From: Josh DuBois <josh@joshdubois.com>
Subject: Re: Proxying Wayland for untrusted clients
Date: Sat, 22 May 2021 12:52:07 -0500
To: discuss@spectrum-os.org

On May 22, 2021, at 8:05 AM, Alyssa Ross wrote:
>
> One of the benefits that Wayland is supposed to have over X11 is
> security. A Wayland application isn't supposed to be able to record the
> screen without user permission, for example. But in most compositors,
> it can, with no restrictions.
>
> To solve these problems, I propose a proxy program that sits between
> Wayland clients and the compositor, in the same privilege domain as the
> compositor.

> If we can do that, it might be sensible for
> it to live at freedesktop.org? I'm not sure how that works.

I am curious, if you have time, to hear more on why the approach of a proxy vs. picking a compositor and implementing security there. If the problem is that the Wayland community so far has not considered security a priority, it seems that a security proxy may suffer from those same forces. Basically, will it be easier to attract developers or gain widespread adoption of a proxy as opposed to getting buy-in to do security directly in a compositor? You mention writing in a memory-safe language and having a compositor-neutral solution as technical advantages.

Do you think a proxy is a good choice primarily because it can achieve a better technical result, or is the choice of a new component more a matter of difficulty getting community buy-in from a popular compositor and doing security there? How would you weigh the upsides of a new project against the difficulties of getting a new thing off the ground and adopted?

(This is really just curiosity on my part and my $0.02 from the outside. You may have already had a lot of discussions about that, or even already tried talking to compositor folk and not gotten traction. Seems worth some explicit consideration.)