51

After reading

Xorg becomes the default display server again

and considering the security risk of xorg, I am wondering why the developers left Wayland. The fact that a few programs do not work on Wayland does not justify such a security risk. Any low permission program will have your password and they can enjoy it.

Does any body know why Wayland or any other alternative could not continue with Ubuntu and why this risk is tolerated?

Improve this question
5
  • 14
    The primary reason for the move to wayland was not security, but a more modern architecture which fixes quite a lot of X11 quirks (i.e. having multiple context menus open at the same time). Security is one advantage, but not the only one and for most people not the most important one. For the switch back see the answer from @forest. When things don't work well yet, you should not replace such an important component. Especially since Ubuntu had a lot of bad experience in the past when they were an early adopter of pulseaudio.
    – allo
    Commented Apr 17, 2018 at 13:33
  • 33
    You seem to believe that 1) that security risk was (relatively) recently discovered 2) that wayland completely fixes it 3) that said security risk is really dangerous 4) that the move away from X was to fix that security risk. I'm afraid all 4 your assumptions are flawed. This has been known for decades, and it is a pretty acceptable flaw. Sure: users that will run/install anything they come across will suffer from it, but smarter users will probably be affected by different issues, since when that flaw can be exploited is already game over.
    – Bakuriu
    Commented Apr 17, 2018 at 18:50
  • 1
    @Bakuriu It is not game over once someone has local access to X11. Because it can be accessed over the network (even if it is not really network transparent), there have been a few instances where attackers could access it over certain browsers in specific circumstances (where it was actually exploited in the wild). Also, someone may have access to X11 but only for an unprivileged user. A smart user will not run programs of different security domains under the same X server.
    – forest
    Commented Apr 18, 2018 at 2:57
  • 1
    @forest I'm not aware of any recent Linux distribution that lets X listen on the network by default; Debian (on which Ubuntu is based) hasn't for maybe two decades. Locally, clients connect to the X server over a Unix socket which demands authentication (see man xauth for details), so other users cannot connect to your X server and grab your keypresses. So under most circumstances, a program that can access your X server to grab keys is already running locally under your user, which is why I believe Bakuriu called that scenario game over. Where does your interpretation differ?
    – marcelm
    Commented Apr 18, 2018 at 22:00
  • @marcelm My memory of this comes from years ago, so it could very well be before unix domain sockets were commonly used for Xorg.
    – forest
    Commented Apr 19, 2018 at 2:20

3 Answers 3

Reset to default
83

They are doing this because the next release is an LTS release, which means stability is the primary concern. Xorg has a good track record of stability, whereas Wayland is still (relatively) new. This decision is not permanent and does not mean Ubuntu has given up on using Wayland, just that it has delayed it. You can also opt to use Wayland instead of Xorg if you would like.

From Ubuntu Insights, the three primary reasons for using Xorg by default are:

  1. Screen sharing in software like WebRTC services, Google Hangouts, Skype, etc works well under Xorg.

  2. Remote Desktop control for example RDP & VNC works well under Xorg.

  3. Recoverability from Shell crashes is less dramatic under Xorg.

You will still be able to use Wayland and it is still pre-installed:

The Wayland session will still be available, pre-installed, for people to use, but for our ‘out of the box’ users the Ubuntu experience needs to be stable and provide the features they have come to expect and use in daily life and Xorg is the best choice here, at least for 18.04 LTS, but for 18.10 we will re-evaluate Wayland as the default.

Improve this answer
10
  • 21
    According to Wikipedia, Wayland was first released 30 September 2008. That's almost ten years ago... :(
    – RonJohn
    Commented Apr 17, 2018 at 13:39
  • 41
    @RonJohn that just shows how difficult such a project is, regardless of how necessary it is for the ecosystem. It takes years to reach trustworthy stability. And by the way Wayland 1.0 was released "only" on 22 October 2012. Wayland for the win!
    – Ramon Snir
    Commented Apr 17, 2018 at 13:47
  • 11
    @RonJohn, X11 was first released in 1987; X386 (the original version of what is now Xorg) was released in 1991. Ten years isn't a lot of time to try to catch up to 27 years of development.
    – Mark
    Commented Apr 17, 2018 at 18:52
  • 6
    That's very nice when a company thinks of users so much, unlike other OS making companies who don't allow their users to choose what they want from software, restricts them to their own "vision", and give no option to choose for themselves. Linux should become more popular and used.
    – Vanity Slug - codidact.com
    Commented Apr 17, 2018 at 18:52
  • 2
    @RonJohn It's decently active. You can git clone git://anongit.freedesktop.org/git/xorg/util/modular to see recent commits for yourself.
    – anon
    Commented Apr 18, 2018 at 1:37
26

@Forest's answer is helpful but I'd like to address the security perspective.

While there is a security risk, it's likely considered an acceptable risk, and possibly a feature, as mentioned in @BenCreasy's comment. It's clearly acceptable enough such that Xorg has been the default display server on many distributions for many years.

The primary concern seems to be that a process running as a user can log all keystrokes entered by the user from other processes, which may include passwords or other secrets. However, with a standard threat model, to get to the point where this could be used, you've already trusted and allowed the program to run as your user. It could do much nastier things than simply log keystrokes. Therefore, while an oversimplification, it's like saying "there's a security vulnerability in the system because running this malicious program gives me a virus".

However, this is not the best model, and is why Wayland attempts to solve the issue.

Improve this answer
3
  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Commented Apr 20, 2018 at 10:56
  • @JimmyJames -When you say "It's not the case that ability to capture the information that is already available to a running browser from a script or extension would imply, require, or otherwise be equivalent to being able to being able to modify the system. Access to information is typically easier to gain than control.", do you mean that if a browser plugin is malicious that it extends to the ability to modify the system? If yes, would that not mean that the malicious plugin has the ability to sniff the privileged credentials when a secondary application is run and the command is passed to it
    – Motivated
    Commented Jan 22, 2019 at 6:18
  • @JimmyJames - For example, if i have an terminal emulator running and the command sudo is passed with root credentials, would/can it not result in the credentials being captured to execute other malicious application?
    – Motivated
    Commented Jan 22, 2019 at 6:19
5

I am wondering why the developers left Wayland

At least on some computers some programs do not work properly (or even do not work at all) when using Wayland (while the programs work fine on Xorg):

Bug report #1731102 filed on Canonical's bug reporting site "launchpad.net" even describes that nearly all programs did not work correctly on the user's computer.

(I myself had similar experiences with Wayland however only some programs caused problems.)

Obviously for the developers of Ubuntu it is more important that Ubuntu works correctly on every computer than getting rid of a potential security risk (not knowing if the use of Wayland will introduce new security risks - of course).

the security risk of xorg

The security risk described in your link is also present in Microsoft Windows (up to Windows 7).

So maybe that security risk is not considered to be too critical.

Improve this answer
15
  • 11
    Your personal experience should be more of a comment than an answer, as it does not answer OP's question. It is just a review of Wayland.
    – forest
    Commented Apr 18, 2018 at 6:19
  • 1
    Indeed. While Wayland is also completely unusable on my system, this answer must undergo a pretty big revision to stay on topic
    – pipe
    Commented Apr 18, 2018 at 7:21
  • +1 didn't know that: The security risk described in your link is also present in Microsoft Windows.
    – ar2015
    Commented Apr 18, 2018 at 7:52
  • 1
    This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. - From Review
    – LvB
    Commented Apr 18, 2018 at 13:09
  • @LvB I re-worked my complete answer. Could you review the changes? Thanks.
    – Martin Rosenau
    Commented Apr 19, 2018 at 6:15

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .