why can't this show me which application? because this recently pops up on my empty gnome desktop after login, so i'd really like to know :D
-
lucie lukas "minute" hartmann (mntmn@mastodon.social)'s status on Sunday, 10-Aug-2025 22:10:11 JST
-
mhoye (mhoye@mastodon.social)'s status on Sunday, 10-Aug-2025 23:36:47 JST
@mntmn This kind of thing has been going on in Linux UIs for ages and it is just the most bonkers, infuriating thing. We spend all this time telling people to be extra careful to avoid sharing passwords and phishing anything and then build and apparently tolerate dialogs that say "put in your password" with no useful information why or any way to validate any claims or anything.
I mean, what are we even doing here?
-
Cybarbie (nf3xn@mastodon.social)'s status on Sunday, 10-Aug-2025 23:36:47 JST
@mhoye @mntmn Absolutely horrible user experience. Which application, which password. Does the keyring even exist? What is a keyring? All stuff an aged grandmother is not going to know.
-
mhoye (mhoye@mastodon.social)'s status on Sunday, 10-Aug-2025 23:36:47 JST
@nf3xn This isn't "elderly grandparent perplexity" material! I've been neck deep in Linux professionally for like 30 years and I don't know what's going on here. @mntmn, without exaggeration, _makes and sells his own boutique computers_ and doesn't know what's going on here.
How is _anyone_ supposed to make a rational, informed judgment about this?
-
Tom Walker (tomw@mastodon.social)'s status on Sunday, 10-Aug-2025 23:36:54 JST
@mhoye @nf3xn @mntmn Yes, there is simply no way for anyone regardless of skill level to know wtf is going on when the prompt says "an application" and there is no way whatsoever to tell which application.
The dialog is a complete failure and active security risk.
-
Cybarbie (nf3xn@mastodon.social)'s status on Sunday, 10-Aug-2025 23:41:06 JST
@tomw @mhoye @mntmn GNOME keyring is a bolt-on security dumpster fire. Is this that systemd fucker again?
No I do not want your no-man's land security layer.
-
Rich Felker (dalias@hachyderm.io)'s status on Sunday, 10-Aug-2025 23:42:32 JST
@trainguyrom @koteisaev @mhoye @mntmn This is entirely ignoring the root problem: existence of a shared keyring. It's a security antipattern. There is never a legitimate reason for automated secret sharing between different applications in a normie end user device setting. The actual goal is probably preventing sketchy apps/malware from stealing secrets from things you actually care about, and this can be accomplished by finer grained permissions, not inane-prompt-on-access.
-
trainguyrom (trainguyrom@techhub.social)'s status on Sunday, 10-Aug-2025 23:42:33 JST
@koteisaev @mhoye @mntmn Showing the program name in a way that can be spoofed would still be better than the current UI. Most of the time this dialogue would pop up because of something either the user did or something the system was configured to do, and in either case showing the program name without code signing would be perfectly fine. Yes, a malicious actor could make it fake the name, but to not display useful information to the user just because a malicious actor might not give truthful information to the system is silly.
-
Magical Cat (koteisaev@mastodon.online)'s status on Sunday, 10-Aug-2025 23:42:34 JST
@mhoye @mntmn
What is a better approach? Overload non-technical details like the full command line of the process?
"Just place app name" does not work until there is some digitally signed relation between an entry in the list of installed applications, where visible names should be unique, and an executable. And this would make the development experience a torture, or at least add some painful burden making package/code/desktop entry signing mandatory...
-
Rich Felker (dalias@hachyderm.io)'s status on Monday, 11-Aug-2025 00:57:32 JST
@trainguyrom @koteisaev @mhoye @mntmn The whole idea for this antipattern comes from vile anti-user DRM schemes where the user's OS is treated as untrusted and the secrets are going to be stored (necessarily in shared storage since it's a device singleton) in a hardware element designed to keep the user from accessing them. Software shared keychain systems are vibe-coding-replicating this antipattern rather than actually trying to satisfy some legitimate security design requirements.