I think a big distinction that must be made would be acknowledging the problem, vs a proposed solution. I think that is where the internal motivations make more of an impact.
Linux devs can agree that there exists a problem while not agreeing on a solution. Perhaps Madaidan has been more criticized because his possibly bad motivations would influence the solution, not just recognition of the problem? As the above poster said, many other security experts have released similar reports; why is this one turning so many more heads than those?
Perspective of a non-security expert by far. I don’t understand everything in the article, but it was relatively well simplified for the common power user I think.
Also, specific question: is his point about sudo insecurity and keylogging mostly mitigated by the better security of Wayland? Is there a better way to secure sudo, or would that significantly reduce usability?
keylogging mostly mitigated by the better security of Wayland?
Yes and no, programs can’t keylog or record the screen of other programs via the Wayland interface as they can in X. Wayland (and PipeWire) have mechanisms for access control built in. That’s a good start but it’s pretty useless if you don’t have proper access control / “sandboxing” for the other parts of your system. I remember reading some PoC code for a Wayland keylogger that just injected a library (edit: into user programs) and there are probably some other (more creative) ways to do it.