[Bug 2606] Can't build without XC-SECURITY

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Mar 2 00:08:52 PST 2005


Please do not reply to this email: if you want to comment on the bug, go to    
       
the URL shown below and enter yourcomments there.     
   
https://bugs.freedesktop.org/show_bug.cgi?id=2606          
     




------- Additional Comments From ajax at nwnk.net  2005-03-02 00:08 -------
(In reply to comment #2)
> I think the patch is bad for two reasons:
> 1. Disabling the SECURITY extension will break "xauth", almost every ssh
> implementaion under the moon (except OpenSSH which may surive this condition,
> ssh.com's ssh doesn't handle that case), the XC-APPGROUP extension (see [2]) and
> a couple of other things...

xauth only needs the Security extension for the 'generate' command, which is not
used in the default startx, and which anyway only makes sense in the context of
the server supporting the Security extension in the first place. 
BuildXCSecurity does not prevent xauth from supporting this command; it only
means the built server will not support it.  so it does not break xauth.

openssh's Security integration has made a lot of people unhappy and is generally
regarded as a bad move.  it silently changed the semantics of the -X option
which breaks most modern apps.  as far as i can tell ssh generates
MIT-MAGIC-COOKIE-1 tokens using its own internal PRNG so it wouldn't use the
xauth generate command in any case.  (this appears to be the way ssh behaves
back to the 1.2.27 branchpoint for openssh from Tatu Ylonen's original release;
i would be surprised if ssh.com's implementation behaved differently.)  the
point is, 'ssh -X' is broken anyway, disabling the Security extension in the
server does not change that.

it should be noted that openssh's X11 handling is done entirely without
including any X11 headers or linking against any X11 libraries.

not supporting the Security extension in the server is clearly not fatal, since
kdrive doesn't support it and works just fine with xauth and ssh.

> 2. AFAIK the XC-APPGROUP extension needs the SECURITY extension to provide
> "tags" for display connections - and right now the only implemented way to make
> such tags  is to generate a MIT-MAGIC-COOKIE-1 which marks all applications
> which use that cookie with the "tag" (kaleb may correct me if I am wrong...). 

if this is true, then build-time logic is required to do one of two things:

a) if BuildAppgroup && !BuildXCSecurity, turn BuildXCSecurity on
b) if BuildAppgroup && !BuildXCSecurity, turn BuildAppgroup off

either one, i'm not picky.

my reading of the appgroup code is that the Security extension is used to find
an authId on client state change (and then do something magic with it when the
Security extension exists), but that client state change notification only
matters if the server supports Security anyway.  so i don't know that this patch
necessarily breaks XC-APPGROUP.  i'll defer to expert opinion though.          
     
     
--           
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email         
     
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.


More information about the xorg-bugzilla-noise mailing list