Hi Chris,

On Sat, Oct 12, 2019 at 07:13:05PM -0000, Chris Lamb wrote:
> > Thanks for fixing this and pushing it! Is the final fix also supposed to
> > address the case of an attacker plugging in a new USB multitouch device?
>
> Alas not; I received no input from upstream after repeated pings so I
> pushed ahead.

Alright -- too bad.

> > If the latter -- should this be pointed out as a known limitation or
> > vulnerability of the package?
>
> Indeed. I did write that here:
>
>   https://salsa.debian.org/debian/xtrlock/commit/0254c8652b415263bebadbe1413e71b9ec12e741.diff
>
> ... but I would concede that is not very visible.

Sorry I'm not too sure of what you mean, what is it that you wrote about known limitations in <https://salsa.debian.org/debian/xtrlock/commit/0254c8652b415263bebadbe1413e71b9ec12e741.diff>? I see nothing, unless you mean the source code comment?

In principle I would think there ought to be some kind of record (besides the discussion on this bug report) that the problem isn't really fixed. But to be honest I don't care too much personally as I'm migrating from X to wayland so phasing out xtrlock on my machines. And it's already great you could push out that fix which addresses most of the concerns.

Best,

-- 
Antoine Amarilli