[sprash]

All "equivalents" you mention have less functionality than their originals and some only work on specific compositors like wlroots/sway. Like all things Wayland it's a mess with zero benefits for the user.

HTTPS vs HTTP is a false equivalent. HTTP works just fine like before. X11 can be made fully secure (e.g. QubesOS does it) but nobody uses it because there is really no need on a FOSS system where 100% of clients you run are trusted.

[Seirdy]

Qubes devs are in my experience the most vocal X detractors. They had to work around X's inherent lack of isolation by using a Xen mechanism. The equivalent would be putting a wooden chest in a safe to show that wooden chests are secure on their own.

HTTP also doesn't work as well as it did before: Chromium and Firefox have begun rolling out an HTTPS-Only mode that warns when visiting HTTP pages. The landscape has also gotten more hostile: many telecoms have been caught modifying unencrypted traffic. Vodafone was also caught HTTP CSP headers for ad injection.

Firefox devs have expressed interest in removing HTTP-specific logic from FF in the distant future too, with the HTTPS-only mode being the first step. All current browsers have also disabled obsolete TLS/SSL versions, which broke several sites during the initial rollout.

There is no such thing as a trusted client; plenty of FOSS has exploitable vulnerabilities. Rather than "trusted and untrusted" software, the cybersecurity crowd has shifted to thinking in terms of "untrusted and untrusted+malicious".

There's also a reason why software audits typically have their moment of truth during binary analysis, whether or not source code is available: source code is only part of the puzzle. Runtime behavior is influenced by the toolchain behavior, host OS behavior, shared libs, and a ton of other variables that are collectively harder to audit than a black box binary. FOSS' reasons for existing should be primarily related to freedom rather than security. I don't copyleft my work because it improves security, but because it protects users from further infringements upon their freedoms.

I'd suggest chatting up a security researcher or reading some material on modern approaches to exploit mitigations (source availability is not a replacement for exploit mitigation); I could give you some starting points when I wake up if you're interested.

[kaba0]

Thanks, X can be made secure by goddamn running n virtual machines.

Also, this is just patently false: “Like all things Wayland it's a mess with zero benefits for the user.”

[bitwize]

When your solution to "make something secure" is to isolate instances of it in airtight sandboxes, IT IS NOT SECURE.

Theoretically Xorg can be made fully secure: just isolate clients so they can only receive events and bitmap information from windows created on the same client connection. It would be relatively straightforward, if quite involved, to implement.

But nobody wants to implement it because everyone qualified to do so has jumped ship to Wayland. The X architecture is so fatally flawed that the most straightforward way to fix it is to start from scratch, and that's what Wayland is.

X is like global warming: one hundred percent of the people who are in the least wise knowledgeable agree that it is a problem. Unlike global warming, however, that problem has a fix: Wayland.

So just... shut up with the irrelevant bullshit and use Wayland, like all the Linux graphics maintainers and distro maintainers want you to do and have been telling you to do for years now... or find your shit unsupported.

[wing-_-nuts]

>So just... shut up with the irrelevant bullshit and use Wayland

There are still, to this day, tons of features which end consumers rely on that are still unsupported out of the box with wayland. If you're writing a replacement for x, it had damned well better have feature parity with x. Saying 'shut up and switch' is not an argument for switching.

Also, this sort of attitude is precisely why linux never took off on the desktop. Such arrogance.

[md8z]

I don't agree with the GP comment's attitude but if you could mention those features then maybe someone can help you, they probably exist in some form.