Chris Siebenmann, a UNIX herder at the University of Toronto CS Lab, asserts that the death watch for the X Window System (aka X11) has probably started:
I was recently reading Christian F.K. Schaller's On the Road to Fedora Workstation 31 (via both Fedora Planet and Planet Gnome). In it, Schaller says in one section (about Gnome and their move to fully work on Wayland):
Once we are done with this we expect X.org to go into hard maintenance mode fairly quickly. The reality is that X.org is basically maintained by us and thus once we stop paying attention to it there is unlikely to be any major new releases coming out and there might even be some bitrot setting in over time. We will keep an eye on it as we will want to ensure X.org stays supportable until the end of the RHEL8 lifecycle at a minimum, but let this be a friendly notice for everyone who rely the work we do maintaining the Linux graphics stack, get onto Wayland, that is where the future is.
X11, for all its advantages, also has several incurable design flaws relating to security. However, the major distros have not yet been in any hurry to replace it. Wayland is touted as the next step in graphical interfaces. What are Soylentils thoughts on Wayland or the demise of X11?
(Score: 0) by Anonymous Coward on Thursday July 04 2019, @06:03PM (10 children)
"Secure keyboard" is merely security theater. A keylogger will still be able to steal your keyboard input using XInput and there is nothing you can do to stop it.
(Score: 0) by Anonymous Coward on Thursday July 04 2019, @06:22PM (4 children)
and do not be an idiot in public
(Score: 0) by Anonymous Coward on Thursday July 04 2019, @10:43PM (3 children)
Keylogger malware runs under your account privileges and will not be stopped this way because it has access to xauth information.
(Score: 0) by Anonymous Coward on Friday July 05 2019, @01:15AM (1 child)
And do not blame tools for your idiocy when you do.
Same as you do not try and "secure" your arse from your left or right hand, and instead just refrain from improper use of root vegetables, household tools, lighting implements, small animals and the like: http://www.well.com/~cynsa/newbutt.html [well.com]
BTW, the ways to run suspect software with limited privileges on a GNU/Linux system are many and quite powerful, while none of them involves breaking every thing GUI presently in existence and hobbling everything else. No one prevents you from learning them.
(Score: 0) by Anonymous Coward on Friday July 05 2019, @09:02AM
I don't know what that new butt page is all about, except that I'm not going to go there.
(Score: 0) by Anonymous Coward on Friday July 05 2019, @11:32AM
Anybody serious about keylogging will use a hardware keylogger, intercepting hardware in transit is more likely than you think.
(Score: 0) by Anonymous Coward on Thursday July 04 2019, @08:48PM (2 children)
A person could insert a hardware keylogger between your keyboard and the computer and what would you do about that?
(Score: 1, Interesting) by Anonymous Coward on Friday July 05 2019, @02:45AM
If you negotiate the minefield in the drive
And beat the dogs and cheat the cold electronic eyes
And if you make it past the shotguns in the hall
Dial the combination, open the priesthole
And if I'm in I'll tell you where to stick your hardware.
(Score: 2) by tangomargarine on Saturday July 06 2019, @04:08AM
Understand that virtually all security is circumventable with physical access?
This is a long-standing rule of computer security.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Thursday July 04 2019, @09:46PM (1 child)
xinput is a debug tool, naturally it will lead to problems.
That said, there are ways to defend against it. But it is a but convoluted right now for casual use, as it involves routing windows through something like xpra.
(Score: 0) by Anonymous Coward on Thursday July 04 2019, @10:49PM
XInput is not a debug tool, it is an X extension providing a generic interface to input devices. It is entirely separate from the core keyboard and mouse API and does not respect keyboard or server grabs, which is what "secure keyboard" features use to pretend they are keeping input only to themselves. XInput keeps accumulating events during the server grab and sends them on to the keylogger once the grab is released. If XInput code were to respect grabs, this last key event leak could be plugged and it would once again be possible to implement the "secure keyboard". XInput developers, however, are not interested in doing that, presumably because they are all working on Wayland first and are assuming that X will die.