[Gllug] A little OT: On the limits of VLANs

Nix nix at esperi.org.uk
Wed May 12 08:11:06 UTC 2010

On 9 May 2010, Tethys uttered the following:

> Nix writes:
>>I don't see a bug about requiring X client libraries.
> I do. The bloat (and there's a lot, because modern apps no longer just
> use Xlib/Xt) means there's an increased attack surface, and makes the

Well, if the app is using something like Qt, sure. But both Qt and Gtk
refuse to start when run as root (IIRC about Qt, I'm sure about Gtk),
and xlib has been used in privileged situations for so very long now
that, even though it was not written to be secure, it has been audited
more than once and most obvious security holes are gone (this being all
you can expect of any software at all).

> update typically brings countless package changes when X is involved.

Er, most of those libraries are tiny protocol wrappers and have almost
nothing to *be* insecure. Many have never had a single security hole
reported against them (and in any case are used by not very many

> Changes are the enemy of stability, and are thus to be minimized on a
> server.

... and most X libraries change once in a blue moon.

>         The less that's installed, the less that needs to be kept up
> to date. Furthermore, when I get a support call and I'm in the pub,
> I can't fix it on my mobile phone if it requires X. If I can ssh in

Some of these programs *can* use X *if available*; others simply want an
X server but don't render anything on it (e.g. the aforementioned Oracle
crap), so Xvfb will do.

> and fix it on the command line, then it's fine. Also, GUI apps don't
> work over a serial console, and are thus undesirable on a server. Yes,
> maybe I'm seen as a dinosaur for having such views, but I acquired
> them through many (painful) years of experience.

Oh, as someone regularly stuck at the wrong end of a very slow
narrowband link I *completely* understand your position.
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list