Changing the title of the thread again... hard to believe this started out as a discussion about Darktable. On Tue, 2015-09-15 at 11:51 +0200, Alexander Larsson wrote: > No, i have not. Its on my todo list, but honestly its been pushed > down > partially because i have no real idea how this stuff works at all. :/ Me too. I ran into the same trouble working on the sandbox for WebKit: https://bugs.webkit.org/show_bug.cgi?id=143004 I chatted with Alejandro Piñeiro about this today. The at-spi2 socket is a total sandbox escape: it can be used to inspect the accessibility tree of arbitrary applications, send them keyboard input, etc. We can't allow access to it. Also we can't block it, since that breaks a11y. A design change will be required. It should be considered in tandem with the problem of supporting a11y under Wayland, since the design problem there is similar. The basic issue is that Wayland clients have no access to other Wayland clients (except through clipboard and drag-and -drop selections), which is a security feature of the Wayland protocol, but one that breaks much of a11y, gnome-screenshot, etc. a11y needs a way to give privileged applications such access, while limiting the access of unprivileged applications. Michael -- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/desktop
