After a discussion on the OpenBSD IRC, I am sending this mail, hoping fvwm will be removed from base and repo, or updated.
The fvwm version in base is 2.2.5, which was released somewhere in the late nineties. Every installation using X has this program installed on the system. Then in the repo, there is a version 2.4.19, which is also some years old. The developer of fvwm is telling me that both versions are way too old, full of security issues, and 2.2.5 is not even supported anymore in any way whatsoever...

Looking at the news page of fvwm, I see a list of security issues and other issues solved in versions newer than 2.4.19:

  Security fixes in fvwm-menu-directory. (CVE-2006-5969)
  Security fixes in FvwmCommand
  Security fix for fvwm-menu-directory. See BugTraq id 9161.
  Security patch in fvwm-bug. See http://securitytracker.com/alerts/2004/Jan/1008781.html
  Security fixes in fvwm-menu-directory (BugTraq id 9161)
  Security fixes in fvwm_make_directory_menu.sh
  Security fixes in fvwm_make_browse_menu.sh
  Fixed tempfile vulnerabilities in FvwmCommand.
  Fixed detection of safe system version of mkstemp.
  Security fix in fvwm-menu-directory. (CVE-2006-5969)

The list of other issues (crashing window managers, race conditions, infinite loops etc...) is much longer.

I would suggest removing all window managers from base except twm. Twm is in all default X installations and could be left in as a last resort. When someone needs a window manager, he can install it from repo or ports, but it should not be, as it is now, that a 'leftover' which is much too old, full of bugs and unmaintained can be used on the 'most secure operating system ever'.

I hope someone will bring this issue to the people making decisions about what should be in and what not, resulting in either updating or removing fvwm.

Thanks,
Jan