On 02/18/2012 12:07 AM, Joanna Rutkowska wrote:
> The approach with trusted/untrusted apps is far from an optimal solution -- just as the world is not black and white, it is also hard to divide apps strictly into just two categories: trusted and not trusted. It is even difficult to assign 1-dimensional levels of trust to apps, such as in the military (confidential, secret, top secret, etc). Consider e.g. the following security domains: work, personal, banking -- do you really think there is an ordering trust relation between them? I don't think so. In fact, the most reasonable solution is that a user wants isolation between all of them (which is a special case of a tree-like trust relation).
Funny, because Qubes implements exactly the 1-dimensional level policy (per domain) for the isolation which you're opposing here. And your system is a workaround by nature; it implements the isolation policy entirely at the application level, calling heavyweight VMs, and breaking the fundamental concept of the desktop, which is to integrate applications and have them interact with each other. Why not do the isolation, well, _selection_, at the windowing system's level instead?
> So, back to the example with clipboard -- what a user typically expects is that the clipboard allows for (secure) communication between two _select_ apps, such as e.g. KeepassX and the Firefox in the example above, and is not allowing any other app to steal the clipboard in the meantime.
Sorry, but what's the difference between what you describe here and the other one, classifying clients as trusted or not?
PS: I like nasty ;)

Tiago
_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel
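The question in the reply above ("what's the difference") is easier to see with a small model of both policies side by side. The following is an added illustration, not code from this thread, from Qubes, or from Wayland: a one-dimensional level policy (assumed here to follow the Bell-LaPadula confidentiality rule, data may flow to an equal or higher level only) versus a clipboard broker that grants a single copy to one named receiver from an explicit (source, destination) allowlist. The domain and application names (work, personal, banking, keepassx, firefox, evil-app) and the sample secret are made up for the example.

```python
"""Added example: level-ordered trust vs. explicit per-pair clipboard selection.
Not from the mailing-list thread, Qubes or Wayland; all names are hypothetical."""
from itertools import product
from typing import Dict, Iterable, Optional, Set, Tuple

Pair = Tuple[str, str]


def level_allows(levels: Dict[str, int], src: str, dst: str) -> bool:
    """Assumed Bell-LaPadula-style rule: data may flow from `src` to `dst`
    only if `dst` sits at the same level or higher; never downward."""
    return levels[src] <= levels[dst]


def levels_can_isolate(domains: Iterable[str], isolated: Set[Pair]) -> bool:
    """Brute-force every assignment of levels 0..n-1 to `domains` and report
    whether any assignment blocks flow in BOTH directions for every pair in
    `isolated`.  Under a total order this is impossible for a single pair
    (either a <= b or b <= a always holds), which is the limitation the
    quoted text argues about."""
    domains = list(domains)
    for assignment in product(range(len(domains)), repeat=len(domains)):
        levels = dict(zip(domains, assignment))
        if all(not level_allows(levels, a, b) and not level_allows(levels, b, a)
               for a, b in isolated):
            return True
    return False


class PairwiseClipboard:
    """Clipboard broker modelling the 'two _select_ apps' behaviour: a copy
    names its intended receiver, the (src, dst) pair must be on an explicit
    allowlist, and only that receiver can paste.  Any other client asking
    for the clipboard in the meantime gets nothing."""

    def __init__(self, allowed: Iterable[Pair]) -> None:
        self.allowed: Set[Pair] = set(allowed)
        self.slot: Optional[Tuple[str, str, bytes]] = None  # (src, dst, data)

    def copy(self, src: str, dst: str, data: bytes) -> bool:
        """Accept the copy only for an allowlisted (src, dst) pair."""
        if (src, dst) not in self.allowed:
            return False
        self.slot = (src, dst, data)
        return True

    def paste(self, requester: str) -> Optional[bytes]:
        """Hand the data to the named receiver only.  Design choice made here
        (an assumption, not anything the thread specifies): the grant is
        single-use, so the first legitimate paste clears the slot."""
        if self.slot is None:
            return None
        src, dst, data = self.slot
        if requester != dst:
            return None  # a third app cannot steal the clipboard
        self.slot = None
        return data


def demo() -> dict:
    """Run both policies on the constructed scenario from the thread."""
    domains = ["work", "personal", "banking"]
    mutual_isolation = {("work", "personal"), ("work", "banking"),
                        ("personal", "banking")}

    clip = PairwiseClipboard(allowed=[("keepassx", "firefox")])
    copy_ok = clip.copy("keepassx", "firefox", b"hunter2")   # constructed secret
    stolen = clip.paste("evil-app")                           # not the named dst
    legit = clip.paste("firefox")                             # the named dst
    unlisted = clip.copy("firefox", "evil-app", b"x")         # pair not allowlisted

    return {
        "levels_isolate_all_three": levels_can_isolate(domains, mutual_isolation),
        "copy_ok": copy_ok,
        "stolen": stolen,
        "legit": legit,
        "unlisted_copy": unlisted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two functions answer the "what's the difference" question directly: `levels_can_isolate` returns False because no assignment of ordered levels can forbid flow between two domains in both directions, while the pairwise broker expresses "KeepassX to Firefox, nobody else" with one allowlist entry and rejects the third party's paste. Whether that selection belongs in a VM-level policy or in the windowing system, as the reply argues, is independent of this model.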