>>108962770
Good that XLibre is actively developed and fixes things fast.
Wayland cucks with their Xwayland will get fucked.

>>108962775
Remind me again how many security vulnerabilities have been discovered in Wayland?
I'll wait.

There's something wrong with Xorg and XLibre when "mature" 22 year old software is still getting serious security vulnerabilities found in it.

How do we fix it? Is the only solution to abandon it for Phoenix?

>>108962770
How many of them have PoC published?

>>108962815
All of the ones listed in OP.
They are XWayland security vulnerabilities.
And then you have hundreds of volunerabilities additionally to those, who are part of the various Compositors, who all implement the same thing differently.

Wayland is horrible for security.

>>108963034
XWayland is not Wayland.

>>108963043
Yes, it is, wayland is dysfunctional without it.
Security vulnerabilities in Walyand include:
>every single vulnerability in any wayland compositor out there (there wouldn't be a thousand implementations of the same thing without waylands idiotic architecture)
>every single vulnerabilities in XWayland (wayland is usable without it and it is maintained by walyand adjacent devlopers)
>any vulnerability of any technology needed to cover shortcomings of wayland, like xdg-desktop-portals (because without wayland, they wouldn't exist)
With wayland, you have a 100 times larger attack surface. Every single thing that you have thanks to wayland, that you wouldn't have without it, counts.

>>108963062
>waylanf is dysfunctional without it
xlsclients has no output, what do you mean?

>>108963062
>Yes, it is, wayland is dysfunctional without it.
In what way? XWayland is only needed for legacy applications. Some compositors nowadays don't even include the support built-in to them and make you use something like XWayland Satellite if you need that.

If you only use modern applications (GTK3/GTK4/Qt5/Qt6/Electron/etc) then there is no need for any compatibility layer.

>>108963071
>>108963068
Something that is part in every single wayland desktop, because wayland wouldn't work without it, counts as vulnerability in wayland.
>in theory i could run without XWayland if i never do more than writing text into a default text editor
is like saying
>in theory i don't need a display server at all, i can just use vi on the TTY

Reminder that EVERY. SINGLE. BUG in mutter, that wouldn't be a bug without Waylands brainfucking retarded insecure architecture, IS a bug in Wayland. They are bugs caused by the systematic shortcomings of Wayland.
https://www.reddit.com/r/Fedora/comments/1kzyr9l/warning_critical_bug_in_gnomes_mutter_483_breaks/
> WARNING: Critical bug in GNOME's Mutter 48.3 breaks your desktop. Fix inside!
Like this is a Wayland bug.

>>108963090
No, that is not a Wayland bug, it is a bug in Mutter. It doesn't affect KWin, it doesn't affect Sway, it doesn't affect Hyprland, it doesn't affect anything but Mutter (and maybe compositors derived from Mutter like Cinnamon's highly experimental Muffin compositor)

>>108963090
I use niri without xwayland though
I don't play vidya

>>108963098
>>108963104
Here another Bug that wouldn't exist without Wayland:
https://gitlab.gnome.org/GNOME/gnome-shell/-/work_items/7688
>the portal helper currently loads untrusted web content without user input. An active network attacker can force the portal helper to launch

It is unreal how many bugs we nowadays are exposed to, because thanks to the incompetent idiots, who should be executed in public by hanging, we now have a thousand implementations of basic bullshit that should just be one.

>>108963116
>we now have a thousand implementations of basic bullshit that should just be one.
So in your mind it's better for everyone's desktops to be vulnerable rather than one single specific desktop being vulnerable?

Do you by any chance work for the FBI or NSA?

>>108963116
I don't use gnome

>>108963098
Wayland is a protocol.
A protocol that requires a hundred different implementations, rather than simply having a common one.
Every single bug in any implementation of Wayland is a Bug thanks to Wayland that wouldn't exist without Wayland.

RedHat employees may argue in front of a court that it is not directly caused by them and shift responsibilities.
But in practice, we are less secure nowadays thanks to Wayland.
That is what sticks. That is a fact. That is the consequence for the user.

>>108963136
How exactly are you less secure now that security vulnerabilities caused by braindead GNOME development no longer affect you if you don't use their desktop?

Under a monolithic model like the Xorg Server every single bug in the server affects everyone.

>>108963123
>>108963125
Here another vulnerability that wouldn't exist without Wayland:
https://access.redhat.com/security/cve/cve-2026-40354

There are security vulnerabilities, that wouldn't exist without wayland, discovered almost every single day. You just don't make a thread about it and RedHat silently fills their paperwork and doesn't make a fuzz.

>>108963145
XDG Desktop Portal is used on X11 too. That's not a Wayland bug.

