X Window security. Wandered outside the hack lab to sip a drink and
cool down. There I saw Keith Packard and Bdale Garbee. Quickly introduced
myself to them both, then asked Keith what his take was on the recent OpenBSD
complaints that X11 is insecure by design [1] [2]. Keith said he wasn't going
to respond to those complaints, because DRI/DRM already provides what Theo de
Raadt says he wants in the way of kernel control over DMA and register access
on video cards. Many X11 video drivers are not
yet converted over to doing things the DRI/DRM way, and so Theo is correct that
X11 has huge security holes. But they are not permanent; the future is already
arriving. Although DRI/DRM is positioned as a 3D technology, it is intended
that even 2D drivers in the future will conform themselves to its API. Keith
also said that OpenBSD's representative on the X11 team is easy to work with
and cooperates well with the team, so there is hope that if OpenBSD turns its
attention to X11 support, everyone will soon benefit from the comprehensive
security audit. Although the DRI/DRM design solves the security problems, it
is a bitch to implement. Mode switching alone is so finicky and is so tied
into both the video hardware and X11 server optimizations, that it has never
successfully been implemented in the kernel. Keith said he supported the idea
of isolating the mode switching code out into a small, privilege separated
userland utility. There were many other things said, which sounded positive,
but without the aid of a tape recorder, I can't remember them.

Putting packages out of main. Learnt a trick today, courtesy of Phil
Hands and Ralph Amissah. If you want to upload a package into a part of the
distribution other than main, you alter the "Section:" field of the
debian/control file in your package. Suppose your package fits into the text
section, because you use it to process text. Maybe you reimplemented awk. If
you put "Section: text" the package will go into the text portion of the main
repository. If your version of awk depends on a library that is in the
non-free section, you would put it in the contrib section. So you would put
this in your debian/control file:

    Section: contrib/text

and Bob's your uncle.

Politics. I find myself doing vastly more politics at this conference
than coding, although I am getting some of that done too. When people are deep
inside their own worlds, it takes a lot of work to bridge between the worlds.
So far it seems like time well invested.

Embedded. If anyone needs any embedded work done, Wookey is your guy.
Send him an email with a proposal.

- 2006-05-11 22:00:04 Re: security bug in x86 hardware (thanks to X WIndows)
- 2006-05-13 20:07:35 Re: security bug in x86 hardware (thanks to X WIndows)