5:21 a.m.
Hi all,
With the recent updates to use a standalone xwayland package, the
"classic" xorg-x11-server package seems to have fallen into disrepair.
It is multiple versions behind upstream (Fedora has 1.20.11, upstream
has released 1.20.12, 1.20.13, 1.20.14, 21.1.0, 21.1.1, 21.1.2), and
has open CVE issues attached to it.
A BugZilla query for the xorg-x11-server package reveals a worrying
state of things, with bugs not being touched in ages, and the
xgl-maint account that is the "main admin" and bugzilla assignee for
multiple xorg-related packages has a *deactivated BugZilla* account,
so NEEDINFO requests etc. don't work (no idea what else doesn't work,
I suppose maintainers won't get bug emails either, if their bugzilla
account doesn't work ...). Does it count as "non-responsive
maintainer", if the maintainer doesn't have an active BugZilla
account? :)
I know that Wayland is the default on many Fedora Editions / Spins,
but some of us plebs still rely on X11 / X.org sessions and it would
be great to have the X server package updated. For a
security-sensitive component like the X server, this is a worrying
state of things.
Fabio
6:02 a.m.
*** It is multiple versions behind upstream (Fedora has 1.20.11,
upstream has released 1.20.12, 1.20.13, 1.20.14, 21.1.0, 21.1.1,
21.1.2), and has open CVE issues attached to it. ***
On Fri, 2021-12-17 at 12:21 +0100, Fabio Valentini wrote:
Hi all,
With the recent updates to use a standalone xwayland package, the
"classic" xorg-x11-server package seems to have fallen into disrepair.
It is multiple versions behind upstream (Fedora has 1.20.11, upstream
has released 1.20.12, 1.20.13, 1.20.14, 21.1.0, 21.1.1, 21.1.2), and
has open CVE issues attached to it.
A BugZilla query for the xorg-x11-server package reveals a worrying
state of things, with bugs not being touched in ages, and the
xgl-maint account that is the "main admin" and bugzilla assignee for
multiple xorg-related packages has a *deactivated BugZilla* account,
so NEEDINFO requests etc. don't work (no idea what else doesn't work,
I suppose maintainers won't get bug emails either, if their bugzilla
account doesn't work ...). Does it count as "non-responsive
maintainer", if the maintainer doesn't have an active BugZilla
account? :)
I know that Wayland is the default on many Fedora Editions / Spins,
but some of us plebs still rely on X11 / X.org sessions and it would
be great to have the X server package updated. For a
security-sensitive component like the X server, this is a worrying
state of things.
Fabio
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
Sérgio M. B.
8:10 a.m.
Hi Fabio,
On 12/17/21 12:21, Fabio Valentini wrote:
Hi all,
With the recent updates to use a standalone xwayland package, the
"classic" xorg-x11-server package seems to have fallen into disrepair.
It is multiple versions behind upstream (Fedora has 1.20.11, upstream
has released 1.20.12, 1.20.13, 1.20.14, 21.1.0, 21.1.1, 21.1.2), and
has open CVE issues attached to it.
A BugZilla query for the xorg-x11-server package reveals a worrying
state of things, with bugs not being touched in ages, and the
xgl-maint account that is the "main admin" and bugzilla assignee for
multiple xorg-related packages has a *deactivated BugZilla* account,
so NEEDINFO requests etc. don't work (no idea what else doesn't work,
I suppose maintainers won't get bug emails either, if their bugzilla
account doesn't work ...). Does it count as "non-responsive
maintainer", if the maintainer doesn't have an active BugZilla
account? :)
I know that Wayland is the default on many Fedora Editions / Spins,
but some of us plebs still rely on X11 / X.org sessions and it would
be great to have the X server package updated. For a
security-sensitive component like the X server, this is a worrying
state of things.
Thank you for pointing this out. I have it on good authority that
an updated pkg for the CVE is being worked on.
Note this does not takeaway that the classic Xorg server packages
could definitely use some love / use some community co-maintainers.
Regards,
Hans
3:46 p.m.
On Fri, Dec 17 2021 at 03:10:11 PM +0100, Hans de Goede
<hdegoede(a)redhat.com> wrote:
Note this does not takeaway that the classic Xorg server packages
could definitely use some love / use some community co-maintainers.
If xgl-maint isn't going to maintain the packages anymore, orphaning
them is the right thing to do. Then somebody else can pick them up...
or not.
Michael
2:58 p.m.
On Fri, Dec 17, 2021 at 10:46 PM Michael Catanzaro <mcatanzaro(a)gnome.org> wrote:
On Fri, Dec 17 2021 at 03:10:11 PM +0100, Hans de Goede
<hdegoede(a)redhat.com> wrote:
> Note this does not takeaway that the classic Xorg server packages
> could definitely use some love / use some community co-maintainers.
If xgl-maint isn't going to maintain the packages anymore, orphaning
them is the right thing to do. Then somebody else can pick them up...
or not.
I agree. If the xgl-maint user / pseudo-group is no longer active, it
should be removed from the package.
The way it is set up now looks very broken to me, especially with the
disabled bugzilla account for the package owner.
Fabio
851
days inactive
859
days old
4 comments
4 participants
participants (4)
-
Fabio Valentini -
Hans de Goede -
Michael Catanzaro -
Sérgio Basto