>>108963144
>How exactly are you less secure now
Increased attack surface.
>vulnerability in wayland compositor xzy
>vulnerability in XWayland
>vulnerability in desktop portals
all of that garbage you now have to deal with

>>108963154
Except you explicitly DON'T have to deal with it. How does a vulnerability in GNOME affect you exactly if you're not using GNOME?

Compare that to a vulnerability in Xorg that affects absolutely everyone using it.
How do you not understand this one simple fact?

>>108963152
You do not need an xdg-desktop-portal to offer basic functionality with xorg.
Most portals exist specifically to offer functionalities that wayland lacks without it.

Ask yourself: "Would i be exposed to this bug without Wayland?"
If the answer is No, then it is a Wayland bug.
Then ask yourself: "If we would have something else than Wayland, which has a better architecture, would i still have that bug?"
If the answer is Yes, then it is a Wayland bug.
Then ask yourself: "Would a change of Wayland, or a common implementation, potentially solve this bug?"
If the answer is Yes, then it is a Wayland bug.

>>108963171
XDG Desktop Portal is there to offer sandboxing to applications (specifically Flatpaks and Snaps, although it can be used standalone too). You would still need something like it on X11.

>>108963162
I could also not run a display server at all and only use the tty.

What matters is the ACTUAL desktop that people use to have the basic functionality they need.
Your imaginary wayland-compositor-only desktop without xwayland and without desktop-portals and without all the non-standard protocols like fractional scaling and without pipewire... doesn't matter.... because that is not what anyone would ever use.
What matters is what people have to use thanks to wayland or thanks to the shortcomings of wayland.

Bug in XWayland is a Wayland bug.
Bug in desktop-portal is a Wayland bug.
Bug in a Wayland compositors is a Wayland bug.
Bug in pipewire is a Wayland bug.

Wayland is less secure. It is a security nightmare. And there WILL be a common replacement in the future.
Maybe KWin will one day be so good that everybody adopts it rather than to make their own? Just how X11 became the defacto xorg standard. And then they will add stuff into KWin to replace insecure addons like portals. Who knows?
But fact is, that the current state is unsustainable and insecure.

>>108963184
That's what it got created for originally.
Just how Wayland was supposed to be for Kiosks only originally.

You just point out yet another security nightmare of the Walyand world: None of those technologies actually got created with the use case in mind, that you want to use it for.

>>108963145
I don't use flatpak
You haven't shown a single bug that impacts my wayland setup yet

>>108963208
Did you even read the CVE you linked? It's not even anything to do with Wayland. It's a bug in the sandboxing allowing symlink traversal when it shouldn't do. Not a Wayland bug, clearly a sandbox bug in this tool that you say is not for sandboxing (yet that's what it does).

>>108963225
>but but that plethora of Bugs and vulnerabilities in Wayland components doesn't affect me! I won't tell you what i use, though :)
Tell us what wayland compositor you use and every single component you use to offer functionality that wayland misses and we can tell you.

>>108963251
I already said niri lil bro

>>108963260
what niri, you fucking nigger, thats only a compositor, what xdg-desktop-portals do you have installed, or otherwise: What file-selection-dialogs do you interact with, because all of them are wayland components now who function fundamentally different because of it. What graphic toolkits do you have installed? Because they implement wayland as well.

You need to tell us your whole Wayland stack that you have thanks to Wayland, that you wouldn't have without wayland.

>>108963226
You're arguing with a gorillanigger. He thinks that GNOME/Mutter is wayland (according to the links he posted and didn't read).
>>108963251
>Tell us what wayland compositor you use and every single component you use to offer functionality that wayland misses and we can tell you.
>us
Shalom mossad

>>108963277
>bugs in wayland compositors dont count as wayland bugs, teeheee
You are just running away at this point.
Whenever one of the malicious wayland idiots gets into an argument and has to defend his insecure bullshit, he runs away with an "BUT BUT WAYLAND IS JUST A PROTOCOL, A PROTOCOL CANT HAVE BUGS"

Do you see a single person saying that xorg is just a protocol and that x11 is just an implementation of it, therefor x11 bugs aren't xorg bugs?
No you don't.
It is only YOU who makes that idiotic bumfuck retarded argument.

>>108963291
kde on xorg has bugs, are those xorg bugs?

Wayland won. I can't believe there are still x trannies seething at a superior system.

>>108963293
If KWin would have to implement its own xserver, then yes.

>>108963291
>>Do you see a single person saying that xorg is just a protocol and that x11 is just an implementation of it, therefor x11 bugs aren't xorg bugs?
>No you don't.
>It is only YOU who makes that idiotic bumfuck retarded argument.
You're half way there, come on you can connect the dots in your brain, I believe in you.

