You mean the code doesn't work as *YOU* intended.   I did test it when I wrote
it and it works as I intended, for the case where you xhost
+si:localuser:username, since xhost strips off the si: prefix.   
I don't remember if the /etc/X*.hosts case was ever thought of, and for that 
I apologize since I seem to have so deeply offended you that you've lost all 
sense of politeness.

$ xhost
access control enabled, only authorized clients can connect
SI:localgroup:xuser

$ id ; xvinfo|head -n 1
uid=527(rpmbuild) gid=528(rpmbuild) groups=37(rpm),528(rpmbuild) context=user_u:system_r:unconfined_t
X-Video Extension version 2.2

What was SI:localgroup:xuser supposed to do, then?
I tried to apply common sense, and presumed only xuser group is allowed access.

Anyways, if it now works as intended, what's the use for it, sine
everybody is allowed access in any case?

The point is that if you're rude to people, no-one will want to talk to you at all, let alone spend their free time helping you.  Think about it: if you were at someone's house and he was making you some food, would you be that rude? I hope not, but from the looks of this bug report, the answer is yes.

I am very sorry that I wasted my time by trying to tell about this bug
and I am sorry I made one guy depressed by telling feedback about his code.

To prevent further waste of time, I just stop reporting bugs at freedesktop.org.

Sayonara!

(worksforme... get it?  works for both of us as intended.  for me with my patch, you without.)

It wasn't intended to change the previous behavior of allowing everyone on localhost if no -auth is present, just to allow augmenting xauth easily.
I didn't think anyone had run without -auth in the last decade.

(In reply to comment #4)
> To prevent further waste of time, I just stop reporting bugs at
> freedesktop.org.

Kiitti.