On 12/17/21 12:21, Fabio Valentini wrote:
With the recent updates to use a standalone xwayland package, the
"classic" xorg-x11-server package seems to have fallen into disrepair.
It is multiple versions behind upstream (Fedora has 1.20.11, upstream
has released 1.20.12, 1.20.13, 1.20.14, 21.1.0, 21.1.1, 21.1.2), and
has open CVE issues attached to it.
A BugZilla query for the xorg-x11-server package reveals a worrying
state of things, with bugs not being touched in ages, and the
xgl-maint account that is the "main admin" and bugzilla assignee for
multiple xorg-related packages has a *deactivated BugZilla* account,
so NEEDINFO requests etc. don't work (no idea what else doesn't work,
I suppose maintainers won't get bug emails either, if their bugzilla
account doesn't work ...). Does it count as "non-responsive
maintainer", if the maintainer doesn't have an active BugZilla
I know that Wayland is the default on many Fedora Editions / Spins,
but some of us plebs still rely on X11 / X.org sessions and it would
be great to have the X server package updated. For a
security-sensitive component like the X server, this is a worrying
state of things.
Thank you for pointing this out. I have it on good authority that
an updated pkg for the CVE is being worked on.
Note this does not takeaway that the classic Xorg server packages
could definitely use some love / use some community co-maintainers.