Ugh, they cannot fix it because this is not something that Wayland can fix at all.
Look, if you have user access to the account, you can get its data. Even if you somehow make Wayland 100% secure, you can still replace the “firefox” shortcut with a malicious version which also steals all your passwords. No windowing system involved at all.
The X11 protocol allows any client connected to the server to become a keylogger or insert input events. So, even an X11 client trapped in a sandbox or another user account has full access.
The X11 protocol doesn't enable this, even if the most widely used X11 implementation does. An implementation could isolate clients by dropping events and returning blank rectangles for GetImage calls.
IMO the main problem there is that the UX around dropping events and returning blank rectangles is bad. We have the tools to design other protocols centered around a real security architecture that can communicate intent properly and doesn't need to return fake data.
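
A small model of the policy discussed in the last two comments (drop key events and blank GetImage pixels for clients outside the focused window's trust domain), as an added example that is not from any commenter or from a real X server. The `domain` label, the class names and the sample windows and keystrokes are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Client:
    name: str
    domain: str                      # hypothetical trust label set by the server
    events: list = field(default_factory=list)

@dataclass
class Window:
    owner: Client
    x: int
    y: int
    w: int
    h: int
    pixel: int                       # solid fill stands in for real contents

class IsolatingServer:
    BLANK = 0                        # what a foreign-domain pixel is replaced with

    def __init__(self):
        self.windows, self.listeners, self.focus = [], [], None

    def key_press(self, key):
        # Deliver only to listeners in the focused window's domain; silently
        # drop the event for everyone else (no error is ever sent).
        for c in self.listeners:
            if self.focus and c.domain == self.focus.owner.domain:
                c.events.append(key)

    def get_image(self, requester, x, y, w, h):
        def pixel(px, py):
            for win in reversed(self.windows):          # topmost window first
                if win.x <= px < win.x + win.w and win.y <= py < win.y + win.h:
                    same = win.owner.domain == requester.domain
                    return win.pixel if same else self.BLANK
            return self.BLANK                           # bare root window
        return [[pixel(px, py) for px in range(x, x + w)] for py in range(y, y + h)]

def demo():
    srv = IsolatingServer()
    browser, prompt = Client("browser", "user"), Client("prompt", "user")
    sandboxed = Client("sandboxed", "sandbox")
    srv.windows = [Window(browser, 0, 0, 4, 2, 0xAA), Window(sandboxed, 4, 0, 4, 2, 0x55)]
    srv.focus = srv.windows[0]
    srv.listeners = [prompt, sandboxed]
    for key in "hunter2":                               # constructed sample input
        srv.key_press(key)
    return (prompt.events, sandboxed.events,
            srv.get_image(sandboxed, 0, 0, 8, 1)[0], srv.get_image(prompt, 0, 0, 8, 1)[0])
```

The sandboxed client gets a well-formed reply either way, so from its side a blanked region is indistinguishable from a genuinely black screen, which is the UX issue raised in the last comment.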