BLU Discuss list archive
[Discuss] SSH options (was Future of X11 (was Trying to connect to internet in Debian))
- Subject: [Discuss] SSH options (was Future of X11 (was Trying to connect to internet in Debian))
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- Date: Mon, 19 Jan 2026 12:47:11 -0500
- In-reply-to: <56dcf563-62a6-4c16-aa84-ed825818def7@borg.org>
- References: <61c91e0a-f658-415c-a91d-bc8cb008bf0b@borg.org> <26989.37879.578151.953291@gargle.gargle.HOWL> <26989.37936.100241.254462@gargle.gargle.HOWL> <c40fd68e-e540-471c-a253-7ae04dedaa65@borg.org> <20260119080150.7891b97d.Richard.Pieri@gmail.com> <56dcf563-62a6-4c16-aa84-ed825818def7@borg.org>
> On 1/19/26 5:01 AM, Rich Pieri wrote:
>> The X11 SECURITY extension allows you to mark X11 clients as trusted or
>> untrusted. Development was abandoned in the 1990s because hardly anyone
>> used it, but the code still lives in X.Org. Problem is, clients marked
>> untrusted don't work as expected and often not at all. -Y says "forward
>> X11 SECURITY trust". In practice it marks your X11 clients as trusted
>> which bypasses the extension so that they work correctly.
>
>
> So when I "ssh -X 10.1.2.3" (no "-Y") I'm not getting best "work as
> expected"? I have never used "-Y" and X forwarding has worked well for
> me, so I can live with that.
>
> But am I actually getting any security advantage by adding "-Y"? I
> thought I saw someplace that "-Y" is (nearly?) a no-op.

I never looked too much into the mechanics of "-Y," but if you want to ssh
into a Mac and run an X application, you need the -Y.

>
>
> Note, I don't run untrusted programs over X, but I also don't want to
> trust all these "trusted" programs. Just because something is in an
> official Debian package doesn't mean we should necessarily trust its
> intentions. And it certainly doesn't mean we should trust its competence
> (and so its relative invulnerability to exploit).
>
> I sure know that since I looked at a little of the sources to Dovecot I
> very much want to get off of it, when I get the chance.
>
> -kb
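An added example, not part of the original message or thread: `ssh -G` prints the configuration the client would actually use, so the -X versus -Y question above can be checked per host by reading `forwardx11` and `forwardx11trusted` from that output. The function names and the sample outputs are constructed for illustration; `10.1.2.3` is the address used in the thread.

```shell
#!/bin/sh
# Added example: classify X11 forwarding from `ssh -G` output on stdin.
# Prints one of: off | untrusted | trusted
x11_mode() {
    awk '
        # ssh -G emits one lowercase "keyword value" pair per line
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"    # SECURITY extension bypassed
            else                       print "untrusted"  # SECURITY extension applied
        }'
}

# Report the mode ssh would use for each host. EXTRA_FLAGS (hypothetical
# variable, e.g. EXTRA_FLAGS=-X) is applied on top of ssh_config.
audit_hosts() {
    for host in "$@"; do
        # EXTRA_FLAGS is intentionally unquoted so it can hold several flags
        if cfg=$(ssh -G $EXTRA_FLAGS "$host" 2>/dev/null); then
            mode=$(printf '%s\n' "$cfg" | x11_mode)
        else
            mode=error   # do not report "off" when the config could not be read
        fi
        printf '%s\t%s\n' "$host" "$mode"
    done
}

# Constructed samples of `ssh -G` output, trimmed to the relevant keys.
SAMPLE_PLAIN='hostname 10.1.2.3
forwardx11 no
forwardx11trusted no'
SAMPLE_UNTRUSTED='hostname 10.1.2.3
forwardx11 yes
forwardx11trusted no'
SAMPLE_TRUSTED='hostname 10.1.2.3
forwardx11 yes
forwardx11trusted yes'
# Trusted is preset in the config, but forwarding itself was not requested.
SAMPLE_PRESET='hostname 10.1.2.3
forwardx11 no
forwardx11trusted yes'

# Query real hosts only when host names are given as arguments.
if [ "$#" -gt 0 ]; then audit_hosts "$@"; fi
```

Because the check reads the resolved value, it also shows when a system-wide or distribution default has already set `ForwardX11Trusted`, in which case plain `-X` reports `trusted`.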
