Perhaps I'm slightly weird, but I find the "fix" far more worrisome than the original bug.
The original bug was a security bug, plain and simple. Not good, but understandable given the schedules Canonical is working to.
The "fix" does not actually solve the bug; it just hides it, so that it's harder to hit. If this is how security bugs in Mir proper (not just XMir) are going to be treated, then I'm not going to use it - one thing I've seen throughout my career is that if you convert a security bug to a race condition, the black hats just work out how to win the race.
Re: malicious xscreensaver getting your passwd, vs malicious mir-hog getting your passwd