vs. closed has no real bearing when you consider that data point (i.e. having the source available to read/view != having the capability to understand said source).

      Please note my statement doesn't mean closed source has a defined/distinct advantage over open source. They both have their pros and cons. But this age-old belief that open source is superior solely because "the code is out there" needs to stop. Ironically, that subsection of ESR's The Cathedral and the Bazaar may in fact be one of the most damaging things to the open-source movement ever written, simply because of its head-in-the-sand viewpoint; other subsections (e.g. "The Importance of Having Users") are much more justified.

      But hey, that's just my two cents as someone who's been in all of this since the early 90s, and I'm just one person. With one set of eyes. ;-)

    15. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      Interesting thought, if it weren't for the fact that more often than not bugs are found in closed source applications and exploited. How can this be without seeing the source?

      CAPTCHA: reject

    16. Re:Wha?!?!!! by petermgreen · · Score: 2

      I wouldn't be so sure about that.

      On the Mac, while "classic" mode is gone, "Carbon" is still there and was explicitly intended to allow porting of code from classic Mac OS. I'd be surprised if there wasn't some code that had been written for classic Mac OS still in there somewhere.

      Similarly, Win32 was designed as a 32-bit variant of Win16, and I'd be very surprised if there wasn't still some old code hanging around somewhere.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    17. Re:Wha?!?!!! by Rei · · Score: 4, Insightful

      All million lines of it ;)

      Seriously, I'd really love to go in myself and fix the bug that's currently preventing me from using GLX, but I wouldn't even know where to begin. I think Xorg is seriously understaffed in terms of volunteers compared to the scale of the project - it looks like most bug reports don't get responses for months or years, if ever.

      --
      "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
    18. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      Not many OSS projects are easy to contribute to. Download the source code of some open source project and run cloc against it. How many lines of code does it report?

    19. Re:Wha?!?!!! by phantomfive · · Score: 4, Insightful

      If it were closed source, the bug probably wouldn't exist anymore because closed source probably doesn't keep using code that's two-and-a-half decades old. As examples, OS X has nothing from Mac OS classic and Windows 95 is long gone from modern Windows version. Or at least I would hope so.

      There are 300 billion lines of COBOL still in production. And every time you transfer money through banks, your money passes through it. OS X has code from the 90s in it, and Windows has code from the 80s.

      Pretty near every bad software practice that you find in open source software is also found in closed source software.

      --
      "First they came for the slanderers and i said nothing."
    20. Re:Wha?!?!!! by phantomfive · · Score: 1

      From your own link, "there weren't any eyeballs."

      --
      "First they came for the slanderers and i said nothing."
    21. Re:Wha?!?!!! by Qzukk · · Score: 4, Funny

      How dare you question his credentials! He's worked for no less than TEN startups, and he's never seen code that's more than three months old before it gets sold off and the company shuts down. That's 10 samples, statistically significant compared to whatever silly anecdote you've got from working at some hidebound behemoth like SAP or IBM for a decade! These posers don't even count!

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    22. Re:Wha?!?!!! by phantomfive · · Score: 1

      I disagree with this type of statement that paints all closed source code as bug ridden by default.

      To be fair, most of it is. You even have guys at Google saying that bugs are no big deal.

      --
      "First they came for the slanderers and i said nothing."
    23. Re:Wha?!?!!! by phantomfive · · Score: 1

      Similarly, Win32 was designed as a 32-bit variant of Win16, and I'd be very surprised if there wasn't still some old code hanging around somewhere.

      Like the basic types, where a WORD is 16 bits and a DWORD is 32 bits, which are sprinkled everywhere throughout the entire OS.

      --
      "First they came for the slanderers and i said nothing."
    24. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      No bloody joke. When the Raspberry Pi debuted, I figured I'd write a display driver for it, since the framebuffer garbage was horrible, as per usual. The documents were shit. The code was a ridiculous mess. Just figuring out WHAT had to be done was a monumental feat. I gave up, and up to this point, so has everyone else.

    25. Re:Wha?!?!!! by Matrix9180 · · Score: 1

      OS X is an evolution of NeXTSTEP, which was started in the late 80s. They saw that OS 9 was a dead end and Apple needed something "new" and "modern", so they went with NeXT (and for a good while there was this set of compatibility APIs called Carbon, which PROBABLY had a lot of Mac classic code). You can still see a lot of similarities between Xcode today and what they were using on NeXT in the early 90s.

      New code, old code, it makes no difference. It ALL has flaws.

      --
      120chars for a sig is teh suck
    26. Re:Wha?!?!!! by bluefoxlucid · · Score: 1

      You don't get it. We've forked it 5 times; it's just old, bad code. We need to rewrite a completely new X system like Wayland or Mir so that all these old bugs are permanently gone.

    27. Re:Wha?!?!!! by egranlund · · Score: 1

      OS X is an evolution of NeXTSTEP, which was started in the late 80s. They saw that OS 9 was a dead end and Apple needed something "new" and "modern", so they went with NeXT (and for a good while there was this set of compatibility APIs called Carbon, which PROBABLY had a lot of Mac classic code). You can still see a lot of similarities between Xcode today and what they were using on NeXT in the early 90s.

      New code, old code, it makes no difference. It ALL has flaws.

      Heck, even the images from the "Grab" program in the recent versions of OS X have the original Grab icon from NeXTSTEP.

    28. Re:Wha?!?!!! by Rei · · Score: 4, Interesting

      Just did... looks like my estimate of "a million lines" for Xorg was a bit off. It's "only" half a million lines of code (481739), plus 88k lines of comments and 87k blank lines, in 1476 files.

      --
      "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
    29. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      You'd probably not be wrong if you said that there is still a fair bit of code (in absolute numbers, not relative) written for DOS in modern Windows.

    30. Re:Wha?!?!!! by Uecker · · Score: 1

      I am not sure why you think rewriting in a different way is the solution. One could also refactor and fix bugs (which is being done).

      For example, the implementation of the core X protocol has been described as good by the guy who found these bugs (because bugs have already been fixed in the past). New code will not automatically be better: e.g. compare his comments about Qt and KDE.

      From looking at it superficially, Wayland seems to be of pretty good code quality though. I am just not too much of a fan of breaking compatibility with the on-the-wire protocol of X.

    31. Re:Wha?!?!!! by 0123456 · · Score: 1

      No, because the X11 programmers said 'who wants to be fixing bugs in crusty old code when we could be working on the New Shiny Wayland instead?'

    32. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      Just did... looks like my estimate of "a million lines" for Xorg was a bit off. It's "only" half a million lines of code (481739), plus 88k lines of comments and 87k blank lines, in 1476 files.

      And this is just a PRESENTATION LAYER?!?

      OMFG!!!

    33. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      It's not ridiculous. The bugs were found. How long would it have taken for the bugs to surface in closed code?

      Point: You, and the closed source fanboys, are all making the same mistake: shallow is a relative term. And open source or not is not relevant for whether there are bugs in the code or not, but for how large the probability is that they are indeed found, publicized and fixed.

      Results: In this case, P=1 for open source. Closed source? Who knows.

    34. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      So, having been both an open source and proprietary software developer, we'll use the "formula":

      Proprietary has, on average, just as many bugs as OSS.
      Open Source has, by its nature, many more testers and developers reviewing any given feature.
      Proprietary often has a fiduciary obligation to deny vulnerabilities exist, and then ninja-fix them with the next release (we all know MS doesn't, but most vendors are good about this).

      It is no wonder why intelligent people will only use open source software.

    35. Re:Wha?!?!!! by macs4all · · Score: 1

      I wouldn't be so sure about that.

      On the Mac, while "classic" mode is gone, "Carbon" is still there and was explicitly intended to allow porting of code from classic Mac OS. I'd be surprised if there wasn't some code that had been written for classic Mac OS still in there somewhere.

      Similarly, Win32 was designed as a 32-bit variant of Win16, and I'd be very surprised if there wasn't still some old code hanging around somewhere.

      While technically still there, the Carbon API has been officially deprecated since 2012, and as of OS X 10.8 (Mountain Lion), is clearly on its way out.

      It's a shame, because it was a brilliant piece of work (but also not without its problems); but the writing was clearly on the wall when it wasn't ported to 64-bit in 2007.

    36. Re:Wha?!?!!! by macs4all · · Score: 1

      New code, old code, it makes no difference. It ALL has flaws.

      Open code, closed code, it makes no difference. It ALL has flaws.

      Just as true.

    37. Re:Wha?!?!!! by macs4all · · Score: 2

      Heck, even the images from the "Grab" program in the recent versions of OS X have the original Grab icon from NeXTSTEP [osxdaily.com].

      But now, it's just nostalgia. Like Clarus the DogCow.

    38. Re:Wha?!?!!! by dabadab · · Score: 2

      Windows 95 is long gone from modern Windows versions.

      Actually that's not true, as demonstrated by MS14-064 (it's a bug that affects Win8 and also Win95).

      As a sidenote, Win95 is not an ancestor of Windows8. Win8 is a member of the WinNT family, its lineage going back to the first version of Windows NT, which was curiously called Windows NT 3.1 (released in 1993).
      The other line of Windowses (the one going from Windows 1.0 to Windows ME) ran in parallel, and the two families sometimes shared some code, but that's all; Win8 does not come from Win95.

      --
      Real life is overrated.
    39. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      Ran into a story once about a guy, newly hired by Microsoft, finding a flaw in Excel.

      He rigorously dissected and documented the flaw, as it was in an old section of the code.

      After presenting it to a meeting involving Bill Gates and other top brass, he discovered that the very code had been written by Gates himself...

    40. Re:Wha?!?!!! by ArcadeMan · · Score: 1

      An 8-bit value is called a byte and we do need words to describe 16-bit and 32-bit values, regardless of the maximum allowed by the CPU.

    41. Re:Wha?!?!!! by Kjella · · Score: 1

      Your estimate was probably just a bit old; if I recall, it was something like 800k when X.Org took over from XFree86, and they shaved off hundreds of thousands of lines of old cruft. And when they finally ran out of cruft that could be removed, they started writing Wayland. It's probably the only OSS project that's shrunk over the last 10 years.

      --
      Live today, because you never know what tomorrow brings
    42. Re:Wha?!?!!! by phantomfive · · Score: 1

      An 8-bit value is called a byte and we do need words to describe 16-bit and 32-bit values, regardless of the maximum allowed by the CPU.

      Call a 16-bit value a half-word. The only reason it's called a WORD on Windows is because of legacy backwards-compatibility issues.

      Sorry man, your utopia where everyone uses new code is a fantasy. There is trillions of dollars of code already out there, and no one wants to spend trillions of dollars to rewrite it all.

      Furthermore, I don't even understand why you would want it all to be rewritten. If it's bad code, certainly; but if the code works, then rewriting it will add new bugs.

      --
      "First they came for the slanderers and i said nothing."
    43. Re:Wha?!?!!! by Kjella · · Score: 1

      Ooh, found it in this video from 15:03; allegedly it was 1.1 million, but there's no repository dating that far back to check. However:

      xserver1.0.2: 879403 LOC
      xserver now (july 2013): 562678 LOC

      --
      Live today, because you never know what tomorrow brings
    44. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      The point the OP was trying to make was that Linus's Law, specifically Eric S. Raymond's "given enough eyeballs all bugs are shallow" argument, is ridiculously idealistic as it operates under the pretence that everyone has as much insight and knowledge into the software as the author(s) have, focusing solely on the quantity of eyes.

      Frankly, with enough eyes and enough knowledge all bugs in proprietary software are shallow too. Sure, you're dealing with binaries instead of source code, so the amount of eyes is going to be significantly larger, but since neither the number of eyes for proprietary nor for open source software is really achievable in reality, it doesn't matter anyway.

    45. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      It's not ridiculous. The bugs were found. How long would it have taken for the bugs to surface in closed code?

      Maybe more time, maybe less time; in general it depends on the popularity of the program and the resources behind it.

      In this case, P=1 for open source. Closed source? Who knows.

      Indeed, so it's time to stop trying to promote open source under this misguided premise when you don't even know what you're comparing against.

    46. Re:Wha?!?!!! by ArcadeMan · · Score: 1

      Why would a 16-bit value be called a "half-word"? It's always been a word, and 32-bit has always been a double word. You're the one asking to use new code with your half-word.

      Someone screwed up when we went with 32-bit CPUs and people kept saying that a word is the maximum value for a CPU. We're using 64-bit CPUs now, so that means a half word would be 32-bit and a 16-bit value would be a quarter word. You can't try to change the meaning of a word with every CPU upgrade; otherwise that's when you need to rewrite trillions of dollars of code.

      Update upwards, not backwards.
      Byte is 8-bit
      Word is 16-bit
      Double word is 32-bit
      Quad word is 64-bit
      Octo word will be 128-bit
      Etc.

    47. Re:Wha?!?!!! by ArcadeMan · · Score: 1

      P.S.: I think the use of the word "WORD" makes things confusing in the first place.

    48. Re:Wha?!?!!! by theshowmecanuck · · Score: 1

      I agree. And to simplify this, testing doesn't prove or disprove the existence of bugs. If a bug is obtuse enough (like most security holes), there is a good chance it won't get tested even in day-to-day use. Most code over a few hundred lines gets sufficiently complex that it starts to take a real effort to do a code review. Couple that with the fact that one needs experience and/or training to read code and recognize security flaws, and most programs are thousands to tens of thousands of lines long, or more. I think you will likely find that there are not very many people (or in this case none) who have the time or inclination to review code for security flaws, regardless of whether the source code is available.

      So for sure this ultimately makes open and closed source no better than the other in this regard. In fact I can make the argument that closed source might get more reviews, since people are being actively paid to look at the code day in and day out, while in open source, people often won't look at code if it isn't the new shiny thing everyone is buzzing about. I'm not saying closed source vendors are willing to spend the time and money to re-engineer the code to fix found security bugs, which might take considerable time and effort (unless they are really, really bad), mainly because doing so impacts schedules and ultimately money. It's just that in closed source, people might actually know about it sooner than in open source. But in the end, if a security flaw isn't fixed in 25 years, what's the difference which paradigm it falls under? (That's rhetorical.)

      --
      -- I ignore anonymous replies to my comments and postings.
    49. Re:Wha?!?!!! by metamatic · · Score: 3, Interesting

      Actually, OS X contains code and bugs that date back to the 1970s.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    50. Re:Wha?!?!!! by Dr_Barnowl · · Score: 1

      It's a holdover from the VERY old days of computing.

      http://en.wikipedia.org/wiki/W...

    51. Re:Wha?!?!!! by phantomfive · · Score: 4, Informative

      Why would a 16-bit value be called a "half-word"? It's always been a word, and 32-bit has always been a double word. You're the one asking to use new code with your half-word.

      I think you're drunk or something; you keep on saying stuff that could be easily figured out if you looked it up on Wikipedia.

      A 'word' is the natural unit of data on the CPU architecture (not the maximum). Thus on a 16-bit computer a WORD is 16 bits, but on a 32-bit computer it's 32 bits.

      Even a byte was not necessarily 8 bits before OS/360; it was commonly found as 7 bits, or even four bits.

      --
      "First they came for the slanderers and i said nothing."
    52. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      Nope. They didn't find the vulnerability by browsing the source code (almost nobody does that) and they only disclosed it so they could collect the bounty.

    53. Re:Wha?!?!!! by Alomex · · Score: 1

      Microsoft is famous for reusing less code than most other software shops. On top of that, the present Windows systems are a derivative of Windows NT, not Windows 95, so I think it would be a safe bet to say that presently Windows contains comparatively little code from Win95.

    54. Re:Wha?!?!!! by phantomfive · · Score: 1

      OK, that's kind of cool.

      --
      "First they came for the slanderers and i said nothing."
    55. Re:Wha?!?!!! by phantomfive · · Score: 1

      So a 'word' is a completely useless unit because it keeps changing depending on the CPU.

      It's not useless, any more than telling someone "I am here" is useless. Now, saying that a WORD is exactly 16 bits and expecting that to be portable: you are completely right, that is a silly thing to do. All the more so because Microsoft had just recently gone through the switch from 8-bit words to 16-bit words (the Altair was an 8-bit computer).

      I've never seen byte (octet) being anything other than 8 bits.

      That doesn't surprise me at all. And yet they existed.

      --
      "First they came for the slanderers and i said nothing."
    56. Re:Wha?!?!!! by unixisc · · Score: 1

      Yeah, but OS X doesn't use X, and never did. NeXTSTEP, its ancestor, used Display PostScript, and OS X uses something called Quartz. Neither of which has anything remotely to do with X11.

    57. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      FYI: Ancient Microsoft headers defined WORD as a 16-bit signed value and DWORD as a 32-bit signed value; then the Windows API declared its functions in terms of those same WORD and DWORD typedefs. As a result, anything attempting to be even remotely cross-platform copied the standard, so now WORD means 16-bit and DWORD means 32-bit. The terms have stuck, and now they're taught in school as hard constants.

      You can argue correctness until you're blue in the face, and you'll technically be "correct" by 1970s and early 1980s definitions, but you're wrong by the definitions taught in the late 80s and beyond. For at least 25 years, schools have been teaching that WORD is 16 bits, and that it doesn't matter if you're using a 32-bit or 64-bit PC. Those terms are stuck now, and you can't have the 70s/early 80s definitions back. Sorry! Language evolves. You got left behind.

    58. Re:Wha?!?!!! by slimjim8094 · · Score: 1

      You know, 'word' actually means something, and it never referred to a particular number of bits; it was always a property of the architecture. Generally, word size == register size == memory address size == unit of memory that can be operated on. 32-bit machines are 32-bit because they have 32-bit registers, and the size of a memory address is 32 bits long (=4GB), and you can't move less than 32 bits to/from RAM.

      So, yeah, it absolutely depends on the CPU, because it's the fundamental unit of the CPU. It's actually hard to imagine a less useless specification...

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    59. Re:Wha?!?!!! by styrotech · · Score: 1

      The point the OP was trying to make was that Linus's Law [wikipedia.org], specifically Eric S. Raymond's "given enough eyeballs all bugs are shallow" argument, is ridiculously idealistic as it operates under the pretence that everyone has as much insight and knowledge into the software as the author(s) have, focusing solely on the quantity of eyes.

      I disagree that it is a ridiculously idealistic statement. It is more of a misunderstood rhetorical tautology than anything else.

      A discovered bug obviously had enough eyeballs on it, and an as yet undiscovered bug hasn't had enough eyeballs on it.

      All it is stating is that more people looking is better for finding bugs than fewer people looking. Or, put another way, a wider range of experiences, backgrounds, goals, biases and points of view looking for bugs is better than a narrower range.

    60. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      That's true of any non-trivial program. Sure, with time you can find your way. But unless you are really really bored, or getting paid, just about nobody actually does.

    61. Re:Wha?!?!!! by Tablizer · · Score: 1

      I guess you believe in Santa Claus and the fairy tooth too.

      No I don't, she's all gums.

    62. Re:Wha?!?!!! by rahvin112 · · Score: 1

      Why do you think those same developers decided to create Wayland? X is a disaster of legacy code, and it's far more work to fix it than it is to just replace it.

    63. Re:Wha?!?!!! by Scoth · · Score: 2

      I am not a Windows developer, but I have been a long-time tinkerer and user. The 32-bit versions of Windows, even up to and including the previews of Windows 10, still include the same old NTVDM that provides support for 16-bit DOS and Windows programs. I've personally played around with running completely unmodified copies of MS-DOS Executive from Windows 2.x and 3.0, Program Manager, and various other ancient things with absolutely no trouble. This likely includes some very old code to allow this old stuff to run unmodified. There's been a bug or two in NTVDM that date back to the first versions of NT.

      As for early Win32, modern versions of Windows, including 64-bit versions, will still run the early Win32 demos that came with some of the earliest Windows NT 3.1 betas and pre-releases (once the executable format stabilized).

      Now whether this means there's actual literal old code still floating around, or just reimplementation of old libraries and APIs is anybody's guess. Based on some of the security flaws that have cropped up that date back to the earliest versions of Windows NT it certainly seems possible that there's some very old code floating around still. As a closed-source project, we'll likely never know. Though it'd be interesting to poke around in the leaked NT4/Win2k source from several years back and see if there's any clues. In general, rewriting tested, vetted code is a bad idea unless there's a good reason to rewrite it, so I'd bet there's plenty of old code kicking around in Windows in driver handling, kernel memory management, etc.

      OS X is somewhat different since it was more or less reimplemented from the ground up rather than evolutionary from existing Mac OSes - though it'd be interesting to see what might be left over from NeXT or BSD. I believe Carbon is still part of the OS, even if it's deprecated; I'm even less of a Mac dev guy than I am a Windows dev, so I can't speak to the existence of old code in that.

    64. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      Open Source has, by its nature, many more testers and developers reviewing any given feature.

      Absolute rubbish, this theory that open source has more testers or developers is completely unfounded. For some reason people like you seem to think that because the source code is out there this somehow adds more testers and developers which it most certainly does not.

      Feel free to refute that with actual facts if you can, but unfortunately all that is ever provided is fantasy.

      Proprietary often has a fiduciary obligation to deny vulnerabilities exist

      No actually, they have more of an obligation to fix vulnerabilities because they actually have paying customers. Open source can have that too but rarely are those paying customers anybody other than corporations paying for fixes to further their corporate interests who, if it is proprietary software, pay for premium fixes and support anyway.

      It is no wonder why intelligent people will only use open source software.

      Sorry but you are wrong again. Aside from a few narrow situations open source falls short of proprietary solutions for almost all end user applications be those engineering, architectural, image editing, visualization, simulation, product design, raytracer, non-linear video editor, audio production software, etc.

      It is time to stop painting the open source fantasy as reality. Open source is great in theory but in practice it simply has not delivered outside of a few corner cases.

    65. Re:Wha?!?!!! by phantomfive · · Score: 1

      You know, 'word' actually means something, and it never referred to a particular number of bits

      Unless you're using the Win32 API, then WORD is a constant type of exactly 16 bits. And a DWORD is exactly 32 bits.

      --
      "First they came for the slanderers and i said nothing."
    66. Re:Wha?!?!!! by grcumb · · Score: 1

      The point the OP was trying to make was that Linus's Law [wikipedia.org], specifically Eric S. Raymond's "given enough eyeballs all bugs are shallow" argument, is ridiculously idealistic as it operates under the pretence that everyone has as much insight and knowledge into the software as the author(s) have, focusing solely on the quantity of eyes.

      I disagree that it is a ridiculously idealistic statement. It is more of a misunderstood rhetorical tautology than anything else.

      A discovered bug obviously had enough eyeballs on it, and an as yet undiscovered bug hasn't had enough eyeballs on it.

      Actually, I wish he had limited the statement to the persistence of known bugs in FOSS code bases. ESR said the bugs are easier to find as the number of beta testers and developers increases. This doesn't appear to be true. One thing that is true is that code quality is viewed differently in FOSS than in commercial, proprietary software. All too often, software businesses treat QA, debugging and code maintenance as overhead, so there's a perverse incentive to leave known bugs - even the most egregious ones - lying around indefinitely - or at least until someone publicly raises a stink. FOSS culture values code quality more highly and is less tolerant toward bugs, so generally speaking we see somewhat better code quality, and somewhat shorter known bug life than in similar proprietary projects.

      Emphasis on 'generally speaking' in the above. Exceptions abound, but I think the trend is clear.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    67. Re:Wha?!?!!! by slimjim8094 · · Score: 1

      Yeah, but the WORD type hasn't had a relationship to the actual word size for 20 years. As you said upthread "The only reason it's called a WORD on Windows is because of legacy backwards-compatibility issues."

      It was stupid for them to lock processor-dependent stuff into the API and it means you get these ridiculous anachronisms. Especially ridiculous that "WORD" is intended to mean a fixed-size value, when "word" is defined by its processor-dependence. The API is full of this nonsense - WPARAM and LPARAM originally referred to WORD- and LONG-length parameters, respectively, but now they're both 32 bit. LPCSTR - what the hell is a long pointer? So by now it's just random junk. If they wanted a 16-bit value, they should've called it an int16 or a twobyte or... hell, something that described what it actually was. But no, they were intending to describe the actual word size, and then got caught with their pants down when it changed (as anybody could see it would).

      Microsoft is to be commended for their backwards-compatibility, but it makes these poor design choices especially visible. By contrast, the POSIX API is almost completely free of anything machine-dependent, to the point that it can be a bit tricky to use sometimes "when the rubber meets the road". But at least it's consistent.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    68. Re:Wha?!?!!! by phantomfive · · Score: 1

      It was stupid for them to lock processor-dependent stuff into the API and it means you get these ridiculous anachronisms.

      So true.

      --
      "First they came for the slanderers and i said nothing."
    69. Re:Wha?!?!!! by ChunderDownunder · · Score: 1

      I read somewhere that NTVDM isn't supported in x86-64 because "long mode" won't execute "8086 Virtual Mode".

      Yet supposedly MS could resurrect the software for 64 bit Windows by running the software via the VT-x CPU extension present in most recent x86-64 CPU revisions.

      But I guess the effort to make the NTVDM subsystem 64 bit clean isn't worth it...

    70. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      I remember just a few years ago, the id Software developers were really pissed that Microsoft still had 32 bit wrappers around 16 bit code from the mid 1980's (hello DOS my old friend). And every version of OFFICE is a total and complete re-write from scratch. Uh-Huh, sure I believe ya. 200,000,000,000,000 others would call you a total frickin' liar to your face, but sure.

    71. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      So the new code will not have new bugs? Old wisdom says that the amount of bugs is constant, only the location changes.

    72. Re:Wha?!?!!! by ruir · · Score: 1

      So you are saying they are masochists that write everything from scratch, and automagically the binaries are eerily compatible between versions. And I quite remember not long ago them discovering a 20 year old bug - but hey, I could be wrong saying they reuse code and I do not believe their marketing. http://www.techradar.com/news/...

    73. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      There surely is a reason all distros for years have been configuring Xorg to run with the -nolisten tcp option set by default.

    74. Re:Wha?!?!!! by Zappy · · Score: 1

      Windows NT has a lineage dating back to April 1987 with the release of OS/2 1.0

    75. Re:Wha?!?!!! by petermgreen · · Score: 1

      register size == memory address == unit of memory that can be operated on.

      Every modern processor I'm aware of can operate on memory in 8-bit units despite having 32-bit or 64-bit register sizes and 32-bit or 64-bit memory addresses. Older processors with 8 and 16 bit register sizes typically had memory address sizes larger than their register size.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    76. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      And this is just a PRESENTATION LAYER?!?

      OMFG!!!

      Xorg is more than a presentation layer. It has networking (transport layer) and authentication capabilities, as well as device drivers for some old 2D graphic cards.

    77. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      To be blunt, the vulnerabilities were only disclosed so the finders could collect the bounty.

      Bounty? What bounty?

    78. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      FYI: Ancient Microsoft headers defined WORD as a 16-bit signed value and DWORD as a 32-bit signed value; then the Windows API declares its functions in terms of those same WORD and DWORD typedefs. As a result, anything attempting to be even remotely cross-platform copied the standard, so now WORD means 16-bit and DWORD means 32-bit. The terms have stuck, and now they're taught in school as hard constants.

      This only has meaning in MS proper. Hardware architectures and programming languages that were born in non-16 bits environments have WORDs that are differently sized.

    79. Re:Wha?!?!!! by Scoth · · Score: 1

      I'd guess the intersection between users who require 64-bit Windows on a processor that supports VT-x and users who require the use of 16-bit programs that won't work in a virtualized environment is pretty small. Plus I suspect Microsoft likes the reduction in attack surface in removing all the old cruft, even if it could technically be reworked to run.

    80. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      It is time to stop painting the open source fantasy as reality. Open source is great in theory but in practice it simply has not delivered outside of a few corner cases.

      Actually the opposite is demonstrably true: http://www.zdnet.com/article/c...
      Coverity finds open source software quality better than proprietary code
      "In 2013, code quality of open-source projects using the Scan service surpassed that of proprietary projects at all code base sizes, which further highlights the open source community’s strong commitment to development testing."

    81. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      Nope. They didn't find the vulnerability by browsing the source code (almost nobody does that) and they only disclosed it so they could collect the bounty.

      Wrong on both accounts. The bugs were found through a systematic analysis of the code, and no one earned any bounty for doing so.

    82. Re:Wha?!?!!! by Anonymous Coward · · Score: 0

      Actually the opposite is demonstrably true

      Wrong. As I already said, aside from a few narrow situations open source falls short of proprietary solutions for almost all end user applications, the open source ones are not even viable solutions for the problem. Nobody cares if the code of project A is better than the code of project B if project A isn't capable of solving the problem.

      Coverity finds open source software quality better than proprietary code

      Better than what? It can't even compete in the major categories I listed! So what exactly are you comparing to? For example I don't care if Coverity tells me the GIMP is better than Photoshop because Photoshop is still a better product overall.

      So the real question is would you choose the product that a Coverity analysis tells you it is better? Or would you choose the product that is actually capable of achieving what you want to do? In this case the two are mutually exclusive yet you are advocating for the former, which is stupid.

      It is unbelievable how easily zealots can get fooled into believing this stupidity when it can not possibly be even close to an apples to apples comparison, how can you be so stupid as to not see that? Just look at it, they have compared an unspecified 741 open source projects of an average 340 KLOC to an unspecified 493 proprietary projects of an average 1.3 MLOC and you think you can draw a meaningful comparison from that?

    83. Re:Wha?!?!!! by Electricity+Likes+Me · · Score: 1

      I'd love to see some example workflows of how you work on something like X - or the kernel, for different classes of bug hunting. It's the type of thing I've always wanted to dive into, but just the thought of trying to get to the stage where I can tweak/run/debug is incredibly daunting.

  2. from TFA by Anonymous Coward · · Score: 0

    Configure the X server to prohibit X connections from the network by passing the -nolisten tcp command line option to the X server. Many OS distributions already set this option by default, and it will be set by default in the upstream X.Org release starting with Xorg 1.17.

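The advisory's mitigation quoted above is a configuration change, so a practitioner's first question is whether a given host actually needs it. The following is an added example, not code from the advisory, X.Org or any commenter: a POSIX shell check that parses `ss -ltn`-style listener output and reports any X display accepting TCP connections (display :N listens on TCP port 6000+N). The sample listener table is constructed for the example; on a live host you would feed `ss -ltn` output to the same function. The function names are this example's own.

```shell
# Added example: detect an X server listening on TCP (the condition that
# "-nolisten tcp" removes). Display :N uses TCP port 6000+N, so any
# listener in 6000-6063 is an X display reachable from the network.

# x11_tcp_listeners reads "ss -ltn"-style output on stdin and prints the
# display number (":0", ":1", ...) for every listener in the X11 port range.
x11_tcp_listeners() {
  awk '
    NR > 1 {                         # skip the column-header line
      n = split($4, a, ":")          # column 4 is Local Address:Port;
      port = a[n] + 0                # the port is the last ":"-separated field
      if (port >= 6000 && port <= 6063) print ":" (port - 6000)
    }'
}

# check_x11_tcp takes a listener table as its argument, prints the exposed
# displays (if any) and returns 1 when an X display listens on TCP, 0 when
# none does. Use it on a live host as: check_x11_tcp "$(ss -ltn)"
check_x11_tcp() {
  found=$(printf '%s\n' "$1" | x11_tcp_listeners | sort -u)
  if [ -n "$found" ]; then
    printf 'X display(s) listening on TCP: %s\n' "$found"
    return 1
  fi
  return 0
}

# Constructed sample (not captured from a real host) imitating "ss -ltn"
# on a machine where display :0 was started without "-nolisten tcp":
# it listens on IPv4 and IPv6 alongside sshd on port 22.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    [::]:6000          [::]:*'

# Running the check on the sample reports ":0" and returns 1; after the
# server is restarted with "-nolisten tcp" the 6000 lines disappear and
# the check returns 0. ssh -X forwarding does not need the TCP listener.
check_x11_tcp "$SAMPLE_SS"
```

The check deliberately looks at listening sockets rather than at the X server's command line, since a display manager may start the server with options the administrator never sees; what matters for exposure is whether port 6000+N is open.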
    1. Re:from TFA by Russ1642 · · Score: 0

      Configure the X server to prohibit X connections from the network by passing the -nolisten tcp command line option to the X server.

      Well duh!

    2. Re:from TFA by Anonymous Coward · · Score: 0

      And only one of the bugs is from 1987, and it can only be triggered AFTER the client has authenticated itself.

    3. Re:from TFA by crow · · Score: 2

      Doesn't prohibiting network connections to the X server rather defeat one of the major features of X?

      Granted, I think I usually am tunneling my X connections through ssh, so perhaps this doesn't apply as widely as it did a few years ago.

    4. Re:from TFA by morgauxo · · Score: 1

      I USE remote X connections. Mostly over the LAN.

    5. Re:from TFA by Uecker · · Score: 1

      Yes, most Linux distributions seem to have used -tcp nolisten for quite a while. ssh -X still works fine and is very useful (IMHO).

    6. Re:from TFA by Uecker · · Score: 1

      Why can't you use ssh -X ?

    7. Re:from TFA by LordThyGod · · Score: 1

      Yes, most Linux distributions seem to have used -tcp nolisten for quite a while. ssh -X still works fine and is very useful (IMHO).

      Very long time. Most typical server installations don't even install X, so if you are wanting to exploit this, you are going to have to look really hard for somebody on your LAN running an ancient distro who's disabled the firewall and other remote auth stuff.

    8. Re:from TFA by skids · · Score: 1

      These days for heavy remote X use you use stuff like Xpra, also over SSH, as it can leverage hardware encoders which the X protocol didn't have at its disposal back when it was designed.

    9. Re:from TFA by jedidiah · · Score: 1

      Temporarily disabling a feature is not the same as permanently doing so. It's like saying that you always need to run as root. You don't. You only need to enable root level access when it's actually needed. The same goes for outward facing network services.

      Similarly MacOS doesn't enable the ssh server by default.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    10. Re:from TFA by armanox · · Score: 1

      I commonly use XDMCP because it's simply easier and faster for a handful of the systems I work with (given, the SGI's are quite slow by today's standards...). Also trying to explain that to some Windows people when they insisted they needed to install Oracle DB on Solaris systems (they wanted me to tell them how to get a remote GUI on Solaris 9 and 10) it was far easier to point them to XDMCP.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
  3. Xorg? by Anonymous Coward · · Score: 0, Funny

    I don't see that program listed in my Start menu. Whew, guess I'm safe!

    1. Re:Xorg? by ChunderDownunder · · Score: 1

      a Start menu, didn't Microsoft remove that for security reasons?

  4. In before the trolls by Anonymous Coward · · Score: 5, Insightful

    Open Source does not guarantee that all of the bugs will be found, it merely guarantees that all of the bugs can be found.

    1. Re:In before the trolls by Anonymous Coward · · Score: 0

      We don't disagree, but we contest The Cathedral and The Bazaar whimsical and harmful ideology!

      OPEN SOURCE SOFTWARE IS NOT BETTER THAN CLOSED SOURCE. It is merely easier to steal...

    2. Re:In before the trolls by sjames · · Score: 1

      It is better because the bugs are more likely to be found and fixed. Note that more likely is not at all the same as 100% likely.

    3. Re:In before the trolls by Anonymous Coward · · Score: 0

      Open Source does not guarantee that all of the bugs will be found, it merely guarantees that all of the bugs can be found.

      You see, the ironic thing here is that even when you put the full source in the wild, the amount of people looking is often very small. Believe it or not, there are often many more engineers looking for, finding, and properly fixing bugs in closed source projects. Even inside a single company.

      The possibility that anyone can look at the source is just theoretical. There's many things of goodwill that people could do in theory. At this point it is good to ask the question, is looking at the open source code something that people are actually doing? Who is doing it? Have you tried it? What did it feel like?

    4. Re:In before the trolls by Anonymous Coward · · Score: 0

      Believe it or not, there are often many more engineers looking for, finding, and properly fixing bugs in closed source projects. Even inside a single company.

      Most vendors I've seen only care about bugs that keep the product from shipping. E.g. a wireless vendor wants its devices to pass 802.11 interoperability testing (making sure it works with your router), but spends zero time on security testing (handling corner cases and malformed packets, etc).

    5. Re:In before the trolls by Anonymous Coward · · Score: 0

      I like that.

      However, I would point out the army of dudes making malware for windows may disagree.

      Reading assembler without comments is *difficult*. But not impossible.

      Don't think so? No? See MAME/MESS. They basically reverse engineered thousands of systems using the binary code and a bit of hands on with the hardware.

    6. Re:In before the trolls by EETech1 · · Score: 1

      If every version of Windows had a flaw, how many of them could you fix?

    7. Re:In before the trolls by sjames · · Score: 1

      Exactly my point. However small the chance that I will spot and fix a flaw in Free Software, the odds are better than that I will find and fix a bug in proprietary software where I am not even allowed to look at the source.

    8. Re:In before the trolls by Anonymous Coward · · Score: 0

      One.

      Since every version of Windows has multiple flaws, and there's so many of them and the code is really, really big, they won't all be getting fixed.

      But, that's not really the question that you asked...

    9. Re:In before the trolls by grep+-v+'.*'+* · · Score: 1

      Open Source ... merely guarantees that all of the bugs can be found.

      Well it seems like Closed Source "merely guarantees that all of the bugs can be found" by crackers. (NO, they're not hackers.) They seem to do a pretty good job of finding and exploiting problems withOUT any copy of the source for reference.

      (Well, I presume they don't. Maybe Bill Gates has a whole independent second fortune that we don't know about. Or: how DID Ballmer afford to pay $2B for a bunch of guys walking around while bouncing a ball?)

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  5. so much for open source bug discovery being better by Anonymous Coward · · Score: 1

    One of the big claims is because you can't look at closed source code, bugs go undetected for longer.... 1987?

  6. What about XFree86? by halivar · · Score: 1, Funny

    Or is that project even still around?

    1. Re:What about XFree86? by halivar · · Score: 1

      Wow. Never mind. It died in 2008. Y'all, I'm old and time slips by me pretty quick. Sorry.

    2. Re:What about XFree86? by Anonymous Coward · · Score: 0

      Man, don't scare me. What should I consider "old"?

    3. Re:What about XFree86? by jellomizer · · Score: 1

      Which is too bad.
      I was able to get XFree86 to work on the stuff that autodetect just fails on.
      In particular, my old netbook's 1024x600 monitor, which it wants me to run at 800x600 stretched.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:What about XFree86? by Pope+Hagbard · · Score: 1

      X.org started from a fork of XFree86, so it wouldn't make any difference.

    5. Re:What about XFree86? by Trax3001BBS · · Score: 1

      Man, don't scare me. What should I consider "old"?

      It's a state of mind really. I'm 61 and could be called old, hell I get senior discounts now.

      I have no illnesses and feel as well as I ever have, or I could dwell on every ache and pain and start acting like I was 61 instead of a "kid" (say 35 yrs old : } ) still.

    6. Re:What about XFree86? by Anonymous Coward · · Score: 0

      Looks like your memory isn't what it used to be. You forgot to tell us to get off your lawn.

  7. Re:so much for open source bug discovery being bet by Anonymous Coward · · Score: 0

    There are remnants of DOS code in the newest versions of Windows. Has anyone done a proper analysis of MORE or XCOPY to ensure they're perfectly safe? Those pieces of code go back significantly further than 1987...

  8. Re:so much for open source bug discovery being bet by Etzos · · Score: 1

    While many people seem to say that, I don't believe that's the actual claim. I think the claim is that it's easier to find bugs in free/open source software because the code can be read by everyone. That is, it's more likely that if there is a bug it will be found and fixed. While that may imply, to a certain degree, that bugs can go undetected for longer in closed source software it certainly doesn't state it outright. And in large code bases like X.org it's hard to imagine that old pieces of code that haven't been looked at in a long time wouldn't have some rather large vulnerabilities. At least now some of them have been found and patched.

    Plus I think it's also important to think about it from this angle: Do you have any examples of closed-source software that has been in use since 1987 that hasn't had any bugs discovered recently?

  9. So what does it affect? by armanox · · Score: 2

    So, what exactly is impacted here? Are all X11 implementations affected, or just XFree86 and X.org? I'm seeing SGI sources listed as impacted, which would point to any X11 implementation that uses GLX being impacted (including Xsgi on my IRIX systems), and seeing the age of the bug, I would imagine it would be more proper to point to things based on XFree86 rather than X.org. People forget that X11 is bigger than X.org, and the X.org team wasn't always the only game in town (if they didn't have a monopoly we wouldn't be arguing about Wayland....).

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
    1. Re:So what does it affect? by sjames · · Score: 1

      Since the code that had the vulnerability was originally reference code, it is quite possible (but not known) that proprietary implementations also have the bug.

    2. Re:So what does it affect? by hansot · · Score: 1

      It is a while ago (more than 20 years!), but I am certain that we fixed most of the issues described in CVE-2014-8092 and CVE-2014-8095 when porting X11R4 and we did report those bugs to the X Consortium (actually a precursor of Xorg.)

      I am also quite sure that the large companies (Sun, SGI maybe IBM) also fixed and possibly reported those bugs. I can only conclude that the software engineering practices of the X developers were a bit sub-standard, even for those days and it also makes me quite suspicious about the way-of-working of the present OpenDesktop and Xorg developers.

      I have a strong impression that they are more focused on development of Wayland anyhow. And that is not a good thing...

    3. Re:So what does it affect? by armanox · · Score: 1

      Mind if I ask which porting project you were a part of? There used to be quite a few X11 implementations.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    4. Re:So what does it affect? by hansot · · Score: 1

      For Sony NEWS, a fairly short lived product. The workstations were initially based on Motorola 68K, later on MIPS R3000 and up. The OS was 4.3 BSD in the beginning, later also SVR4. The X ports were quite straightforward, mostly adaption to hardware and fighting the compiler (slightly quick-and-dirty PCC based). And of course the bugs we found in X itself.

  10. Re:so much for open source bug discovery being bet by jellomizer · · Score: 3, Insightful

    Zealots are deniers.
    The problem is there are enough vocal Zealots to proclaim that how a product is licensed somehow makes it superior/inferior to another.
    But in general the more confident you are in your product's superiority, the more problems you ignore or don't bother looking for.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  11. OpenBSD comes to the rescue by Anonymous Coward · · Score: 0

    Why on earth are so many systems not running a non-privileged X is the real question we should be asking.

    1. Re:OpenBSD comes to the rescue by bluefoxlucid · · Score: 2

      They are, in fact. It's just that you can still gain access to your non-privileged X server, and have access as the user running X. You can then make it run any shellcode you want, or return to libc and run some shell commands (doesn't require writable/executable memory this way), thus allowing for injection of a local privilege escalation attack or some sort of information leak (e.g. concurrent brute forcing of passwords). In the most basic case, landing as the non-privileged X user allows you to inspect your own processes, i.e. the X server itself, and keylog and harvest passwords.

    2. Re:OpenBSD comes to the rescue by Uecker · · Score: 1

      Yes.

  12. What about systemd's code? by Anonymous Coward · · Score: 0

    X.org is developed by the freedesktop.org community, right? And systemd is also developed by the freedesktop.org community, right? So if X.org's code has serious flaws going back decades, and the freedesktop.org community didn't detect them sooner, then I think we should assume (more than we already do) that all of their software, especially newer and immature software like systemd, has similar undetected flaws. This should cause Linux distros like Debian to immediately rethink the decision to integrate systemd. In fact, the safest thing to do at this point would be for Debian to completely remove systemd, until it has been proven not to contain flaws.

    1. Re:What about systemd's code? by Anonymous Coward · · Score: 0

      I agree, we should remove all software until they are proven to not contain flaws. This will make everything safer!

    2. Re: What about systemd's code? by Anonymous Coward · · Score: 0

      Or more simply put: You have no idea whatsoever what freedesktop.org is at all.

  13. Re:so much for open source bug discovery being bet by Anonymous Coward · · Score: 0

    Don't forget to compare bugs from active exploits in use:

    When I read about Linux vulnerabilities, they are bugs, and -could- be used for exploits.

    When I seem to read about Windows vulnerabilities, they are -actively being exploited-, which means it isn't just a security problem, but the hackers are already gorging themselves at the buffet table and swilling the champagne at this second.

  14. Re:so much for open source bug discovery being bet by king+neckbeard · · Score: 1

    The manner in which you state it seems far more common in strawman arguments than the actual arguments being made. Most claims regarding FOSS security are rooted in averages in situations with all other factors being roughly equal.

    --
    This is my signature. There are many like it, but this one is mine.
  15. Re:so much for open source bug discovery being bet by Anonymous Coward · · Score: 0

    It turns out that nobody likes having to retrain their talking points when reality intervenes. Just as much, nobody seems ready to discuss a nuanced issue that cannot be boiled down to a few talking points.

  16. Re:Wha?!?!!! Yup, you betcha! by mmell · · Score: 1

    That's why most respectable Linux administrators don't run X on servers. Most of us just turn off that pesky GUI so that we can get work done.

    I don't suppose M$ has some kind of command-line mode for their servers? Some sort of Disk Operating System which could be used to provide a runtime environment for applications and services without requiring the use of a large, resource-hogging graphical interface which (as has been pointed out) is a great place to find exploitable code.

    It's proprietary code! Surely the vendor has the most noble and idealized motives in making sure their code's not merely good enough to sell, it's actually good, with highly trained and competent professionals dedicated to ensuring their customer's safety after they take the money.

  17. X11? by MMC+Monster · · Score: 1

    Just to clarify, if we use X10 we're good?

    --
    Help! I'm a slashdot refugee.
    1. Re:X11? by fnj · · Score: 1

      Wait til you see X12.

    2. Re:X11? by Anonymous Coward · · Score: 0

      I think he was talking about the company X10 that sells cameras and remote controlled light switches. Their website is straight from 1995, and their advertising practices scream "THIS COMPANY IS PROBABLY NOT LEGIT," but alas they actually are a legit company.

      I've been using X10 since they were called RadioShack plug 'n power. Awesome products. Terrible company/management.

  18. I guess you've never seen the internals of MATLAB. by Anonymous Coward · · Score: 0

    OOOOOlllllllddddddd....

  19. Re:Wha?!?!!! Yup, you betcha! by Anonymous Coward · · Score: 0

    There is actually a windows version (Server Core, IIRC) that boots to a terminal ... window. Better than nothing, I guess.

  20. Re:Wha?!?!!! Yup, you betcha! by lgw · · Score: 4, Interesting

    MS has had a fully-supported "no GUI" server option since Server 2012, but has been possible to admin CLI-only, without 3rd party add-ins, since 2008 (though the GUI would still be running, if you don't provide remote access to it, it might as well not be), and with 3rd-party add-ins since 2003.

    However, managing multiple Windows servers is more about group policy than logging into any servers, GUI, CLI, or carrier pigeon. I've worked with management systems for 1000s of Windows servers, and the only reason you'd ever log into a server is to recover if something went horribly wrong with a new deployment, and you wanted to find out why (to debug your deployment - just recovering the server was automatic).

    --
    Socialism: a lie told by totalitarians and believed by fools.
  21. wayland by Anonymous Coward · · Score: 0

    "code dating back to 1987 is affected "

    Wayland is better, because it can have only bugs that affect code dating back to 2008 :)

    1. Re:wayland by unixisc · · Score: 1

      I am interested in Wayland, but question is - if the same people who wrote X11 are now writing Wayland, why would we trust Wayland to be any better, or not have the same bugs? Are the bugs related to X's remote access, which Wayland dumps for RDP/VNC?

    2. Re:wayland by OneSizeFitsNoone · · Score: 1

      None of the people who designed and coded X11 in the eighties are now busy on Wayland that I know of.

  22. News at 11!!! by sl3xd · · Score: 4, Informative

    Anybody who's really looked at security around X11 has known for decades that it isn't that great.

    I even remember that as recently as a year ago, ATI's drivers specifically told you to use "xhost +" to enable GPU compute jobs using ATI devices, which resulted in a lot of "LOL NOPE" in the HPC industry. (It's trivial to root a machine that has had "xhost +" executed inside an X11 session.)

    X11 having critical security holes should surprise no one. There's a reason internet-facing servers don't have X11, and it's not just because you don't need a GUI sucking up resources.

    On the other hand, I'm thoroughly grateful that somebody decided to do something about it.

    --
    -- Sometimes you have to turn the lights off in order to see.
    1. Re:News at 11!!! by Anonymous Coward · · Score: 0

      So next time someone reports a critical security issue in Windows it'll be okay because Windows having critical security holes is a surprise to no one? Or when the next online-only EA game's servers explode on launch day, it'll be okay because we've all grown to expect it?
      Or is it just that you're an FOSS apologist?

    2. Re: News at 11!!! by Anonymous Coward · · Score: 0

      The OP criticized X11 outright. That's the opposite of what an apologist does.

      At what point did the OP either try to justify the hole, or even mention Microsoft?

  23. Re:so much for open source bug discovery being bet by Anonymous Coward · · Score: 0

    One of the big claims is because you can't look at closed source code, bugs go undetected for longer.... 1987?

    Still a quicker fix than the two in Windows dating back even further, one of which is still vulnerable remotely.

    Still much better than the greater-than-zero number of zero-day exploits in Windows you don't even know about, nor could you even prove is a low number.
    Might as well make up a number like "Windows still contains 20,000 unpatched exploits" for all you can tell and prove to us.

    So yeah, 2-3 is much, much less than 20000, so Linux still beats Windows with its speedy bug fixes!

  24. What do these vulnerabilities mean for avg users? by Anonymous Coward · · Score: 0

    SO: what do these bugs mean for someone running, say, Debian Wheezy with its out-of-the-box X and iptables settings for typical consumer desktop use with a home router, i.e. not a web server? What is there that makes that system vulnerable to attack?

  25. you know what this means? by Anonymous Coward · · Score: 0

    Those zer0-day script kiddies I hired must have been distracted by the drop in Xbox' price.

  26. Re:Wha?!?!!! Yup, you betcha! by Anonymous Coward · · Score: 0

    "I don't suppose M$ has some kind of command-line mode for their servers? "
    MS has had a command line interface (PowerShell) for administering servers for quite a while now, moron. It even comes with a handy SDK that helps writing installers and automating system tasks from the application layer when required. The fact you don't know that means you turned off more than your GUI. I would also question your claim of being a respectable Linux administrator if you have to ask such a stupid question.

  27. 1987? by Anonymous Coward · · Score: 0

    X.org didn't exist until this century.

  28. Time to stop adding features, and audit instead by Anonymous Coward · · Score: 0

    Linux suffers from too much "add feature Y asap" versus doing security audits on the code. All Open Source programs should go through a year of security audits, for starters. Who knows what is lurking in that old code?

    1. Re:Time to stop adding features, and audit instead by toonces33 · · Score: 1

      That's not a problem that is unique to Linux, however. Many commercial products have the same issues - the marketing and planning people want new features as that helps them sell upgrades and maintenance, and in the past those sorts of things were prioritized higher than things like a security audit, which management concluded weren't something that one could sell.

      It is only when customers demand security audits of the products that they buy that this will change.

  29. Guess I'm finally gonna have to update to X11R5 by anonymous_wombat · · Score: 1

    I hope this isn't going to happen every 24 years.

    Just tell me that Motif is still safe.

  30. Re:so much for open source bug discovery being bet by Anonymous Coward · · Score: 0

    > how a product is licensed some how makes it superior/inferior to an other

    Ok, take an old radio. You know, those that were repairable, that you could open up with a screwdriver.

    Now, ruin all screws so that it can't be opened anymore. Use glue, melt it, whatever.

    Now, tell me with a straight face that it has not become inferior just because, technically, it sounds the same and receives the same.

  31. Famous for the opposite... by Anonymous Coward · · Score: 0

    1. Re:Famous for the opposite... by Alomex · · Score: 2

      Windows 7 was the product release of the beta version otherwise known as Windows Vista.

  32. Netcraft confirms by Anonymous Coward · · Score: 0

    X is dying.

  33. Re:Guess I'm finally gonna have to update to X11R by armanox · · Score: 1

    Well... I would stick with OPEN LOOK just to be sure.

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  34. Re:so much for open source bug discovery being bet by Anonymous Coward · · Score: 0

    One of the big claims is because you can't look at closed source code, bugs go undetected for longer.... 1987?

    Well, there are two things to respond to here. Coverity is a company that was spun off from a university research project that used software to automatically check other software for bugs and programming errors. It was enhanced, and then its use was underwritten by the US Department of Homeland Security to check the GNU/Linux ecosystem (the kernel plus about 50 other large pieces of software). Instead of 'mere speculation' by some armchair quarterback, Microsoft zealot or Slashdot pundit, they ran this thing against all of this software. They then took the source of large closed source software (including operating systems the poster would embrace like a $2 streetwalker: e.g. MS Windows). And they found that GNU/Linux had 20x fewer bugs than commercial software, and the bugs that were there were far less dangerous than the commercial software.

    2. The bug found here (assuming Coverity went over the X-windows system) was too subtle for Coverity to find.

    3. It's better to find a bug from 1987 and fix it, than to go on about how good your software is, and have someone break it when it's a greater span of years than from 1987 to now.

  35. Re:so much for open source bug discovery being bet by jellomizer · · Score: 1

    Well, if the new radios are smaller, lighter and do not need to be repaired (better components, less moving, or parts that can move...), and offer near identical sound, then yes, your old radio is inferior to the new one.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  36. I just wish by kilodelta · · Score: 1

    Ubuntu would fix the X.org problems in their latest version. Nothing like the GUI locking up and then going into a command prompt and seeing xorg sucking up all the system resources.

  37. Re: Wha?!?!!! Yup, you betcha! by Anonymous Coward · · Score: 0

    whoooooooosh. you hear that AC?

  38. Re:Wha?!?!!! Yup, you betcha! by mmell · · Score: 1

    Who said I was respectable?

  39. Answer a question, mmell by Anonymous Coward · · Score: 0

    What's it like getting your ass kicked by apk + downmodding to hide it 20x http://tech.slashdot.org/comme... ?
