The point is there are half a million lines of code in the xorg server, which is basically a dead cow that nobody has yet had the guts to give the last honor of a headshot...
So 0.5 million lines of code; in the xorg mailing list there are 80 messages in 24 days, that's 3 messages per day... The kernel mailing list has around 400 messages per day. So if I take this number I could guess that there are 130x as many developers involved.
The Linux 3.2 kernel had 15 million lines of code... so you have 15 million / 400 = 37.500 per X devs vs 0.5 / 3 = 166.666 per X devs, which means that each xorg developer has to manage 4-5 times the lines of code.
And I guess the number of messages from non-developers in the xorg mailing list is way higher than in the kernel mailing list. So you can't think that this old piece of software can have the same quality. But at least they fixed the mentioned bugs very fast.
It will become better, because at the moment wayland has 1/50 the amount of code that xorg has. That factor will change of course when wayland is able to do more... but it will probably never reach 1/1, else this project would be stupid ;)
And btw, there were file permissions mentioned; isn't that a thing that the distros should make right?
Is there any valid reason that Xorg runs as root?
In reality, people think of new avenues of attack, software environments change, hardware evolves, and you have to adapt your software to stay secure amongst that.
In this case there were a number of factors - a large part was previous X developers simply didn't think much about this attack pattern: in their original design, the X server was the process which ran with higher privileges in order to access the hardware devices, and you had to protect it from attacks by clients trying to exploit those privileges. It was only in later X11 releases that various forms of virtual X server (Xnest, Xvfb, Xvnc, Xephyr, etc.) appeared which could be run without privileges, and thus turned the tables. Unfortunately, until this, no one thought to audit the X client libraries to protect privileged clients from a malicious virtual X server.
Another factor is that a number of these attacks require you to make the client allocate a gig or 2 of RAM. When I first used X it was on a Sun 3/50 with 4mb of RAM - having a single client allocate more memory than was available if you combined the entire lab of workstations was ludicrous. Now I'm typing this in X on a system with 12gb of RAM, and was able to reproduce quite a few of these issues. Others included assumptions that made sense when your software was 32-bit, that failed to hold up when ints, longs, and pointers aren't all the same size any more.
Even in 2013, when reviewing these, a lot of them were non-obvious unless you had the source in one window, the protocol headers in another and the protocol spec in a third. This was tedious work to cross-reference and confirm or refute each report, and even so a number ended up at the point where we weren't sure it was definitely exploitable, but we were sure there are smarter people than us in the world, and if just one of them can figure out an exploit, our users would be screwed, so we had to assume the worst case.
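An added illustration of the class of bug described in the post above (not part of the thread, and not Xlib code): a client trusts an item count sent by the server and sizes a buffer in 32-bit arithmetic, next to a checked version. The `reply_hdr` structure, `ITEM_SIZE` and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reply header for illustration; not a real X11 structure.
 * nitems comes from the server and must be treated as untrusted. */
struct reply_hdr { uint32_t nitems; };

#define ITEM_SIZE 16u   /* constructed fixed record size */

/* Pattern that held up while memory was small: byte count computed in
 * 32 bits. A large nitems wraps modulo 2^32 and yields a tiny size. */
uint32_t unchecked_bytes(const struct reply_hdr *h)
{
    return h->nitems * ITEM_SIZE;
}

/* Hardened form: reject counts that overflow size_t or that claim more
 * data than the reply actually carried. Returns 0 on success, -1 otherwise. */
int checked_bytes(const struct reply_hdr *h, size_t payload_len, size_t *out)
{
    if (h->nitems > SIZE_MAX / ITEM_SIZE)
        return -1;
    size_t need = (size_t)h->nitems * ITEM_SIZE;
    if (need > payload_len)
        return -1;
    *out = need;
    return 0;
}

/* Copy the items out of a received reply; NULL means the reply was refused. */
void *read_items(const struct reply_hdr *h, const void *payload, size_t payload_len)
{
    size_t need;
    if (checked_bytes(h, payload_len, &need) != 0 || need == 0)
        return NULL;
    void *buf = malloc(need);
    if (buf != NULL)
        memcpy(buf, payload, need);
    return buf;
}
```

The first check only ever fires where `size_t` is 32 bits wide; on 64-bit builds the comparison against the received payload length is what refuses the oversized count.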
That said, the radeon driver is great for AMD. The best driver one can get on Linux for all activities, for AMD. Yes, dynamic power management is coming, after (3 years?) "soon". They are still not OpenGL 4.3, but it's not too bad, because they are open source and become very fast now.
And, finally, the intel driver is great for Intel. The best driver one can get on Linux for all activities, for Intel. Yes, the gallium version is coming, after (3 years?) "soon". They are still not performing well due to weak hardware, but it's not too bad, because they are open source too and Haswell is coming now.
Thank you, alanc. It seems like you are getting some flack on this thread, but no worries. You are doing exactly the right thing. I clearly don't have the experience you have, but I've been saying the same thing for a long time. A flaw is a flaw, and an exploit is taking advantage of a flaw. So you don't really look for the exploit, you look for the flaw. But first you have to define what a flaw is.
Hunting for security holes is a very difficult thing to do. Clearly you have the skill and experience to do it well. Keep up the good work.
Nerdy girls are sexy like hell ;) (of course not if they look like a horse ^^) but forget about girls for a moment. I programmed several programs, most of them because I wanted such software for myself. I think that's the best reason to make a program.
As an example, I wrote a kind of console wrapper that finds youtube links, makes a playlist and puts this playlist in smplayer. A bit like minitube, but it fixes some problems I had with minitube. As an example, you can watch videos in the other direction, so if somebody posts an event with 20 videos it plays in the right direction without moving around 20 videos in the playlist manually.
That's one example... I never thought for 1 second that I do this program to impress girls. Maybe something is wrong with me, and I should try to impress girls with that... but I am not, and let's say linus has a wife, do you think he has programmed for ages on linux and started linux to find his wife?
Ok, maybe the reasons to write are others for most other people, I don't know. But THE other argument for writing stuff is surely not about girls, it's about money; good linux hackers can have big salaries. So if people want their names in the linux kernel it's because companies scan these logs for people and hire them.
And maybe then, ONLY because they got much money, girls like them. So indirectly maybe they have better chances sexually, but I don't think that the first thing they have in mind is to get laid...