See here for why: http://docs.hp.com/en/T1471-90011/ch01s02.html#babifija

> So can we change the upstream default back to what it used to be?

I'd like that, this change essentially breaks X11 forwarding entirely ... if you're connecting to a server where root is untrusted then you're at risk without this change, but the flip side is how many people will know/remember to use the magic -Y switch and how often do you forward X connections from places where root is untrusted? Surely if root on the remote box is a bad guy they could hijack X anyway by taking over whatever app you're forwarding?