1 |
-Y still uses an .Xauthority so that isn't a surprise. |
2 |
> MIT-MAGIC-COOKIE security is used by both -X and -Y, which is what |
3 |
> this file is used for. |
4 |
> |
5 |
|
6 |
> The difference between -X and -Y is in providing a layer of security |
7 |
> so that remote clients can't play games like keyboard sniffing with |
8 |
> your local X server. |
9 |
> |
10 |
|
11 |
I had conflated those extra checks with .Xauthority. |
12 |
|
13 |
How would the keyboard sniffing attack work? Since everything over the |
14 |
network is made confidential by ssh, i'm guessing the attack would be by a |
15 |
local user on the ssh client/X server box somehow? |
16 |
|
17 |
|
18 |
Whether this ought to be a default was apparently a debate over a |
19 |
> decade ago, when the USE flag was at least added to make it possible. |
20 |
> I haven't used it in a while though so I can't vouch for whether there |
21 |
> are any issues with -X when the USE flag is enabled to build the |
22 |
> extension. |
23 |
> |
24 |
> https://bugs.gentoo.org/237778 |
25 |
> |
26 |
> |
27 |
I can see gentoo disables xcsecurity by default because upstream does. |
28 |
I'll just stick with -Y then. |
29 |
|
30 |
thanks |