Just-Announced X.Org Security Flaws Affect Code Dating Back To 1987
An anonymous reader writes: "Some of the worst X.Org security issues were just publicized in an X.Org security advisory. The vulnerabilities deal with protocol handling issues and led to 12 CVEs being published; code dating back to 1987 is affected within X11. Fixes for the X Server are temporarily available via this Git repository."
To be blunt, it took over 26 years to find even with the source code and all the programmers on the planet who could look at it.
If it were closed source, the bug probably wouldn't exist anymore because closed source probably doesn't keep using code that's two-and-a-half decades old. As examples, OS X has nothing from Mac OS classic and Windows 95 is long gone from modern Windows versions. Or at least I would hope so.
To be blunt, that's exactly why this was found. If it were closed source, the bugs would still be in there.
The bugs could potentially be found no matter if the software was open or closed-source. There is no evidence that proves your statement, unless of course you happen to work for Xi Graphics (authors of the closed-source X windows server, a.k.a. Accelerated-X, which is what the free XFree86 was supposed to supersede) and have a story to share there.
The point the OP was trying to make was that Linus's Law, specifically Eric S. Raymond's "given enough eyeballs all bugs are shallow" argument, is ridiculously idealistic as it operates under the pretence that everyone has as much insight and knowledge into the software as the author(s) have, focusing solely on the quantity of eyes. The Wikipedia reference I cite goes into a bit more depth as to why this socially-propagated belief in the open-source world is unfounded and has been repeatedly proven false. The short of it: just because the source code is available and viewable does not mean that a person viewing it has the capability, familiarity, or time to invest in reverse-engineering it and finding flaws. Anecdotally, in my experience most open-source users can't understand the code of the applications they use: they're simply generic end-users. Open vs. closed has no real bearing when you consider that data point (i.e. having the source available to read/view != having the capability to understand said source).
Please note my statement doesn't mean closed-source has a defined/distinct advantage over open-source. They both have their pros and cons. But this age-old belief that open-source is superior solely because "the code is out there" needs to stop. Ironically, that subsection of ESR's The Cathedral and the Bazaar may in fact be one of the most damaging things to the open-source movement ever written simply because of its head-in-the-sand viewpoint; other subsections (e.g. "The Importance of Having Users") are much more justified.
But hey, that's just my two cents as someone who's been in all of this since the early 90s, and I'm just one person. With one set of eyes. ;-)
MS has had a fully-supported "no GUI" server option since Server 2012, but it has been possible to admin CLI-only, without 3rd-party add-ins, since 2008 (though the GUI would still be running, if you don't provide remote access to it, it might as well not be), and with 3rd-party add-ins since 2003.
However, managing multiple Windows servers is more about group policy than logging into any servers, GUI, CLI, or carrier pigeon. I've worked with management systems for 1000s of Windows servers, and the only reason you'd ever log into a server is to recover if something went horribly with a new deployment, and you wanted to find out why (to debug your deployment - just recovering the server was automatic).
Just did... looks like my estimate of "a million lines" for Xorg was a bit off. It's "only" half a million lines of code (481739), plus 88k lines of comments and 87k blank lines, in 1476 files.
Actually, OS X contains code and bugs that date back to the 1970s.