> And if there's a security problem with something isn't hacking around with it because people need it a really strong indication that the idea is broken and probably making the situation worse?
If there’s a security problem and people are hacking around it, that’s an indication that the either those people have bad needs, or that the security model is flawed — but it’s not an indication that it’s wrong to attempt to secure that resource in the first place.
If a janitor needs the nuclear-missile launch codes to clean the missile silo, you’ve probably fucked something up — but that “something” isn’t the fact that the missile silo doors are code-locked. (Instead, it’s probably 1. the fact that you’re using the same credentials for physical missile access as you are for missile launch, and 2. the fact that your regular janitor is expected to clean the missile silo.)
In this case, the security model of Wayland is the same kind that Windows and Android already have: preventing “low-integrity” apps from screen-scraping “high-integrity” apps. In other words, preventing a random webpage running in Chrome from stealing your credit card details sitting visibly in a sibling text-editor window.
(Or, of course, preventing you from Twitch-streaming your playback of DRMed Netflix video. That’s a use-case that “needs supporting” too, given that the alternative is that type of video not playing back on the platform at all.)
I guess my question is: Why shouldn't "take a screenshot, either of a window, the whole screen, or a portion of the screen" be something that Wayland itself be expected to handle?
I mean, if you're worried about security of apps from other apps, don't make it something in the apps' domain. Only allow Wayland to take the screenshots, but support that, make it easy, and you won't need to worry about either the security model or users complaining.
I mean, this is the way other OSes do it...to the best of my knowledge (which is certainly not comprehensive) neither Windows nor macOS allow arbitrary apps to screenshot arbitrary portions of the screen; that's handled by the OS itself.
I think that (the compositor doing the screenshotting) is already the way it works. But "screenshots" (i.e. fed to the user as files / on the pasteboard) are the exception, not the rule, of the use of this API.
The normal, non-edge-case use of the relevant screen-capturing API is for screen-sharing ala Zoom, or for remote desktop using RDP et al. These are use-cases where one app wants to see what's going on in other apps — exactly the thing you wouldn't want a malicious app to be able to do, but also exactly the thing that you do want these apps to be able to do.
If there’s a security problem and people are hacking around it, that’s an indication that the either those people have bad needs, or that the security model is flawed — but it’s not an indication that it’s wrong to attempt to secure that resource in the first place.
If a janitor needs the nuclear-missile launch codes to clean the missile silo, you’ve probably fucked something up — but that “something” isn’t the fact that the missile silo doors are code-locked. (Instead, it’s probably 1. the fact that you’re using the same credentials for physical missile access as you are for missile launch, and 2. the fact that your regular janitor is expected to clean the missile silo.)
In this case, the security model of Wayland is the same kind that Windows and Android already have: preventing “low-integrity” apps from screen-scraping “high-integrity” apps. In other words, preventing a random webpage running in Chrome from stealing your credit card details sitting visibly in a sibling text-editor window.
(Or, of course, preventing you from Twitch-streaming your playback of DRMed Netflix video. That’s a use-case that “needs supporting” too, given that the alternative is that type of video not playing back on the platform at all.)