[Gllug] A little OT: On the limits of VLANs

Nix nix at esperi.org.uk
Wed May 12 08:11:06 UTC 2010


On 9 May 2010, Tethys uttered the following:

> Nix writes:
>
>>I don't see a bug about requiring X client libraries.
>
> I do. The bloat (and there's a lot, because modern apps no longer just
> use Xlib/Xt) means there's an increased attack surface, and makes the

Well, if the app is using something like Qt, sure. But both Qt and Gtk
refuse to start when run as root (IIRC about Qt, I'm sure about Gtk),
and Xlib has been used in privileged situations for so very long now
that, even though it was not written to be secure, it has been audited
more than once and most obvious security holes are gone (this being all
you can expect of any software at all).

> update typically brings countless package changes when X is involved.

Er, most of those libraries are tiny protocol wrappers and have almost
nothing to *be* insecure. Many have never had a single security hole
reported against them (and in any case are used by not very many
programs).

> Changes are the enemy of stability, and are thus to be minimized on a
> server.

... and most X libraries change once in a blue moon.

>         The less that's installed, the less that needs to be kept up
> to date. Furthermore, when I get a support call and I'm in the pub,
> I can't fix it on my mobile phone if it requires X. If I can ssh in

Some of these programs *can* use X *if available*; others simply want an
X server but don't render anything on it (e.g. the aforementioned Oracle
crap), so Xvfb will do.

> and fix it on the command line, then it's fine. Also, GUI apps don't
> work over a serial console, and are thus undesirable on a server. Yes,
> maybe I'm seen as a dinosaur for having such views, but I acquired
> them through many (painful) years of experience.

Oh, as someone regularly stuck at the wrong end of a very slow
narrowband link I *completely* understand your position.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug



