Praise for the security updates

jue-gen · 2024-01-25 08:29:53

It's great that security updates are implemented in Devuan with virtually no delay. For example, I currently got the notifications for thunderbird, firefox-esr, chromium on my smartphone from security@debian.org, go to my Devuan computer and all three get an update. That's nice to see and reassuring.

semil · 2024-01-25 17:43:22

On the other hand, there was yet another set of xorg security updates that we don’t get because it's forked.

jue-gen · 2024-01-26 09:22:24

Yes, that's probably a gap, semil. Although I still have problems with the clipboard, for example, I've only been using Wayland for some time now. It's a stupid situation. Not everything actually works perfectly with Wayland, but with X11 there are apparently security holes that aren't being fixed.

Altoid · 2024-01-26 11:08:09

Hello:

jue-gen wrote:

... but with X11 there are apparently security holes that aren't being fixed.

I would greatly appreciate your being a bit more specific as to which security holes you are referring to.

That said, I am sure you are aware of the difference between aren't being fixed ie: a won't fix label and has not been fixed yet.

The first highly doubtful for a security hole, the second quite possible.

Best,

A.

Last edited by Altoid (2024-01-26 11:08:46)

jue-gen · 2024-01-26 11:31:18

Maybe so, Altoid. I would prefer X11 to be solid and future-proof. As I'm not an expert, I've been reading a lot in forums for years. There, the view that Wayland is more secure is becoming more and more common. For example, because if a window is hijacked, X11 also leaks the data from the other windows to the attacker. Sorry, this is probably not expressed correctly, please bear with me.
But what I'm missing is a really good comparison of the security aspects of X11 and Wayland. I haven't found that anywhere yet. Frankly, I'm looking for some competent confirmation that X11 is at least as secure as Wayland (and furthermore, perhaps: that it has a future). I would appreciate it if someone here could comment on this. I've been using Linux-Debian > Devuan since 2002, but I only work with it, I'm not a programmer or anything like that.

Tell me, Altoid, that X11 in Devuan is at least as secure as Wayland, and I will happily continue to use X11. That would be my favorite thing.

Last edited by jue-gen (2024-01-26 11:50:30)

steve_v · 2024-01-26 12:12:21

if a window is hijacked, X11 also leaks the data from the other windows to the attacker.

That's not a bug, it's a design decision.
X was not developed for personal computers, it's fundamentally a graphical mainframe technology. In that scenario the trust model is inverted WRT a PC - i.e. the network is secure, applications are served from the mainframe and implicitly trusted, the terminal running the xserver is not.

X is as secure as it has ever been and (at least for now) it's still getting patches for any newly discovered issues, but the core design concepts don't transfer particularly well to the age of software-as-an-enemy... Then again, as long as you don't run untrusted applications that might want to screenscrape or keylog you, you're fine.

Last edited by steve_v (2024-01-26 12:16:07)

stopAI · 2024-01-26 12:17:27

On the other hand, there was yet another set of xorg security updates that we don’t get because it's forked.

For security related questions, just check this

https://security-tracker.debian.org/tra … ckage/xorg

Altoid · 2024-01-26 13:27:35

Hello:

... would prefer X11 to be solid and future-proof.

Sure ...
Why not.
Seems to be doing fine. -> see steve_v's excellent explanation above
But ...
What about the security holes you have made reference to?
Please, humour me.

... not an expert ...

Neither am I, like you, just a user with just a few years' experience with MS and Linux under my belt.
ie: not a coder/programmer/maintainer. Can hardly manage to $ ./configure | $ make | # make install once in a blue moon.

... the view that Wayland is more secure is becoming more and more common.

Well, you should know by now that to get to more and more common all you need are enough posts constantly beating that same drum over and over again till it ends up becoming common enough.

Along the same lines and only to illustrate my point: <- no intention of starting a discussion
In the US, the view that Wayland Donald Trump is more secure the best president they ever had is becoming more and more common.

... missing is a really good comparison of the security aspects of X11 and Wayland.

I see.
Lacking that important piece of IT review, it would then seem that ... the view that Wayland is more secure ... does not have much to stand on.
Yes?

... competent confirmation that X11 is at least as secure as Wayland ...

Given the bloat and its provenance, I (very) seriously doubt it.
Of course, YMMV.

Tell me, Altoid, that X11 in Devuan is at least as secure as Wayland ...

Like I said, I am (like you) just a user so I cannot/would not do that.
ie: I lack the needed know-how / training.

What I can tell you is that I have continuously used X11 for a great many years through (in hindsight) far too many distributions and have had no issues with respect to security or anything a well written xorg.conf could not (99% of the time) fix.

As far as I am concerned, the burden of proof is on Wayland and not on X11.
ie: Wayland has to prove to be both better and more secure than X11.

Not the other way around.

Thank you for your input.

Best,

A.

Last edited by Altoid (2024-01-26 15:00:44)

jue-gen · 2024-01-26 15:23:58

Yes, o.k., altoid. When I think about all this, I'm currently coming to the conclusion that I'm actually stupid if I don't continue working with X11. I assumed that Wayland was less bloated than Wayland. At least that's what I've read several times in various forums. I've also read that Wayland is more cleanly programmed and much clearer. I personally cannot verify these statements. What I do know is that I have more problems with Wayland. For example, when I have to fill in long tables from various authorities online, I only have problems with Wayland because the clipboard doesn't work reliably. And here it's pretty stupid if the penultimate number is pasted instead of the last number you copied. If you have to enter several hindered amounts, you simply can't work with Wayland. OK, I'll continue working with X11 for the time being. Many thanks for the input. I'm still interested in the topic and maybe I can read more interesting thoughts in this forum.
Best regards

boughtonp · 2024-01-26 16:02:59

Thunderbird does not depend on systemd. The promptness of its security updates is due to Debian maintainers Carsten Schoenert, Christoph Göhre, and the Debian Security Team.

Firefox does not depend on systemd. The promptness of its security updates is due to Debian maintainer Mike Hommey, the Debian Mozilla Team, and the Debian Security Team.

Chromium does not depend on systemd. The promptness of its security updates is due to Debian maintainers Andres Salomon, Timothy Pearson, the Debian Chromium Team, and the Debian Security Team.

Xorg does not depend on systemd. The promptness of its security updates is due to the Debian X Strike Force, and the Debian Security Team.

None of these packages depend on systemd, none of these packages are forked by Devuan, security for them is not handled by the Devuan team.

This is not a slight on those who maintain Devuan but an attempt to communicate that Devuan is Debian (with systemd removed).

The Devuan Team do important work to maintain init freedom - and absolutely deserve credit for that - but they have nothing to do with how your web browser, mail client, or display server works.

jue-gen · 2024-01-26 17:25:56

Thank you, boughtonp. That was an enlightening explanation, at least for me. Now I understand it better. Yes, "Devuan is Debian".

Addendum:
But when I do an update, it doesn't come from a Debian server. It comes from deb.devuan.org. Do the updates from Devuan come to this repository without delay? That's what makes me happy, everything happens very quickly. How should I imagine that?

Last edited by jue-gen (2024-01-26 18:08:14)

quickfur · 2024-01-26 18:26:03

The Devuan servers, from what I understand, only host a small number of forked packages. The rest of the packages are supplied via a HTTP redirect to the upstream Debian servers. So any updates to non-forked packages would be available at the same time as they become available on the Debian servers.

jue-gen · 2024-01-26 18:30:23

Thank you, quickfur. That must be the case. I've never thought about it before, but I like it.

rolfie · 2024-01-26 19:29:09

Have a look at this article: https://dev1galaxy.org/viewtopic.php?id=3192 - A description how it works.

Last edited by rolfie (2024-01-26 20:21:50)

golinux · 2024-01-26 19:32:11

@rolfie . . . You beat me to it! Well done!!!

jue-gen · 2024-01-26 19:46:10

OK, I'll just keep working with Devuan and trust the people who do it.

pcalvert · 2024-01-27 15:25:36

boughtonp wrote:

Xorg does not depend on systemd. The promptness of its security updates is due to the Debian X Strike Force, and the Debian Security Team.
None of these packages depend on systemd, none of these packages are forked by Devuan, security for them is not handled by the Devuan team.

That is not completely true. The package xserver-xorg-core does not come directly from Debian; it is a Devuan package. Is this true for any other Xorg-related packages? I don't know because I haven't had time to check.

By the way, someone pointed out this fact out a little over a month ago on this forum.

boughtonp · 2024-01-27 16:18:07

Fair enough - I missed that post.

Searching for xorg in the Devuan repos only returns xorg-server - which is the source package for "xserver-xorg-core", aka "Xorg X server - core server".

That's different to the "X.Org X Window System" from the "xorg" package I was referring to, but it is a dependency of it.

Searching the debtree of xorg for "devuan" highlights that xserver-common is also a fork, (unsurprising since it comes from the same xorg-server source package), but the debtree doesn't directly highlight that xserver-xorg-core is itself forked - would be nice if there was some way to have an indication of that.

It also seems the issue in your linked thread has yet to be resolved - based on the versions listed at //pkginfo.devuan.org/xserver-xorg-core and //tracker.debian.org/pkg/xorg-server, there should be a 2:21.1.7-3+deb12u4devuan1 in daedalus-proposed-updates and a 2:21.1.7-3+deb12u5devuan1 in daedalus-security channel.

emanym · 2024-01-27 22:01:42

... but the debtree doesn't directly highlight that xserver-xorg-core is itself forked - would be nice if there was some way to have an indication of that.

(I'm sure it's not recommended practice, but...)

emanym@euterpe:~$ for i in `apt-cache search xserver- | sed -e 's/ .*//'`; do apt-cache show $i | grep Filename ; done

...
Filename: pool/DEBIAN/main/x/xserver-xorg-video-qxl/xserver-xspice_0.1.5+git20200331-3_amd64.deb
Filename: pool/DEVUAN/main/l/lightdm/lightdm_1.26.0-8+devuan1_amd64.deb
Filename: pool/DEVUAN/main/x/xorg-server/xorg-server-source_21.1.7-3+deb12u2devuan1_all.deb
Filename: pool/DEVUAN/main/x/xorg-server/xserver-common_21.1.7-3+deb12u2devuan1_all.deb
Filename: pool/DEVUAN/main/x/xorg-server/xserver-xephyr_21.1.7-3+deb12u2devuan1_amd64.deb
Filename: pool/DEVUAN/main/x/xorg-server/xserver-xephyr-dbgsym_21.1.7-3+deb12u2devuan1_amd64.deb
Filename: pool/DEVUAN/main/x/xorg-server/xserver-xorg-core_21.1.7-3+deb12u2devuan1_amd64.deb
Filename: pool/DEVUAN/main/x/xorg-server/xserver-xorg-core-dbgsym_21.1.7-3+deb12u2devuan1_amd64.deb
Filename: pool/DEVUAN/main/x/xorg-server/xserver-xorg-dev_21.1.7-3+deb12u2devuan1_amd64.deb
Filename: pool/DEVUAN/main/x/xorg-server/xserver-xorg-legacy_21.1.7-3+deb12u2devuan1_amd64.deb
Filename: pool/DEVUAN/main/x/xorg-server/xserver-xorg-legacy-dbgsym_21.1.7-3+deb12u2devuan1_amd64.deb

boughtonp · 2024-01-28 16:12:54

That's a convoluted and inefficient way to write apt-cache show xserver-\* | grep Filename - and the grep must be ^Filename: to prevent false positives.

It also completely misses what I was saying. I was referring to making the status of forks visible directly in the generated debtree dependency diagram.

The officially official Devuan Forum!

#1 2024-01-25 08:29:53

Praise for the security updates

#2 2024-01-25 17:43:22

Re: Praise for the security updates

#3 2024-01-26 09:22:24

Re: Praise for the security updates

#4 2024-01-26 11:08:09

Re: Praise for the security updates

#5 2024-01-26 11:31:18

Re: Praise for the security updates

#6 2024-01-26 12:12:21

Re: Praise for the security updates

#7 2024-01-26 12:17:27

Re: Praise for the security updates

#8 2024-01-26 13:27:35

Re: Praise for the security updates

#9 2024-01-26 15:23:58

Re: Praise for the security updates

#10 2024-01-26 16:02:59

Re: Praise for the security updates

#11 2024-01-26 17:25:56

Re: Praise for the security updates

#12 2024-01-26 18:26:03

Re: Praise for the security updates

#13 2024-01-26 18:30:23

Re: Praise for the security updates

#14 2024-01-26 19:29:09

Re: Praise for the security updates

#15 2024-01-26 19:32:11

Re: Praise for the security updates

#16 2024-01-26 19:46:10

Re: Praise for the security updates

#17 2024-01-27 15:25:36

Re: Praise for the security updates

#18 2024-01-27 16:18:07

Re: Praise for the security updates

#19 2024-01-27 22:01:42

Re: Praise for the security updates

#20 2024-01-28 16:12:54

Re: Praise for the security updates

Board footer