>There are no protocol bugs only implementation bugs
>Under X11 all implementation bugs affect everyone equally and everyone gets pwned as you're all using a single implementation
>Under Wayland you are only affected by implementation bugs in the particular Wayland compositor implementation you're using

>>108963305
don't project your insecure behavior on me, cuckold

>>108963305
You don't understand, we should all have one browser (Chrome) and one OS (Windows). We should not have multiple implementations.

>>108963309
And you blew it. For a second there you were so close to displaying some form of intelligence.

>>108963291
>Xtard claims wayland is insecure
https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html

>>108963104
>niri
isn't this the Rust written wayland compositor that somehow managed to create a buffer underflow vulnerability?

>>108963327
idk i just see something on glib

>>108963327
It also randomly crashes and when it crashes, it brings down the whole session and everything run on it.

A well-known security issue of most wayland compositors. I think only KWin fixed this yet.

>>108963349
You have the exact same issue on Xorg though and there is no fix.

The one thing it does have going for it is that window management is separate though so the window manager can survive crashes. You cannot survive an Xorg Server crash though.

On Wayland, the River compositor is trying to replicate the Xorg behaviour and split out window management from the server.

>>108963360
>You have the exact same issue on Xorg though and there is no fix.
Either xorg doesn't have this issue or xorg is so incredibly stable that i never witnessed it. I had the xorg nvidia driver crash on me and the season would recover.
Would KWin could crash under xorg and it would only be a blank screen or half a second and then everything would be back with all applications still there.

But maybe it worked with xorg, because the xserver and compositor are two separate components?
In which case the architecture of xorg itself is more secure than what we have under Walyand.

It's again about attack surface. If you have one bloated compositor doing everything... you will have a very bad time when that component crashes.

>>108963376
>>But maybe it worked with xorg, because the xserver and compositor are two separate components?
>In which case the architecture of xorg itself is more secure than what we have under Walyand.
Yes, but the server is not completely invulnerable it's important to recognise that.

What KWin (and only KWin, you're right there) has right now is actually better. You can literally force kill the entire compositor and it can be restarted. This is only possible as Wayland keeps less global state in the server. This would never be possible under Xorg as there's simply too much server side state.

>>108963349
I have never had Niri crash

>>108963349
literally any part of the Linux stack crashing takes out your session.
AMDGPU? trip to restart button or display manager
X.org? trip to displaymanager or VT
Wayland? same fucking shit.

>Wayland sessions support HDR, X11 sessions dont.
>Wayland sessions support multi-display VRR, X11 sessions dont.
>Wayland sessions support mixed refresh, X11 sessions don't
>Wayland sessions support fractional scaling, X11 sessions dont
>Wayland sessions have had the same response time as other vsynced desktop dessions for the past 3 years
Wayland allows me to use my semi-modern hardware as intended. X11 gimps my machine.

>>108963436
I'm the Niri guy but X11 does fine with mixed refresh if they are multiples of each other, and it was mostly GTK not having fractional scaling on X11. Works perfectly fine on QT.

>>108963447
No it doesnt. If you have 120hz and 60hz the 120hz will still stutter if you have content on both displays as it will drop the frame on the 120hz screen and wait for the next cycle.
Also super sampling content and scaling it down by a non-integer isn't proper fractional scaling.

>>108963436
>Wayland sessions support [think that Wayland sessions don't support]
why are you lying?

>>108963436
The only one to decently support all of this is KWin.
That's it. None of the others. And only if you use qt applications as well.
If we drop all of the other wayland trash and consolidate on everyone using KWin, then Wayland could be good.

>>108963494
Mutter has support for these also, and other WMs.
No X11 sessions support those basic features.
>>108963483
Prove I'm lying. You can't. You're coping. Absolutely gaped lol.

>>108963501
Nta but burden of proof is on you.
Ive never heard your claims before so if you dont mind proving any of them.

>>108963501
we are currently about to get another fractional scale protocol because the previous one doesn't work properly
https://gitlab.freedesktop.org/wayland/wayland-protocols/-/merge_requests/499
GTK still messes up fractional scaling v1 and is still getting fixes
https://www.phoronix.com/news/GTK-Snapping
VRR under mutter is experimental.
And so on....

The only good wayland experience, when you need some of the features you listed, is qt applications under KWin. Everything else is unstable trash.

>>108963521
>we are currently about to get another fractional scale protocol because the previous one doesn't work properly
>https://gitlab.freedesktop.org/wayland/wayland-protocols/-/merge_requests/499
Also note how this comes from KWin developers.
It is always KWin. They do the good stuff and everybody else has to be dragged along with force. A Gnome dev needed to get banned from freedesktop to stop the constant blocking.

