Re: fvwm in base and repository with security issues?

To: <misc@...>
Date: Sunday, December 30, 2007 - 2:36 pm

After a discussion on the openbsd irc I am sending this mail, hoping fvwm will be removed from base and repo, or updated.

The fvwm version in base is 2.2.5, which was released somewhere in the late nineties.
Every installation using X does have this program installed on the system.

Then in the repo, there is a version 2.4.19, which is also some years old.

The developer of fvwm is telling me that both versions are way too old, full of security issues and 2.2.5 is not even supported anymore in which way ever...

Looking at the news page of fvwm I see a list of security issues and other issues solved in newer versions than 2.4.19:

Security fixes in fvwm-menu-directory. (CVE-2006-5969)
Security fixes in FvwmCommand
Security fix for fvwm-menu-directory. See BugTraq id 9161.
Security patch in fvwm-bug. See http://securitytracker.com/alerts/2004/Jan/1008781.html
Security fixes in fvwm-menu-directory (BugTraq id 9161)
Security fixes in fvwm_make_directory_menu.sh
Security fixes in fvwm_make_browse_menu.sh
Fixed tempfile vulnerabilities in FvwmCommand.
Fixed detection of safe system version of mkstemp.
Security fix in fvwm-menu-directory. (CVE-2006-5969)

The list of other issues (crashing window managers, race conditions, infinite loops etc...) is much longer.

I would suggest to remove all window managers from base except twm. Twm is in all default X installations and could be left in as last resort. When someone needs a window manager, he can install it from repo or ports, but it should not be as now, that a 'left over' which is much too old, full of bugs and unmaintained, can be used on the 'most secure operating system ever'.

I hope someone will lead this issue to the people taking decisions about what should be in and what not, resulting in either updating or removing fvwm.

Thanks,
Jan
To: Jan <e4ea@...>
Cc: <misc@...>
Date: Sunday, December 30, 2007 - 9:05 pm

Hi there,


Cwm is very good, but there are some bugs in that too. I notice that
if you hide a window so the pointer falls onto the root window and
then try to search for a window (alt+/ if I remember correctly), then
the search menu is not displayed. To make it start working again one

Many people know and love fvwm. I think they may have something to say

Is there anything up with newer versions then? Why should it not be

But nowhere as minimal as anything in base. Icewm links imlib, which
would mean importing GPL software into base (big no no). Also it would
make base larger.

I must admit I use a GPL licensed window manager (JWM), but it was my
decision to install it from packages, so it is not a problem.

-- 
Best Regards

Edd

---------------------------------------------------
http://students.dec.bournemouth.ac.uk/ebarrett
To: <misc@...>
Date: Sunday, December 30, 2007 - 10:53 pm

i believe license is the issue.
To: <misc@...>
Date: Tuesday, January 1, 2008 - 4:27 pm

Correct. Newer versions of fvwm are GPLed.

-- 
Alas, I am dying beyond my means.
		-- Oscar Wilde, as he sipped champagne on his deathbed
To: <misc@...>
Date: Wednesday, January 2, 2008 - 12:29 am

To satisfy my own curiosity, looking at
www.en.wikipedia.org/wiki/Category:Free_X_window_managers which provides
links to 45 window managers for which there are wiki pages, I looked at
the licence for each and found that only xmonad, wmii, fluxbox, and
blackbox are licenced under BSD or MIT license.  

Since I didn't look at the software itself, I don't know if any require
GPL libraries.

Just thought I'd FYI.  I'm not making an argument either/any way.

Doug.
To: Jan <e4ea@...>
Cc: <misc@...>
Date: Sunday, December 30, 2007 - 8:39 pm

i don't get it.  i can make a magic directory name and... run commands


is this different than Bugtraq id 9161 above?  for that matter, how is

is this different than CVE-2006-5969 above?
To: <misc@...>
Date: Sunday, December 30, 2007 - 3:41 pm

If this is a true issue that applies to OBSD rather than a non-issue
because of custom fixes applied by OBSD, then I would suggest that there
be a more configurable wm other than twm in base.  The reason is
simple.  Anything in base has a good security audit done.  Things in
ports/packages don't.  Personally, I use icewm since it's quite
light-weight yet configurable to some extent (e.g. menu and taskbar).

Doug.
To: <misc@...>
Date: Sunday, December 30, 2007 - 4:47 pm

please, don't touch fvwm 2.2.5... it's just perfect... not in vain
it's the default wm in obsd... Don't touch iiiiiiiiiiiiiiiiiiiiiiiit!