1. 86
    1. 35

      The real gold nugget is in the bug tracker:

      A few weeks ago, my kids wanted to hack my linux desktop, so they typed and clicked everywhere, while I was standing behind them looking at them play… when the screensaver core dumped and they actually hacked their way in! wow, those little hackers…

      I have this unpopular opinion that, while here in the open source community we’re used to poking fun at MICROS~1 Windows because it crashes and it’s insecure, lots and lots of things have changed in Windows land since 1998. Security-wise, I’d be much more inclined to trust a Windows 10 machine than an Ubuntu machine, in spite of its malware telemetry.

      1. 13

        I agree. I am by no means a Windows fan (quite the opposite, *nix user since 1994), but Microsoft has really invested in security. Some examples:

        • You can pick a set of folders for malware protection with controlled folder access. Only trusted applications can access those folders. Attempted access by a non-trusted application requires permission of the user.

• Virtualization-based security uses Hyper-V to run the Windows kernel at a less privileged level with hardware isolation. Sensitive information is stored in memory not accessible to the main Windows kernel. The same mechanism is used to verify driver signatures, etc. (so that a compromised kernel cannot load rogue drivers).

        • A subset of store apps is sandboxed (they loosened the requirement to attract more traditional apps I guess).

• Easy, user-friendly support for running an Edge browser that runs in an isolated VM.

        • A driver and application verification model.

There are some exceptions to this in the unix world, such as macOS and Fedora (with good secure boot support with module signing, SELinux, a push of Flatpaks with sandboxing, however imperfect), which do defense in depth. But largely the Linux threat model is as if we are still in the ’80s or ’90s, where gaining root access is the primary goal.

        1. 9

          And it’s not just that the threat model is out of date (which it is!) but also that the tech stack has long, long exceeded the complexity level at which people who work in their spare time can use it and not screw up, no matter how good they are and despite their best intentions. See my second-favourite KDE bug: https://bugs.kde.org/show_bug.cgi?id=389815 .

          People look at the threat models of operating systems like Windows and they (rightfully, to some degree) think that they’re an artefact of the closed-source development model producing applications distributed through all sorts of channels, where of course you’re not going to trust applications you got from the Internet.

          But lots of bits in that threat model are there to guard against all sorts of bugs that can get exploited, not directly against deliberately malicious applications. If you’re going to adopt the bug making machine (complex libraries and protocols, development and release habits like rolling releases and the like), you have to adopt the bug protection mechanisms, too, otherwise they keep biting.

          1. 2

            Wow, that bug is truly outrageous. Remote code execution with virtually no effort.

        2. 9

Microsoft significantly shaped up on security since ~2003 when XP was a superfund site. They’ve pushed many security mitigations (like W^X) into production (even with the extreme backwards compatibility situation), so much so that even Theo de Raadt actually thought they were doing a better job than the Linux ecosystem. Not to mention that I think they’re the only OS that actually ships formally verified drivers…

      2. 3

The telemetry is bad on non-professional versions; if you get the enterprise version it is pretty much clean.

    2. 11

      The bit about copyright violations is particularly bad, too.

        1. 17

          That seems less an “other side” and more “so what?”, especially in his response to jwz’s response, but it’s indeed interesting to have more context.

        2. 7

          “Your security arguments turned out to be incorrect. So, stop?” Did they though? Did they REALLY?

        3. 6

          Interesting, but I’m inclined to be on jwz’s side

    3. 8

      How does slock compare to xscreensaver?

      1. 10

        I dare you to find a bug in it. ;)

        Keep in mind the remarks on its manual page though, i.e. that you have to disable VT-switching and the X11-kill-switch. Apart from that, when the mouse or keyboard is grabbed by another application, it will wait for them to be released. Until then though, the screen won’t turn black, so you at least know that your screen is not locked. We can’t fix that limitation in X11, but apart from that, once your screen is black, you should be good to go.

        More in-depth testing is appreciated though, but we discussed more or less all aspects of slock and X11-limitations deeply at the suckless conference in 2016.

        1. 3

I wonder if you can do some sort of fuzz testing on the input with these kinds of applications; that probably would have caught the “my kids are randomly smashing my keyboard” case.

          I don’t really care enough about the security of these kinds of applications to work on it (I just use slock to prevent the “opportunist passer-by” scenario), but this is probably the best way to test these kinds of things.

    4. 7

      This mistake of the X11 architecture can never, ever be fixed. X11 is too old, too ossified, and has too many quagmire-trapped stakeholders to ever make any meaningful changes to it again. That’s why people keep trying to replace X11 – and failing, because it’s too entrenched.

      Meanwhile, Sway, Wayland and Swaylock are doing fine, and have been doing fine for years.

      Android too.

      Both X and XScreensaver are replaceable.

      1. 18

        Well, with Sway having the very same issues.

        1. 3

          That is disconcerting! And I have never seen this problem. But I still think both X and XScreensaver are replaceable.

The author of XScreensaver obviously has other good points, though.

          1. 2

            GNOME is probably in the best position to handle this – with everything being integrated in the gnome-shell process, the whole class of interprocess issues (like “lock process crashes”) is gone. If the lock crashes, it takes the whole desktop session with it :)

            But yeah, it should be quite easy to make the wlroots world more reliable against lock crashes. In addition to input-inhibit, we could have a “hardcore mode” protocol where the compositor would e.g. not present any other windows until it gets an actual positive confirmation from the lockscreen, and restarts it if it crashes.

            Thing is, most people don’t care enough about screen locking security these days. It’s mostly a casual deterrent against kids/parents/coworkers/whatever. Most modern threats don’t have physical access at all.
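A simulation of two ideas raised in this thread, the keystroke fuzzing suggested in the slock discussion above and the supervisor that restarts a crashed locker from the “hardcore mode” comment, as added example code that is not part of xscreensaver, slock, swaylock, wlroots or any post here. It models the locker as a Python object with a deliberate crash on long input, compares a fail-open session (a locker crash unlocks the desktop) with a fail-closed supervised one (only a positive unlock confirmation does), and drives both with a fixed keyboard smash and with random keystrokes. The password, buffer limit and key alphabet are constructed for the simulation; nothing here touches a display server.

```python
"""Fail-closed screen-lock supervision, exercised by a keystroke fuzzer.

Added illustration only: this is not code from xscreensaver, slock, swaylock,
wlroots or any compositor. The locker is a Python object rather than an X11 or
Wayland client, and "exposed" is a flag rather than a real desktop, so the
script runs offline. The password and key alphabet are constructed sample data.
"""
import random

PASSWORD = "hunter2"  # constructed sample secret for the simulation


class LockerCrashed(Exception):
    """Stands in for the locker process dying (core dump, OOM kill, ...)."""


class BuggyLocker:
    """Password prompt with one deliberate defect: it 'crashes' once the
    input buffer grows past MAX_BUF. This models the thread's
    'kids smashed the keyboard until the screensaver core dumped' case."""

    MAX_BUF = 32  # constructed limit, small so the defect is easy to hit

    def __init__(self):
        self.buf = ""

    def feed(self, key):
        """Return True only when the correct password was just entered."""
        if key == "\n":
            ok = self.buf == PASSWORD
            self.buf = ""
            return ok
        self.buf += key
        if len(self.buf) > self.MAX_BUF:
            raise LockerCrashed("simulated input-buffer overflow")
        return False


class FailOpenSession:
    """Naive design: the locker window is the only thing between input and
    the desktop. When the locker dies nothing is left in the way."""

    def __init__(self):
        self.locker = BuggyLocker()
        self.exposed = False

    def feed(self, key):
        if self.exposed:
            return
        try:
            if self.locker.feed(key):
                self.exposed = True
        except LockerCrashed:
            self.exposed = True  # crash == unlocked; this is the bug class


class FailClosedSession:
    """Supervised design (the 'hardcore mode' idea in the thread): a separate
    supervisor keeps the desktop hidden until it gets a positive unlock
    confirmation, and restarts the locker whenever it crashes."""

    def __init__(self):
        self.locker = BuggyLocker()
        self.exposed = False
        self.restarts = 0

    def feed(self, key):
        if self.exposed:
            return
        try:
            if self.locker.feed(key):
                self.exposed = True  # the only path to exposure
        except LockerCrashed:
            self.restarts += 1
            self.locker = BuggyLocker()  # fresh locker, desktop still hidden


def smash(session_cls, keys):
    """Deterministic driver: feed a fixed key sequence, return (exposed, restarts)."""
    s = session_cls()
    for k in keys:
        s.feed(k)
    return s.exposed, getattr(s, "restarts", 0)


KEYS = "abcdefghijklmnopqrstuvwxyz0123456789\n"  # constructed fuzz alphabet


def fuzz(session_cls, rounds=20000, seed=1):
    """Random keystroke fuzzing. Returns (exposed, restarts). For a correct
    design 'exposed' must stay False no matter what the fuzzer types."""
    rng = random.Random(seed)
    s = session_cls()
    for _ in range(rounds):
        s.feed(rng.choice(KEYS))
        if s.exposed:
            break
    return s.exposed, getattr(s, "restarts", 0)


if __name__ == "__main__":
    for cls in (FailOpenSession, FailClosedSession):
        print(cls.__name__, "smash:", smash(cls, "a" * 40), "fuzz:", fuzz(cls))
```

The invariant the fuzzer checks is the one the thread is really arguing about: the desktop may become visible only after the locker has positively confirmed an unlock, never as a side effect of the locker going away. With the fail-open design the random typing reaches the crash within a few hundred keystrokes; with the supervised design the same crash just costs a restart.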

            1. 5

              Most modern threats don’t have physical access at all.

              FWIW, I know of a place where people with Linux workstations are explicitly required to log out of their sessions when leaving their desks, rather than lock their screens, specifically because it’s notoriously finicky and because not everyone who is in an office is guaranteed to be a coworker, or a coworker with good intentions.

              Maybe most modern threats don’t have physical access at all but that doesn’t stop old-school threats like “somebody copies data off of someone’s computer” from working quite reliably.

      2. 5

        Meanwhile, Sway, Wayland and Swaylock are doing fine, and have been doing fine for years.

        The original argument (that jwz repeats in this post) predates Wayland by about five years, and actually translates quite well to Wayland, too. The Wayland equivalent of this bug – a screen locker that does not fail safely – is just as bad.

        (Edit: granted, the big and very relevant deal about X11 is that it does make writing a locker that fails safely really, really hard. Hell, it makes it obnoxiously hard to write a locker in the first place, without even thinking about how it might fail. My point is definitely not that you’re wrong, IMHO you are absolutely right, just that the post ought to be read in a slightly different key – it’s about a debate, and an argument, that predate the first useful Wayland compositors for desktops by 10+ years)

    5. 8

Switched over to Mint recently and was displeased to find out that I’d have to go through multiple hoops to get xscreensaver set up. Wonderful experience otherwise, but *come on*.

      Please, distro people, stop not shipping xscreensaver. Staaaaaaaaahp.

      Just use grandpa Zawinski’s prior art.

      It is more secure and it looks better.

    6. 3

      Can anyone suggest a xscreensaver alternative that doesn’t pull a bunch of dependencies?

      resolving dependencies...
      looking for conflicting packages...
      
      Packages (21) gdk-pixbuf-xlib-2.40.2-1  glu-9.0.1-2  libglade-2.6.4-7  perl-clone-0.45-2  perl-encode-locale-1.05-7  perl-file-listing-6.14-1  perl-html-parser-3.75-1
                    perl-html-tagset-3.20-10  perl-http-cookies-6.10-1  perl-http-daemon-6.06-2  perl-http-date-6.05-3  perl-http-message-6.27-1  perl-http-negotiate-6.01-8
                    perl-io-html-1.004-1  perl-libwww-6.52-1  perl-lwp-mediatypes-6.02-8  perl-net-http-6.20-1  perl-try-tiny-0.30-5  perl-www-robotrules-6.02-8
                    xorg-appres-1.0.5-2  xscreensaver-5.44-3
      

      I mean, is this reasonable for everyone?

      1. 10

        I use i3lock. Its direct dependencies look reasonable, although I don’t know what they recursively expand to.

        With that said, I don’t know whether it is “secure” or not because my threat model doesn’t really care if it is or not. I only use it to prevent cats and children from messing around on the keyboard. And for that, it works well.

      2. 4

        Try slock, which has no dependencies except X11 itself.

      3. 2

        Build from source and disable the savers/hacks that require the dependencies you aren’t happy about.

        1. 1

          I don’t want any screensaver, just want my screen to lock reliably. I guess I’ll try that.

            1. 2

It’s a great compromise when using X11, but the whole concept of screen savers on X11 is just so fragile. Actually suspending the session even if the screensaver should crash would be much cleaner (which is how every other platform, and also Wayland, handles it).

              What I’m even more surprised about is that you said this compromise is possible with 25yo tech - why did no distro actually do any of this before?

          1. 0

            What about physlock?

            1. 5

No idea about physlock or any other alternative, I am asking because this sentence kind of makes me think:

              If you are not running XScreenSaver on Linux, then it is safe to assume that your screen does not lock.

              Though this person’s attitude kind of bothers me, if you run ./configure on xscreensaver you read stuff like:

              configure: error: Your system doesn't have "bc", which has been a standard
                                part of Unix since the 1970s.  Come back when your vendor
                                has grown a clue.
              

              hm. Ok? I guess I don’t have to like it, I just don’t see the need for that.

              1. 19

                jwz ragequit the software industry some 20 years ago and has been trolling the industry ever since. Just some context. He’s pretty funny but can be a bit of an ass at times 🤷

                1. 18

                  He’s also pretty reliably 100% correct about software. This may or may not correlate with the ragequitting.

                  1. 3

                    While ragequitting may not correlate with being correct about software, being correct about software is absolutely no excuse for being an ass.

                    1. 7

                      It’s not his job to put on a customer support demeanor while he says what he wants.

                      He gets to do as he likes. There are worse crimes than being an ass, such as being an ass to undeserving people perhaps. The configure script above is being an ass at the right people, even if it does editorialize (again, not a problem or crime, and really software could use attitudes!)

                      1. 4

Lots of people in our industry seem to think that being a good developer means you can behave like a 5-year-old. That’s sad.

                        1. 4

                          Especially in creative fields, you may choose to portray yourself any way you choose. You don’t owe anybody a pleasant attitude, unless of course you want to be pleasant to someone or everybody.

                          For some people, being pleasant takes a lot of work. I’m not paying those people, let alone to be pleasant, so why do I demand a specific attitude?

                          1. 2

                            Being pleasant may take work, but being an asshole requires some effort too. Unless you are one to begin with and then it comes naturally of course. :D

                      2. 3

                        How is the bc comment being an ass at the right people? Plenty of distros don’t ship with bc by default, you can just install it. What is a “standard part of unix” anyway?

                        1. 9

                          bc is part of POSIX. Those distros are being POSIX-incompatible.

                        2. 8

                          As a developer for Unix(-like) systems, you should be able to rely on POSIX tools (sh, awk, bc etc.) being installed.

                    2. 2

                      It sounds like you view software as an occupation. It is not. It’s a product.

              2. 2

                Physlock runs as root and locks the screen at the console level. AFAIK the problems affecting x-server screenlockers aren’t relevant to physlock.

    7. 5

      Things like this are why I don’t use Linux as a desktop OS. It’s just too unreliable.

      1. 2

        What do you use instead?

        1. 2

          Windows 7 mainly. I also have an old computer running Alpine Linux (but without X11 or anything) that I SSH into using PuTTY. I’m playing around with Plan 9 in a VM on that computer as well.

    8. 2

      I vaguely remember this guy. I think he sabotaged downstream packages with some obnoxious nagware message and drama ensued on Debian mailing list. I can’t take this guy seriously if he is just going to come off as an ass.

      1. 33

        Debian had fucked up and made an annoying support burden for him, by refusing to ship bugfixes from upstream but also seemingly refusing to hard-fork it and update support information.

        I think that jwz is firmly in the right to be annoyed here.

        1. 2

The reason why people choose Debian stable is that the software doesn’t change every time upstream comes up with a new version, but when the distro is released. If he doesn’t like that he should explicitly forbid packaging his code, because that’s how distros work.

          1. 6

            The whole debate wasn’t (just) about Debian not packaging a more recent version, it was specifically about Debian packaging the old version with the “the version you’re currently running is out of date” message removed. I.e. downstream patched the xscreensaver code to remove the update… alert? It wasn’t really an alert, it just said “This version is very old, please update” on the splash screen, next to the title and copyright.

            I don’t think asking downstream not to patch that out is an unreasonable demand. If they want to package old versions and not update them (which, as a former Debian stable user, I understand 100%) that’s great, but it’s at the very least bad taste to patch out a perfectly harmless piece of code (not a bug!) that only lessens the support burden for the upstream developers.

            1. 2

Well the message didn’t just ask people to update. It added “If this is the latest version that your distro ships, then your distro is doing you a disservice”, which is trollish at best. Then again the same guy also trolls distros in his configure scripts, and is clearly very successful at that – without all this publicity we wouldn’t be talking about him right now.

              1. 13

                It’s easy to call something trollish when you’re not at the receiving end of emails about bugs you fixed three years ago, which cause you to spend three days chasing a CVE-worthy regression – and then it turns out it’s no regression, someone’s really using a three year-old version.

                Way back when the Stable codename was Potato, it was pretty common knowledge among Debian users that, if you run into a bug, you don’t report it upstream before building the latest version from source. Because e.g. half the protocols Gaim supported didn’t work in the package Debian shipped in stable, as the protocols had long changed. There was a good chance that your bug report wasn’t just out of date, but that it would refer to code that wasn’t even there anymore.

                As Linux (and Debian, and its derivatives) became more popular, that piece of very useful wisdom became less and less common, but lots of folks in the Debian packaging team never quite woke up to that realisation.

Most of the time this doesn’t blow up in someone’s face, it just silently fizzles out in the form of bug reports from Debian users being silently ignored. In this case, it did.

                Edit: FWIW, I had no idea there was a pop-up message, too (I didn’t use XFCE, I just read about that in the original bug report – I probably read that back then, too, but I certainly forgot about it, hence the “wasn’t really an alert?” part in my previous message, which is obviously wrong :-D).

                1. 2

                  I don’t buy that, sorry. The first thing you do when you get a bug report is asking for the version number. If you spend three days investigating a bug without knowing which version of the software the user is running then you’ve got only yourself to blame. Adding a passive aggressive pop up alert like that to your software is crying for attention (and it works well apparently given that I’m still here :D)

                  1. 6

                    No one is selling you anything to buy.

                    Specifically from jwz’s post on the topic he is complaining about being spammed by Debian users.

                    And what about “This version of XScreenSaver is very old! Please upgrade!” is passive aggressive?

                  2. 2

                    I don’t buy that, sorry. The first thing you do when you get a bug report is asking for the version number.

Most bug report emails start with “I’m using the latest version of and…”. Then it turns out it’s the latest version from Debian stable, so it’s something from three years ago.

                    Yes, after a while you end up knowing better than to take their word for it, but it’s not fun. It’s also not fun for everyone else. It’s hard not to sound condescending when you reply and ask them for the EXACT version number.

                    Debian makes this particularly difficult because – I know, I like mailing lists & co. too, I sympathise, but! – lots of Debian users have no idea how to report a bug or check on what’s happening with their report. Many of them were born after that reportbug-based thing. So they just write to the program’s author instead.

                    (Edit: and FWIW I like reportbug mailing list workflows, and I wish people would use them, but practical experience shows that at this point a lot of them don’t, and don’t see the point of learning it just to report a bug, either.)

              2. 5

                Well the message didn’t just ask people to update. It added “If this is the latest version that your distro ships, then your distro is doing you a disservice”, which is trollish at best.

                No, it didn’t and doesn’t.

                1. 1

                  Yes, it did. From the original bug:

                  There is a similar warning when opening the “Screensaver” command from the XFCE Applications Menu:

_("Warning:\n\n"
                    "This version of xscreensaver is VERY OLD!\n"
                    "Please upgrade!\n"
                    "\n"
                    "http://www.jwz.org/xscreensaver/\n"
                    "\n"
                    "(If this is the latest version that your distro ships, then\n"
                    "your distro is doing you a disservice. Build from source.)\n"
                    ),
                  

                  See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819703

                  1. 1

                    I stand corrected. The “your distro is doing you a disservice” message is in the Gtk demo driver.

          2. 5

            the software doesn’t change every time upstream comes up with a new version

            The mistaken assumption in this is that a new version from upstream will change things, or be incompatible. For some software, this is the case. For others: not really.

            It’s this “one size fits all” approach that causes a lot of friction, and also pushes quite a bit of maintenance burden on the community as a whole. It’s not uncommon for projects to work around things just because “Debian still ships with this libfoo version from 3 years ago containing a bug that’s long since been fixed”, or “this libfoo feature is not yet available in Debian and causes a compile error”.

            One of the reasons I like Vim is because it’s really stable, but if I use Debian stable I’ll still be stuck with Vim 8.1.0875 from two years ago, which also causes friction in the community, as people expect all plugins to be compatible with this old version as well. I’ve definitely spent a lot of time on compatibility issues just because of Debian.

This is an old discussion and we’re never going to agree, but IMO if you want stable software then choose, well, stable software from stable vendors. I’m not a fan of Debian second-guessing the upstream release processes, and while I don’t really care how people use their computers (it’s their computer after all), the friction Debian introduces for the community/ecosystem as a whole as well as the unwillingness to recognize this leaves me with some amount of dislike of Debian.

      2. 6

        It was about some distros shipping a very old version of xscreensaver, which resulted in lots of users sending him emails about bugs that had already been fixed for years.

        https://www.jwz.org/blog/2016/04/i-would-like-debian-to-stop-shipping-xscreensaver/

        This sounds a lot like one of those posts that started circulating a few years ago about OSS maintainer fatigue. Though jwz certainly added fuel to the fire with his attitude.