The xterm man page includes a section on SECURITY which discusses "Secure
Keyboard" mode, which would make the reader think that xterm can protect
against sniffing the keyboard via the X protocol. However, this is
misleading since grabKeyboard does not protect against all X-windows
keyboard sniffing techniques. Refer to the listed website for a technique
(and source code) which can sniff xterm's keyboard via keyboard polling
(using XKeycodeToKeysym) even when xterm's "Secure Keyboard" mode is
[Originally reported to Sun as Sun bug id #4794364.]
Created attachment 337
proposed warning text for manual page
Perhaps a warning in the man page isn't enough, and it shouldn't be called
"Secure Keyboard" mode anymore? Paranoid Mode perhaps.
So... what do we have to do to get this committed and closed?
alan, any comments on this patch? should we rename "secure keyboard" mode, or
just warn people in the man page? i vote for the latter; let me know either
way, i'd like to get this closed.
The man page warning seems like enough. My question about closing it is how are
we going to handle xterm? Keep following Thomas Dickey's source? If so, do we
want to fix this just in our tree and have to keep merging it forever or should
Thomas be approached about fixing in his master source as well?
If the option was to be renamed, "Grab Keyboard" seems better than "Paranoid Mode".
I'm all about having other people maintain applications. Particularly when that
application is xterm. I'll shoot Tom an email about this bug, possibly
encourage him to host it on fd.o as its own project.
http://freedesktop.org/Software/ProposedAppsPackages lists xterm under the
"redundant" package, but i'd be just as happy to see it exist as a first-class
package. Gentoo already packages xterm separately, I imagine other
distributions will do so as well once the modularisation effort is complete.
This is resolved in Dickey's source as of xterm-186.
As far as packaging goes I suggest we just follow his sources, since it's
actively maintained (186 was released 3 weeks after this bug was opened, with
another five releases between then and now) and there's no real reason to
duplicate effort here.
If no one has any objections, I'll close this.
closing, i don't see any reason to not follow dickey's sources.