On Fri, Dec 16, 2016 at 8:13 AM, Miroslav Rovis <miro.ro...@croatiafidelis.hr> wrote: > On 161216-07:16-0500, Rich Freeman wrote: >> On Fri, Dec 16, 2016 at 5:19 AM, Miroslav Rovis >> <miro.ro...@croatiafidelis.hr> wrote: >> > >> > In my stron opinion, and opinions are allowed in Gentoo, just not >> > imposing your opinion onto others (and that I am not doing, feel free >> > to disagree!), pulseadio is spyware, read more here: >> > >> > Re: [Alsa-user] sans-pulseaudio Firefox? was: a strange thing >> > https://www.mail-archive.com/alsa-user@lists.sourceforge.net/msg31928.html >> > >> >> What exactly about Pulseaudio do you think makes it "spyware?" The > You're right actually. Or might be. It is likely not spyware in itself, > but it surely is spyware enabler. Like dbus and all of poetterware. > > And about xorg. Everybody uses it, I do too. Minimalistically. Just > enough to have, say Firefox and Wireshark, and a good *nix programs that > need gui. But I'd think the possibilities for spying-required remote > connections with xorg are nowhere near to what poetterware and > associates offer. >
I'm not sure I understand what distinction you're making. I can't say I'm intimately familiar with the security model around Pulseaudio (at a glance it seems similar to X11 with its use of cookies, though obviously if you tell it to broadcast unencrypted multicast RTP on your LAN you'll get the obvious effects) but X11 has a couple of glaring security weaknesses. The most obvious is the fact that any random X11 client can read the keyboard input of any other client on the same server unless you jump through a bunch of hoops that I don't think anybody actually jumps through (though I do believe some of the X11 PIN entry programs may use them at least). Anything you type into an xterm could be read by your browser, and in turn by any code able to execute outside any sandbox that browser might have (root privs not needed for this). And I wouldn't be surprised if a lot of X servers still run as root for modesetting/etc. > That's why they came into existance, after all. Uh, somehow I doubt that Lennart wrote Pulseaudio just to simplify the task of getting audio off of a local host so that somebody can spy on you. Maybe it had something to do with the fact that before it came along just doing something like plugging a USB headset into a Linux desktop was a bit of a chore? Well, if you prefer not to use Pulse, that's of course up to you. I wasn't running it for ages, and I probably still wouldn't be running it if I didn't have issues with running multiple desktop sessions as separate users (one of those things that stuff like pulse+policykit and so on was designed to help fix). -- Rich
