Path: csiph.com!eternal-september.org!feeder.eternal-september.org!.POSTED!not-for-mail From: John Ames Newsgroups: comp.os.linux.misc Subject: Re: Artix Linux and Xlibre Date: Fri, 8 Aug 2025 08:49:18 -0700 Organization: A noiseless patient Spider Lines: 38 Message-ID: <20250808084918.00007e14@gmail.com> References: <1063lgp$jmj$2@reader1.panix.com> <1064ag9$1kvkq$1@dont-email.me> <1064m75$1lvr1$1@dont-email.me> <10667je$35rkf$2@dont-email.me> <106bdkb$2s14s$1@dont-email.me> <106bjgj$2t9mq$5@dont-email.me> <106cld0$33q3n$2@dont-email.me> <106l5kp$133ed$3@dont-email.me> <106ohbv$1q0ne$1@dont-email.me> <106s6ae$2irb0$6@dont-email.me> <106thun$2tl20$1@dont-email.me> <20250805120229.00002255@gmail.com> <106ulcf$35j8e$3@dont-email.me> <20250806090124.00005af4@gmail.com> <10716ac$3ok85$4@dont-email.me> <20250807141447.000028d3@gmail.com> <20250807155622.00003411@gmail.com> <1073tqh$empg$7@dont-email.me> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Injection-Date: Fri, 08 Aug 2025 15:49:22 +0000 (UTC) Injection-Info: dont-email.me; posting-host="9f381b277bbfb883ed5676d8601e9cf0"; logging-data="798241"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18EEB16PFk7H6JoJQQnlWjDxz3trnZCQUY=" Cancel-Lock: sha1:wU3Jaj1Gan6aGN353eA2xBavPPE= X-Newsreader: Claws Mail 4.3.0 (GTK 3.24.42; x86_64-w64-mingw32) Xref: csiph.com comp.os.linux.misc:70610 On Fri, 8 Aug 2025 04:18:26 -0000 (UTC) Lawrence D'Oliveiro wrote: > > But it's one thing to provide a default behavior for don't-care > > cases and quite another to completely disallow applications from > > specifying or even hinting to the WM about relative positioning ... > >=20 > > As has already been pointed out, though, trying to solve "malware is > > being tricksy and evil" by clapping *all* programs in irons is a > > real "barricading the barn door and hiding punji traps in the > > barnyard after the cows have already gone" mindset. =20 >=20 > If you allow don=E2=80=99t-care cases to apps the user trusts, then all it > needs to bypass the do-care cases is to pretend to be an app that the > user trusts. If that's a possibility, you've got a serious security failure on your hands. But if you *do,* the right thing is to fix the *actual* problem, not to construct some Byzantine set of hypothetical safeguards and tell yourself that the *next* time you have a breach where malicious actors are successfully gaining access to your display server such that they can impersonate legitimate applications in a valid user session, it'll be fine because they can't position or size the window automatically. *Honestly.* It's like dropping your populace in a labyrinth in hopes that that'll keep the minotaur from finding them. > > If evil software is running on the local machine under a valid > > user's session, the safeguards've *already failed* ... =20 >=20 > Not necessarily that it=E2=80=99s actually running *on* there, but that i= t is=20 > accessing that display server. Okay, sure - but again, if you're at the point where The Bad Guys have remote access to your display server and can just pop windows up on J. Random User's session, *you've already been breached.*