Hello again!
It’s been nearly a month and a half since my last status update.
Since I hope to fall into a monthly rhythm with these this is a decent start, look for the next one around the middle of March.
I’ve also gotten a proper Atom Feed set up for this blog now for those of you using feed readers of some kind.
I spent a fair bit of time over the past month an a half working on a better screenlocking protocol for Wayland.
This resulted in the ext-session-lock-v1 protocol which was merged into the upstream wayland-protocols repository three weeks ago.
This marks the first upstream Wayland protocol I have written and the first protocol in the ext- namespace to be accepted into wayland-protocols!
The ext-session-lock-v1 protocol makes it possible for lockscreens implemented outside of the Wayland compositor to be far more secure, compared to the status quo wlr-input-inhibitor-v1 plus wlr-layer-shell-v1 solution that has been used by swaylock and waylock thus far.
Currently if, for example, swaylock crashes while the session is locked then the session will no longer be locked.
With ext-session-lock-v1, the session does not unlock if the client crashes.
Furthermore, hotplugging outputs is inherently racy with the current solution which means that a few frames of the unlocked session may be visible if a monitor is plugged in while the session is locked.
Again, with ext-session-lock-v1 this problem is solved.
Many thanks to Simon Ser for the excellent code reviews of the protocol and wlroots implementation, as well as for updating swaylock to use ext-session-lock-v1.
I’ve implemented ext-session-lock-v1 for river but am waiting for the 0.16.0 wlroots release to merge it as river tracks the latest wlroots release not the master branch.
I’ve also started rewriting waylock from the ground up in Zig with a much higher focus on security and benefiting from the experience I’ve gained over the past 2 years of doing this stuff.
Until that work is complete I recommend using swaylock instead.
The goal of this work is to ensure, to the best of my ability, that jwz doesn’t have to say “I told you so” about screen locking on my Wayland compositor.
Once the security problem has been satisfactorily solved I want to explore making fun graphics possible without compromising security, but that may take me a long time to get around to.
I released river 0.1.3 about a week ago.
It includes quite a few bug fixes, so if you’re not yet using river 0.1.3 and wlroots 0.15.1 I’d highly recommend upgrading.
I also decided to change river’s license from GPL-3.0-or-later to GPL-3.0-only with this release,
primarily because I decided that I do not feel comfortable licensing software under a hypothetical future license version which is outside my control.
What if I disagree with the changes made?
I’m happy with locking in on version 3 of the GPL for river as there’s no real need to worry about the compatibility benefits of the “or later” clause as river is not a library.
That’s all for now, see you all in March!