From: Josh DuBois <josh@joshdubois.com>
To: discuss@spectrum-os.org
Subject: Re: Proxying Wayland for untrusted clients
Date: Sat, 22 May 2021 12:52:07 -0500 [thread overview]
Message-ID: <28F22202-61F4-42F0-B8EC-B0EC6595D003@joshdubois.com> (raw)
On May 22, 2021, at 8:05 AM, Alyssa Ross <hi@alyssa.is> wrote:
>
> One of the benefits that Wayland is supposed to have over X11 is
> security. A Wayland application isn't supposed to be able to record the
> screen without user permission, for example. But in most compositors,
> it can, with no restrictions.
<snip>
>
> To solve these problems, I propose a proxy program that sits between
> Wayland clients and the compositor, in the same privelege domain as the
> compositor.
<snip>
> If we can do that, it might be sensible for
> it to live at freedesktop.org? I'm not sure how that works.
I am curious, if you have time, to hear more on why the approach of a proxy vs picking a compositor and implementing security there.
If the problem is that the Wayland community so far has not considered security a priority, it seems that a security proxy may suffer from those same forces. Basically, will it be easier to attract developers or gain widespread adoption of a proxy as opposed to getting buy-in to do security directly in a compositor? You mention writing in a memory safe language and having a compositor neutral solution as technical advantages.
Do you think a proxy is a good choice primarily because it can achieve a better technical result, or is the choice of a new component more a matter of difficulty getting community buy-in from a popular compositor and doing security there? How would you weigh the upsides of a new project against the difficulties of getting a new thing off the ground and adopted?
(This is really just curiosity on my part and my $0.02 from the outside. You may have already had a lot of discussions about that, or even already tried talking to compositor folk and not gotten traction. Seems worth some explicit consideration.)
next reply other threads:[~2021-05-22 17:52 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-22 17:52 Josh DuBois [this message]
2021-05-22 20:05 ` Michael Raskin
-- strict thread matches above, loose matches on Subject: below --
2021-05-22 13:05 Alyssa Ross
2021-05-22 13:45 ` Michael Raskin
2021-05-22 15:08 ` Alyssa Ross
2021-05-22 16:18 ` Michael Raskin
2021-05-22 17:22 ` Alyssa Ross
2021-05-22 18:48 ` Aaron Janse
2021-05-22 20:00 ` Michael Raskin
2021-05-22 17:13 ` Jean-Philippe Ouellet
2021-05-25 11:40 ` Alyssa Ross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=28F22202-61F4-42F0-B8EC-B0EC6595D003@joshdubois.com \
--to=josh@joshdubois.com \
--cc=discuss@spectrum-os.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).