On 1/19/26 5:01 AM, Rich Pieri wrote:
The X11 SECURITY extension allows you to mark X11 clients as trusted or untrusted. Development was abandoned in the 1990s because hardly anyone used it, but the code still lives in X.Org. Problem is, clients marked untrusted don't work as expected and often not at all. -Y says "forward X11 SECURITY trust". In practice it marks your X11 clients as trusted which bypasses the extension so that they work correctly.
So when I "ssh -X 10.1.2.3" (no "-Y") I'm not getting best "work as expected"? I have never used "-Y" and X forwarding has worked well for me, so I can live with that.
But am I actually getting any security advantage by adding "-Y"? I thought I saw someplace that "-Y" is (nearly?) a no-op.
Note, I don't run untrusted programs over X, but I also don't want to trust all these "trusted" programs. Just because something is in an official Debian package doesn't mean we should necessarily trust its intentions. And it certainly doesn't mean we should trust its competence (and so its relative invulnerability to exploit).
I sure know that since I looked at a little of the sources to Dovecot I very much want to get off of it, when I get the chance.
-kb _______________________________________________ Discuss mailing list [email protected] https://lists.blu.org/mailman/listinfo/discuss
