WingNews logo WingNews
top | item 46279789

(no title)

GalaxyNova | 2 months ago

> any app on the bus can read all secrets in the store if the store is unlocked

Holy shit. I knew conceptually that this was the case but never really took the time to consider the implications.

Pretty much whenever you unlock your keyring all your secrets are accessible by any software that can connect to the bus... How is this acceptable? Are we just supposed to run everything as Flatpak?

discuss

order

jeroenhd|2 months ago

Funnily enough, my work macOS keychain maimed itself in such a way that I need to recreate it every time I install an OS update. Every time I recreate it, the OS spends a few minutes in a state where every application that needs access to the secrets store requests access through the keychain's password. Incredibly secure!

Turns out, that's every application, every few minutes, many of them multiple times. Applications like having access to things like refresh tokens so they can download your email, or discover passwords for offering autofill for a website.

I'd welcome many improvements to the Linux status quo, but applications not needing to ask before accessing the bus is the only reason it's usable in the first place.

mx7zysuj4xew|2 months ago

It's acceptable because flatpak dbus and all its ilk are too opaque for the average "experienced" user to fully grok. The problems are there, but the situation is so convoluted that it's hard to build a mental model unless you truly understand the overall system architecture

throw_await|2 months ago

keepassxc asks before giving out secrets

XorNot|2 months ago

Most people disable that.

The reality is no one wants to be prompted everytime for a password. They want it to auto fill.

In complaining about this people are setting the boundary at the wrong place, and in proposing solutions assuming user behavior which doesn't exist (they will absolutely click "yes trust random application I'm busy move along now please").

I do not want to be prompted. I do perhaps want grades of secret access but even then thats asking a lot - do you want my SSH keys? Well yeah I probably want to give them to you some app which is automating things over SSH. It's 5 more versions before you get updates to ship them all to Russia or wherever after an author hand over.