▲ themafia 5 days ago

> is why would you wait until people are getting hacked to address a known vulnerability?

Do you have some other way of _reliably_ identifying vulnerabilities?

> It makes no sense whatsoever to leave one open just because.

It makes sense to have security options. If I want to leave it fully unlocked, that's my business, and I possibly have good environmental reasons to do this. What you should really care about are security _defaults_. And in X11's case I'm not aware of any distribution that ships the server with TCP connections to the server enabled. You have to go well out of your way to even begin using this functionality.

▲ zahlman 4 days ago

> Do you have some other way of _reliably_ identifying vulnerabilities?

This is irrelevant given that we are talking about known vulnerabilities. No, you can't reliably find all the vulnerabilities by auditing the code. Yes, if you audit the code and believe you have found a vulnerability, you fairly reliably are correct in your belief. And should probably take action even if you aren't.