by enriquto 980 days ago
> The design of Wayland starts with the premise that every application connecting to your display might not be completely trusted,

What a strange premise... Do the Wayland people have keylocks on all the rooms, drawers and cupboards in their houses?

Unix programs by default have access to all files in the user's home. That's the main point of running programs after all: to edit your files. Letting these programs see all pixels on your screen does not seem that bad, does it?

If for some reason you want to run an untrusted application, use a container. But building your whole house around the "untrusted" premise sounds ridiculous.


> If for some reason you want to run an untrusted application, use a container. But building your whole house around the "untrusted" premise sounds ridiculous.

I guess we should do away with memory protection as well. Filesystem permissions? Bah, they can go too, after all, a computer is generally used by a single person right?

The reality is that many users use untrusted applications that don't have access to home, ergo Flatpak. There are plenty of reasons why the free for all security model for X11 isn't suitable. Besides, that ship has well and truly sailed - most of the X11 devs have been working on Wayland for the better part of a decade now.

> The reality is that many users use untrusted applications that don't have access to home, ergo Flatpak.

I'd like to see this quantified. How many people using Flatpak are afraid of their application reading their files, vs. using Flatpak simply because it's a convenient way to install programs? I don't mean "oh me me!" responses; are there any user surveys to support the premise that average users are afraid of their applications?

Quite frankly I don't believe this level of paranoia is the norm. On Windows and macOS, applications installed in the normal way can read the files on your desktop. This is the way it has always been on Linux too, with few exceptions. Letting the most paranoid users set the norms is a recipe for irrelevance. How popular is Qubes? It's a pain in the ass.

This is incorrect, apps installed through the macOS App Store have required sandboxing since 2012. Since 2018, Microsoft is also attempting to get developers to sandbox more apps, see more about that here: https://news.ycombinator.com/item?id=36059982

I'm pretty sure you're wrong. Looking over the part where you imply that the macOS App Store is the standard way to install applications on macOS (as opposed to dragging the application to the Applications folder), let's look at what the system you're referring to actually does:

https://developer.apple.com/documentation/xcode/configuring-...

Show me where it says a program installed from the macOS App Store will be unable to read the user's files unless the user explicitly authorizes it. Here's how it actually works as far as I can determine: The application developer grants their app the entitlements to read user files. The user may see that entitlement before installing the application, but thinks nothing of it because of course the program operates on their files. This does not protect the user against a malicious program being shipped with those entitlements and a plausible pretext to justify it. Example: The user downloads a program to read some kind of unusual file for work, the program grants itself access to ~/Downloads because of course it needs that, then the program instead reads ~/Downloads/your-tax-documents.

This system only protects the user if the application was legitimate, refrained from granting itself the relevant entitlements, then got compromised by an attacker.

> Looking over the part where you imply that the MacOS App Store is the standard way to install Applications on MacOS

That is the standard way. An app that has its own custom installer or patcher/updater is by definition, using a non-standard install procedure.

But even if it wasn't, it definitely is the standard on Linux, where package managers are the norm.

> The application developer grants their app the entitlements to read user files.

Flatpak works in exactly the same way.
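The permission model being compared above (the developer declares what the app may touch, the user can only see or narrow it) is visible in Flatpak's own files. As an added illustration that is not part of this thread, the Python script below reads the `filesystems=` line from the `[Context]` section of a Flatpak app's metadata (what the developer's `finish-args` produce), applies a user override file of the kind `flatpak override --nofilesystem=home` writes, and reports whether the effective grant still reaches the home directory. The app id `org.example.DocViewer` and both file contents are constructed samples; `flatpak info --show-permissions <app-id>` prints the same `[Context]` data for a real installation.

```python
"""Audit a Flatpak app's declared filesystem grants against the user's override.

Added example; reads constructed metadata strings, not a live installation.
"""
import configparser

# Tokens that expose (almost) everything the user owns.
BROAD_FILESYSTEMS = {"home", "host", "host-os", "host-etc"}

# Constructed sample: an app metadata file as finish-args would produce it.
# The app id is a placeholder, not a real application.
SAMPLE_METADATA = """\
[Application]
name=org.example.DocViewer
runtime=org.freedesktop.Platform/x86_64/23.08
command=docviewer

[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=home;xdg-download;
"""

# Constructed sample: the override left behind by
#   flatpak override --user --nofilesystem=home \
#       --filesystem=xdg-download:ro org.example.DocViewer
SAMPLE_OVERRIDE = """\
[Context]
filesystems=!home;xdg-download:ro;
"""


def _split_list(value):
    """Split a semicolon-terminated Flatpak list, dropping the empty tail."""
    return [item for item in value.split(";") if item]


def parse_filesystems(text):
    """Return the filesystems= entries under [Context], or [] if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    if not cp.has_option("Context", "filesystems"):
        return []
    return _split_list(cp.get("Context", "filesystems"))


def effective_filesystems(metadata, override=""):
    """Merge app metadata with a user override: '!name' removes a grant,
    a plain entry adds or replaces it. Mode defaults to read-write."""
    grants = {}
    for entry in parse_filesystems(metadata):
        path, _, mode = entry.partition(":")
        grants[path] = mode or "rw"
    for entry in parse_filesystems(override):
        if entry.startswith("!"):
            path = entry[1:].partition(":")[0]
            grants.pop(path, None)
        else:
            path, _, mode = entry.partition(":")
            grants[path] = mode or "rw"
    return grants


def audit(metadata, override=""):
    """Summarise the effective grants and flag the broad ones."""
    grants = effective_filesystems(metadata, override)
    broad = sorted(p for p in grants if p in BROAD_FILESYSTEMS)
    return {
        "grants": grants,
        "broad": broad,
        # 'host' implies 'home', so both must be absent for the home
        # directory to stay outside the sandbox.
        "home_protected": "home" not in grants and "host" not in grants,
    }


if __name__ == "__main__":
    print("as shipped:  ", audit(SAMPLE_METADATA))
    print("with override:", audit(SAMPLE_METADATA, SAMPLE_OVERRIDE))
```

The point the script makes is the one the comment above makes: nothing in the shipped metadata stops a viewer app from declaring `home`, and the grant only narrows if the user (or a distribution policy) writes the override.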

It is not a strange premise. It is the security model that, for example, Android uses. The Unix security model is dated, and it is good that steps are taken in this direction.

Android is different, it is built to run untrusted apps.

My Linux Desktop runs Chromium, xterm, IntelliJ and occasionally Gimp.

Do I need the Wayland security model? Hardly so.

Am I an outlier among Linux Desktop users? Hardly so.

Are you actually suggesting that most Linux desktop users only use the same 4 programs you do and will never use or install anything else? If that's the case then why bother with a display server or package managers? We can hardcode those 4 programs into the system, have them draw directly to the framebuffer and then we can remove the ability to install any other programs. Sound good to you?

The point is to reduce the attack surface, especially for browsers that run untrusted input. You don't want a local exploit in your browser (that hopefully is also configured not to have access to your entire filesystem) to screenshot other apps and websites. Maybe you disable all the warnings in IntelliJ too that prompt you to be careful when opening a new Git project from a remote source?

Browsers are already sandboxed.