14 Feb 2004 mharris   » (Master)

Boy, did this week's XFree86 security problems in libXfont ever suck. As soon as I had packages available to fix the first issue, the second issue was discovered. As soon as I had packages available to fix the second issue, the third issue was discovered. Quite a patch juggling contest to say the least. Nonetheless, that nightmare is now finally over - for now at least. I'm smart enough though to realize this nightmare isn't totally over yet. There is 350Mb of files in a full XFree86 source code tree, and while not all of it is actual source code, there is lots of code there for people to play with and have fun.

Thank God that most people, black hats included, are frightened at X source code and generally won't touch it with a 10 foot pole.

Once all mainstream distributions begin shipping the modularized and autotooled freedesktop.org xlibs packages, the amount of pain which occurs when security issues are found will hopefully subside. The entire source tree really needs a heavy security audit, as well as a general cleanup. There's a lot of cruft there that hasn't been seen by human eyes for over 10 or more years.
