On Tue, 2004-06-08 at 11:21, Stephen Smoogen wrote: > Will the Xsecurity extensions be looked at in the future. Rather than the old XSECURITY extension we're looking at an SELinux-style approach that the NSA guys are working on, essentially changes all the hardcoded XSECURITY checks in the server into callouts to a configurable policy. I think this technology has a way to go; the security checks are frequently at the wrong level of granularity (e.g. a clipboard paste translates into a whole series of X protocol requests - and the security checks are at the level of each individual request, with no context to figure out that we have a paste from app A to app B in format XYZ) It's like security-checking a stack of documents by chopping it into quarter-inch squares and trying to pick which ones can go through ;-) Nonetheless we're thinking about it, and there are some low-hanging fruit things that can be secured. Havoc
