Document that GNOME is not a supported desktop environment #27

Open
opened 2025-11-15 16:21:39 +09:00 by kat · 0 comments

As previously discussed, running Hakurei with the Wayland enablement bit set does not work under GNOME, due to its lack of support for the security-context-v1 protocol. This will likely be of surprise to users, and should hence be documented; perhaps as such on the website, somewhere near the install instructions or § OS Compatibility:

> GNOME does not support running Wayland applications securely via Hakurei. See the FAQ for information.

This suggests a FAQ be added, which would otherwise be a helpful location to inform users about various deficiencies due to Freedesktop-spawned intricacies or other similar hacks.

The entry in question may be somewhat like:

> ## Why is GNOME not supported?
>
> Sandboxing tools on Wayland require the compositor to support the security-context-v1 protocol to run Wayland applications securely. GNOME's compositor Mutter does not support this protocol; [its maintainers consider security-context-v1 to be unnecessary](TODO: link to maintainer's response about it) because they have a hack to allow for Flatpak applications to work securely. However, this hack is vulnerable to various other security issues, and it is Flatpak-specific, which means running Wayland applications via Hakurei in GNOME is just as effective as not using Hakurei at all. Flatpak is the only secure way to use GNOME.
>
> The only solution is to patch GNOME to add support for this protocol. However, Hakurei's maintainers are currently unwilling to maintain such a patch set. If you are willing to contribute and maintain a patch set to add support for security-context-v1, feel free to do so; in the meantime, GNOME will remain unsupported.
>
> Running Hakurei under GNOME with Wayland support enabled will result in an error. It is, however, possible to use Hakurei with Wayland support disabled, if you wish to do so.

Note: this is just a suggestion; alternative measures may of course be explored and implemented.

It might also be useful to modify the error message shown when security-context-v1 is unavailable to point to this documentation when running under GNOME specifically.


Raw markdown of above texts

```md
[GNOME](https://www.gnome.org/) does not support running Wayland applications securely via Hakurei. [See the FAQ](https://hakurei.app/faq.html#gnome-unsupported) for information.
```

```md
## Why is GNOME not supported?

Sandboxing tools on Wayland require the compositor to support the [`security-context-v1`](https://wayland.app/protocols/security-context-v1) protocol to run Wayland applications securely. GNOME's compositor [Mutter](https://mutter.gnome.org/) does not support this protocol; [its maintainers consider `security-context-v1` to be unnecessary](TODO: link to maintainer's response about it) because they have [a hack to allow for Flatpak applications to work securely](https://gitlab.gnome.org/GNOME/mutter/-/blob/3ce48d0153df09e289106c74333d31ca18875039/src/core/window.c#L937-958). However, this hack is [vulnerable to various other security issues](https://git.gensokyo.uk/security/hakurei/issues/21), and it is Flatpak-specific, which means running Wayland applications via Hakurei in GNOME is just as effective as not using Hakurei at all. Flatpak is the only secure way to use GNOME.

The only solution is to patch GNOME to add support for this protocol. However, Hakurei's maintainers are currently unwilling to maintain such a patch set. If you are willing to contribute *and maintain* a patch set to add support for `security-context-v1`, feel free to do so; in the meantime, GNOME will remain unsupported.

Running Hakurei under GNOME with Wayland support enabled will result in an error. It is, however, possible to use Hakurei with Wayland support disabled, if you wish to do so.
```
ophestra added the Kind Documentation, Priority Medium, Reviewed Confirmed labels 2025-11-15 16:23:15 +09:00
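One way the GNOME-specific error hint suggested in the issue could look, as an added example that is not Hakurei's own code. It assumes the list of advertised Wayland globals has already been collected from the registry; the function names and the sentinel error are hypothetical, and the FAQ URL is the one proposed in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Global interface name under which security-context-v1 is advertised.
const securityContextManager = "wp_security_context_manager_v1"

// FAQ anchor proposed in the issue; the page may not exist yet.
const gnomeFAQ = "https://hakurei.app/faq.html#gnome-unsupported"

// ErrNoSecurityContext is a hypothetical sentinel, not Hakurei's error value.
var ErrNoSecurityContext = errors.New("compositor does not implement security-context-v1")

// isGNOME reports whether an XDG_CURRENT_DESKTOP value names GNOME.
// The variable is a colon-separated list (for example "ubuntu:GNOME"),
// so comparing the whole string would miss distribution-branded sessions.
func isGNOME(currentDesktop string) bool {
	for _, name := range strings.Split(currentDesktop, ":") {
		if name == "GNOME" {
			return true
		}
	}
	return false
}

// checkSecurityContext returns nil when the compositor advertised the
// security-context-v1 global. Otherwise it fails closed with an error,
// adding a pointer to the FAQ entry when the session is GNOME.
func checkSecurityContext(globals []string, currentDesktop string) error {
	for _, iface := range globals {
		if iface == securityContextManager {
			return nil
		}
	}
	if isGNOME(currentDesktop) {
		return fmt.Errorf("%w: GNOME is not supported, see %s", ErrNoSecurityContext, gnomeFAQ)
	}
	return ErrNoSecurityContext
}

func main() {
	// Constructed sample: globals from a compositor lacking the protocol.
	globals := []string{"wl_compositor", "wl_shm", "xdg_wm_base"}
	fmt.Println(checkSecurityContext(globals, "ubuntu:GNOME"))
}
```

Wrapping the sentinel with `%w` keeps `errors.Is` checks working for callers that only care whether the protocol is missing.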