If you want Wayland to prosper, you don't want Wayland, you want KWin.
The world would be so much better if we would remove everyone else from freedesktop and just have KWin developers do their thing. Imagine how much better stuff would be if they wouldn't be held back by all those idiots.
Wayland needs to die, KWin needs to replace it.

>>108962770
Don't care, I use wayland and 99.9% of memory bugs are nearly impossible to exploit in practice in the real world.

And Xorg is actively sabotaged by its maintainers. Like they keep the software hostage on purpose.

>>108963574
>And Xorg is actively sabotaged by its maintainers. Like they keep the software hostage on purpose.
just move to XLibre

>>108963574
>impossible to exploit in practice in the real world
Delusional.

It's funny to see troonix users lose their last "Linux is more secure" cope.

>>108963611
post a single POC

>>108963062
don't forget about the dbus and the kikewire vulnerabilities either
both components are de facto mandatory for all gayland implementations

>>108963360
>You cannot survive an Xorg Server crash though.
xorg has never actually crashed on me. window managers, compositors and shells have, but those can be restarted without much pain and without data loss.
literally impossible on gayland because its shitty by design

>>108963403
intel hd graphics master race, literally never crashed on me :)

>>108963324
>qubes
glowie tranny opinion disregarded

>>108963116
>we nowadays are exposed to
Sus

>>108963521
>The only good wayland experience, when you need some of the features you listed, is qt applications under KWin.
*krashes*
>Everything else is unstable trash.
gayland is trash

>>108963547
both gayland and kwin along with it will die
sonic_win on xlibre will take their place

>>108962815
Most of these vulnerabilities dont apply to xlibre since xlibre rewrote the protocol parsing code

>>108964294
>rewriting a finished software
Ew, let me guess, they're turning it into AIslop? Hard pass

Expect X.org server to suddenly get Windows 7'd soon and all bugs will be responded to with as "install Wayland".

>>108964861
I haven't seen any AI commits in xlibre

>>108963298
bot post

>>108964861
They didn't "rewrite finished software". The Xorg server manually handles the protocol with calculating size of buffers and then inserting data with pointers, which is pretty much the reason for all vulnerabilities. Xlibre simply changed it to write to a buffer that automatically calculates the size and inserts the data so its removes the possibility of writing out of buffer.
X11 client side with xcb also automatically handles the protocol parsing, so why shouldn't the server?

>>108965019
as much as red hat wants to play microshart, they can't do that because Xorg has already been forked and you can install it right now in most distros.

>>108963788
>xorg has never actually crashed on me
I guess you've never had the joys of dealing with buggy drivers then. It's actually worse under Xorg as the driver model is such that everything is running in the main Xorg Server process so even a buggy fucking mouse driver can cause the entire server to hang or crash.

File: 1779422545056769.jpg (14 KB, 670x670)

14 KB JPG

>>108962770
I use x apps over ssh all the time at work.
I started looking into virtual x in a window style solutions.

>>108963611
windows has more viruses

being able to take screenshots is a security vulnerability according to stinky feetfags

i'm not using compositing
bye!

>>108962770
Every single "AI security vulnerability" so far has been proven to be made up hallucinations.

>>108966431
That's an extreme level of cope. A "Use after free" is a "Use after free", anyone can verify if that's real or not. If you're not using the pointer after you freed it then it's the product of a hallucination.

>>108966456
Yes, but a use after free is not necessarily a security vulnerability either, so there are these two components here. First, was there even a use after free at all. In many cases that isn't actually true, just a hallucination. Second, if there is one, can this be exploited. So far there hasn't been a case where this was the case, the AI just made shit up and the human that reviewed and handpicked that one vuln from the list of 10000 the AI shat out was just too tired after going through the list to make sure it was actually real before hitting approve.

>>108965659
see >>108963800
I don't do anything that needs more.

>>108965659
I have used linux since 2006 as my only OS, and I also never encountered something like that.

>>108962775
Xtroons are so delusional lmao

>>108968888 (wasted on a melty)

>>108968893
Get quad truth nuked xtranny

>>108962770
DISCOVER THIS

*BRAAAAAAAAAAAPPPPPAPPppPPpppPppppPppPPPpppppp..---......*

>>108962815
>Remind me again how many security vulnerabilities have been discovered in Wayland?
I think hyprland had one years ago
It's really not surprising it's not that affected by this since Wayland as a specification does not do much.
You'd actually be more likely to find issues in portal implementations
There's also a possibility of a painpoint in the lock screen implementations.

X11 has a few issues in spec that are not exactly vulnerabilities, Xorg has vulnerabilities because it's a huge suite of software with its own driver implementation.

>>108965030
Yet
>>108965061
I don't give a shit frankly, I already don't trust a meme project lead by a retarded nocoder but the moment you told me they're rewriting Xorg for no good reason just validates my choice to stick to the original