On 09/04/2018 at 03:04, Chris Adams wrote:
> It's Open Source - patching to remove such a nag is legal and a service
> to the users.
>
> It's a screensaver program - how many updates does it need anyway? If
> it is just updates to add more fancy animations, there is zero reason to
> demand people upgrade.

Here's the exact response I got from the developer after asking for help:

"I am not going to go out of my way to help you run security-critical software that is YEARS out of date. In fact, I consider it my responsibility to do exactly the opposite.

It's not rocket science: someone on your distro's team just needs to update it ONCE A YEAR. If that is too onerous for them, then I'd prefer that they not distribute my software at all.

If you don't like the way XScreenSaver works, then don't run it. I hear GNOME Screensaver is a thing that also exists. See how that works out for you instead."

I didn't know a screensaver was that critical.

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tel. : 04 66 63 10 32

> It's not rocket science: someone on your distro's team just needs to
> update it ONCE A YEAR. If that is too onerous for them, then I'd prefer
> that they not distribute my software at all.

And that just goes to show that he knows not what CentOS is - since clearly he doesn't realise that it is NOT distributed by CentOS at all. I suspect RH don't touch it for this very reason.

> If you don't like the way XScreenSaver works, then don't run it. I hear
> GNOME Screensaver is a thing that also exists. See how that works out
> for you instead."
>
> I didn't know a screensaver was that critical.

I tend to go along with Gnome when it comes to screen savers: they serve no purpose whatsoever other than eye candy. Don't bother with them. Just configure Gnome to lock the session and blank the screen so the monitor turns off.

If your corporate masters require uplifting messages to be shown on all the screens, then require them to provide you with the resources to sort out the software.

P.

On 09/04/2018 07:47, Nicolas Kovacs wrote:
> I didn't know a screensaver was that critical.

It's critical in that XScreenSaver deals with locking the screen/dealing with passwords. I believe the fancy animation bits are separate.

On 9 April 2018 at 04:47, Tom Grace <lists-in at deathbycomputers.co.uk> wrote:
> On 09/04/2018 07:47, Nicolas Kovacs wrote:
>> I didn't know a screensaver was that critical.
>
> It's critical in that XScreenSaver deals with locking the screen/dealing
> with passwords. I believe the fancy animation bits are separate.

xscreensaver is security critical for the following reasons:

1. Several of the screensavers take user input which may not be the main user. If the software has a security problem, those plugins could overwrite the user's data.
2. If the user is expecting that the xscreensaver is locking out a user and it does not, then that is security related.
3. The way X works is that every X application can listen to all mouse and keyboard actions. This also has a security context.

For many sites, any of these make Xscreensaver into a high security item.

It makes perfect sense from jwz's point of view because several times something 'simple' in an xscreensaver code has turned into a meltdown somewhere. And the fact that people email him before emailing the EPEL maintainer or opening a bugzilla about it says his time is better served saying "not my problem mate."

--
Stephen J Smoogen.