Re: libGL error: No matching fbConfigs or visuals found
- Subject: Re: libGL error: No matching fbConfigs or visuals found
- From: Chris Jones <email@hidden>
- Date: Tue, 05 Feb 2019 23:50:59 +0000
> On 5 Feb 2019, at 11:07 pm, James K. Lowden <email@hidden> wrote:
>
> On Tue, 05 Feb 2019 17:00:48 +0000
> Chris Jones <email@hidden> wrote:
>
>> p.s. Just to add some background, the issue here is not specific to
>> MacOS. Indirect GLX is in general being disabled by default in more
>> and more places, for security reasons. Plenty of discussions on the
>> web about it, e.g.
>>
>> <https://www.phoronix.com/scan.php?page=news_item&px=Xorg-IGLX-Potential-Bye-Bye>
>
> I found
>
> https://lwn.net/Articles/625199/
>
> more enlightening.
>
> What a crock.
>
> I understand shipping an OS with mail turned off, to let the
> administrator configure it before it's exposed to the Internet. I
> don't understand making X mysteriously less useful in the name of
> security.
You are clearly then not thinking like a system admin, for whom security does
come higher up the list than utility. More to the point, in a production
environment you should never disregard clear security issues in the name of
just making things a bit more convenient for users.
>
> 10 years ago, we had to switch from
>
> ssh -X
> to
> ssh -Y
>
> for security reasons. "ssh -X" became mysteriously broken, and "ssh
> -Y" was the fix. So we run the same level of security using a different
> option, because that's the only practical solution. Lovely.
>
> Turning off things like indirect GLX by default has the same effect.
> Nothing is made more secure for the user who turns it on. Anyone
> who needs it will find out in a mysterious way: the software stops
> working, weirdly, with no message to enable indirect GLX. The user
> is forced to dig through the X configuration docs -- or show up on
> lists like this one -- to get back to status quo ante.
The point you appear to be missing is the majority of users do not need
indirect GLX, so disabling this by default and thus removing the security
issues associated with it, is not an inconvenience. Even if this means for the
small percentage of users that do need it (and if you do, I would anyway argue
you should be looking towards more performant solutions anyway, but that's
another story) this is in my money an acceptable price to pay. The issue is
well documented and not hard to find.
Chris
>
> For my money, none of the exploits cited in the LWN article justify
> inconveniencing a single user. No one runs X under the illusion that
> it's the very model of a modern secure system, and every noted problem
> is directly fixable by introducing guards to verify
> application-provided values. Disabling the feature without fixing the
> software smacks of officious bureaucracy; disabling the feature after
> fixing the software smacks of incompetent officious bureaucracy.
>
> --jkl
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> X11-users mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden