Comment by regularfry

4 years ago

> I'm fully on board with the Wayland idea that an application shouldn't know or be able to modify its window position

Why? Genuine question - that sounds like an incredibly opinionated position for the display server to force up the stack, and I don't have a good intuition for why it should be necessary.

>> Why? Genuine question - that sounds like an incredibly opinionated position for the display server to force up the stack...

The security model in Wayland seems to keep the application largely isolated from its environment. No warping the mouse pointer, no reading pixels, no understanding of what the user might be doing outside the application window. I can agree with all of that in principle. It is not the application's place to move anything on the desktop including itself. Those are to be done by the user. Also for consistency this kind of thing has to be done by the DE.

It was also nonsensical to have applications be responsible for remembering their own positions instead of the "window manager". Read that again: "window manager" ;-)

  • > The security model in Wayland seems to keep the application largely isolated from its environment.

    I really don't see what good that is when considered in the greater context of the Linux desktop paradigm, wherein any application running under your user almost certainly has write access to your entire $HOME, including the ability to tamper with your shell configuration, edit your $PATH, and do all manner of nasty subversive shit. To get any real security benefit from Wayland over X, you'd have to abandon the entire Linux desktop paradigm and use a completely new ecosystem as different from the traditional Linux desktop as Android is.

    If you just use Wayland as a drop-in replacement for X (as GNOME/Wayland and KDE/Wayland are essentially doing), you're still screwed six ways to Sunday.

    • > I really don't see what good that is when considered in the greater context of the Linux desktop paradigm, wherein any application running under your user almost certainly has write access to your entire $HOME, including the ability to tamper with your shell configuration, edit your $PATH, and do all manner of nasty subversive shit. To get any real security benefit from Wayland over X, you'd have to abandon the entire Linux desktop paradigm and use a completely new ecosystem as different from the traditional linux desktop as Android is.

      It doesn’t require changes as deep as you’re implying (although I would say moving away from the traditional UNIX permissions model would ultimately be a good thing). It can be beneficial with existing application confinement mechanisms like Flatpak. You can restrict a Flatpak app from accessing your $HOME, but if it’s given access to your X server it has a lot more access than it likely needs. My understanding is the situation is better with Wayland, provided you only give it access to the Wayland socket and not the X11 socket.

      4 replies →

    • >> If you just use Wayland as a drop-in replacement for X (as GNOME/Wayland and KDE/Wayland are essentially doing), you're still screwed six ways to Sunday.

      No, you're only screwed 4 or 5 ways. Applications can't screen capture, and they can't monitor the keyboard input to other applications.

      Your points on other security issues are valid, but just because there are 6 different ways a program can dig into your system is no reason not to plug some of those holes. Wayland does that.

      IMHO we need to restrict a bunch of system calls so they can only be used by the GUI toolkit. Then only files selected by the user could be accessed by an application. Of course CLI programs and other cases need permission too, so there is some complexity to work out. But this would allow a random application to use the system installed GUI toolkit and access only what the user specifically says through interactions.

      Better security doesn't have to be hard, but it does require that changes be made.

    • > any application running under your user almost certainly has write access to your entire $HOME, including the ability to tamper with your shell configuration, edit your $PATH, and do all manner of nasty subversive shit.

      Not that I'm a fan of it or that knowledgeable about the subject, but isn't this sort of where Flatpak comes in where applications have to be given permission to access some of these?

      I know that Fedora is very clearly moving toward the Silverblue (OSTree) endgame where the underlying system is immutable and Flatpak is the default for user applications on top.

    • Just because the existing situation on Linux is terrible from a security point of view, it doesn’t mean we shouldn’t start fixing it.

      Not being able to install a keylogger from an npm package is already a huge improvement.
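Checking what an installed Flatpak actually gets, as an added example (not code from this thread): the script parses the [Context] group of a Flatpak metadata keyfile, reports the x11 socket and broad $HOME access that the comments above discuss, and builds the `flatpak override` command that drops them. The metadata sample is constructed and the app id org.example.Editor is a placeholder.

```python
import configparser
from typing import Dict, List

# Constructed sample, shaped like the 'metadata' keyfile Flatpak keeps for
# an installed app (not a real application's manifest).
SAMPLE_METADATA = """\
[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=home;
"""


def parse_context(metadata: str) -> Dict[str, List[str]]:
    """Return the [Context] group as {key: [values]}; values are ';'-separated."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(metadata)
    if not parser.has_section("Context"):
        return {}
    return {key: [v for v in value.split(";") if v]
            for key, value in parser.items("Context")}


def audit(metadata: str) -> List[str]:
    """Flag permissions that undo the isolation discussed in the thread."""
    ctx = parse_context(metadata)
    sockets, filesystems = ctx.get("sockets", []), ctx.get("filesystems", [])
    findings = []
    if "x11" in sockets:
        # With the X11 socket the app is just another X client: no isolation
        # from other clients' input or pixels, regardless of the sandbox.
        findings.append("x11 socket granted: app is not isolated from other X11 clients")
    if "home" in filesystems or "host" in filesystems:
        findings.append("broad filesystem access: sandbox does not protect $HOME")
    return findings


def suggested_override(app_id: str, metadata: str) -> str:
    """Build the 'flatpak override' command that drops the flagged permissions."""
    ctx = parse_context(metadata)
    args = ["--nosocket=x11"] if "x11" in ctx.get("sockets", []) else []
    args += [f"--nofilesystem={fs}" for fs in ("home", "host")
             if fs in ctx.get("filesystems", [])]
    return " ".join(["flatpak", "override", "--user", *args, app_id]) if args else ""


if __name__ == "__main__":
    for finding in audit(SAMPLE_METADATA):
        print("-", finding)
    print(suggested_override("org.example.Editor", SAMPLE_METADATA))
```

Dropping the x11 socket only helps when the app really runs on Wayland; one that can only talk X11 will simply fail to start, which is why the override is suggested rather than applied.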

With multiple monitors, and multiple multi-monitor configurations, window position becomes a complicated concept, full of pitfalls and corner cases. It is reasonable (although admittedly not the only possible solution) to centralize the window position management in the wm.

  • Your conclusion doesn't follow from your premise.

    What does follow is that apps should have a library available which allows them to express their positioning desires while accounting for the complications and corner cases.

    Even if positioning were centralized, apps should still have been able to tell the WM "This is what I want to happen w.r.t. positioning, try to accommodate me".

    • I should have explained myself better. The old way of specifying a position (pixel coords in a plane) does not work well for complicated setups. Among the possible alternatives there is:

      1. Assign responsibility to the wm (Wayland’s way)

      2. Create a new way to specify position preference in a complicated world. That’s what you propose, IIUC. It’s possible but complicated, and Wayland had a lot of other problems to worry about, therefore I understand why they didn’t choose this way.

      3. Leave the simple protocol in place, but let the wm override the application’s choice when necessary. I guess a lot of apps would not work properly in such a system.

    • Given the choice between the window manager making all of the positioning/size decisions and allowing the app to do it, I'll gladly pick the WM. In the opposite world, sure, most apps will behave sensibly but then occasionally you're going to run into that application where the author says, "hey, my app is so great, you're definitely going to want it full-screen all the time!"

      An exaggeration of course, but I have seen plenty of apps try to do "smart" things about window management on their own, and they always get it wrong. It's one of the reasons KDE's WM allows you to override and make permanent a surprising number of settings.

      (I also believe that websites should not be able to just do whatever the hell they want on my computer, but that battle seems to have been lost.)

More simply, because I say where the application goes. It absolutely does not get a say in the matter. It's my computer.