Yes, and it still does. Practically every X11 installation is vulnerable.
(If you’re nitpicking my use of the word plagued, though, note that I am talking about the vulnerability, not the exploit.)
I never heard about any app logging keystrokes and sending them somewhere.
That’s because of a variety of external factors, including:
X11 desktops aren’t common enough to be priority malware targets, yet.
People who run only open-source software typically get it from trustworthy channels, like their OS distro’s package repository.
Devices likely to attract malware, such as game consoles and mobile phones, have avoided X11. (Android phones and Steam Deck are examples.) This is no accident; lack of app isolation was a factor in that decision.
I don’t think normal users had to worry about it.
We’ve been lucky so far, in that our circumstances have kept us mostly safe. However: Linux malware is on the rise. Commercial games, both on their own and through anti-cheat systems, are making opaque software more common on our desktops. Flathub is working on paid apps, which could likewise create malware opportunities that weren’t there before. The Epic Game Store has already been caught collecting data from other apps, so the intent is clearly present already.
It’s generally just a matter of time before exploitable systems become exploited systems. We would do well to close the door on unauthorized key logging, clipboard snooping, screen scraping, and input injection.
One problem that has long plagued X11 is that any app can snoop on any other app, including things like keystrokes and displayed information, even from within containers like Flatpak. (This is understandable, since it was designed at a time when spyware was rare, so there was no need for isolation more fine-grained than the user level.)
IIRC, Wayland didn’t address that problem in its early days, but in these modern times of surveillance capitalism, I suspect it has been getting more attention. It would be nice to see it solved.
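Added example, not part of the original comment: a defender-side audit that lists which installed Flatpak apps are granted the X11 socket, which is what lets a sandboxed app reach the shared X server discussed above. It parses the output of `flatpak info --show-permissions`; the function names and the sample metadata are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report Flatpak apps that can reach the X11 socket.

# x11_exposure SESSION_TYPE
# Reads `flatpak info --show-permissions` output on stdin and prints
# "x11", "fallback-x11" or "none" for the given session type.
x11_exposure() {
    sess="$1"
    # Keep only the sockets= key of the [Context] group, one socket per line.
    socks=$(awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]") }
        in_ctx && $1 == "sockets" { print $2 }' | tr ';' '\n')
    if printf '%s\n' "$socks" | grep -qx 'x11'; then
        # Unconditional X11 access (on Wayland this means XWayland).
        echo "x11"
    elif [ "$sess" != "wayland" ] &&
         printf '%s\n' "$socks" | grep -qx 'fallback-x11'; then
        # fallback-x11 only grants X11 when the session is not Wayland.
        echo "fallback-x11"
    else
        echo "none"
    fi
}

# audit_flatpaks: print "app-id<TAB>exposure" for every exposed app.
audit_flatpaks() {
    command -v flatpak >/dev/null 2>&1 || {
        echo "flatpak not installed" >&2; return 0; }
    cur="${XDG_SESSION_TYPE:-x11}"
    flatpak list --app --columns=application | while read -r app; do
        [ -n "$app" ] || continue
        lvl=$(flatpak info --show-permissions "$app" 2>/dev/null |
              x11_exposure "$cur")
        [ "$lvl" = "none" ] || printf '%s\t%s\n' "$app" "$lvl"
    done
}

# Constructed sample metadata, so the parser can be tried without flatpak.
SAMPLE='[Context]
shared=network;ipc;
sockets=wayland;fallback-x11;pulseaudio;'
printf '%s\n' "$SAMPLE" | x11_exposure x11       # fallback-x11
printf '%s\n' "$SAMPLE" | x11_exposure wayland   # none
```

Run `audit_flatpaks` on a real system; an app it reports can have the grant removed with `flatpak override --user --nosocket=x11 <app-id>`, provided the app works without it.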
You could restructure your network, but it’s probably not necessary. My phone is always behind NAT on the secondary router’s wi-fi. I got it working by:
Reserving a static IP address for my phone in the secondary router’s DHCP server.
Forwarding incoming ports 1714-1764 on that router to the phone’s IP address.
Allowing outgoing traffic from that router’s network to ports 1714-1764 on my workstation’s IP address (on the primary network).
Adding a device by IP address (my workstation) in my phone’s KDE Connect app.
KDE in 8GB RAM won’t leave you much room for applications. If you can’t get more memory, I suggest trying a lighter desktop environment, or maybe using ZRAM or ZSWAP.
Akonadi is a pig. Nearly 20 processes, each one using 20-150MB resident set (20-40MB unique set), multiplied by the number of users logged in. And then there’s the other stuff it keeps resident, like mysqld.
That might be okay if I was getting something important from it, but I’m not. It provides zero value to me. It’s just wasting RAM that I would rather use for other things.
Unfortunately, it’s part of the Plasma dependency chain on my distro, so removing it would be problematic. When I find the time, I may build a custom metapackage to allow me to get rid of it without taking most of KDE with it.
We already have the IDs you mention in the URLs though, right? In the post I used as the example, the author’s home instance URL for the item is lebowski.social/post/12337
Yes, the needed information is already present in those URLs, but as URLs, they instruct the browser to leave the current site and visit the origin instance, which is not what we want. To get the desired behavior, we would want:
Those two fields combined in a distinct format (not easily confused with a URL).
An obvious way for readers to get the global ID for any message they see (perhaps with the community/magazine name embedded, to make finding the source forum easy for humans who see it)
Apps (including the web interface) displaying each global ID as a link to the nearest copy of its message (local copy when available, origin instance copy as a fallback)
An easy way to manually navigate to any message by entering its global ID
a way that can be easily learned to transform the URL by copy/paste by hand
A unique ID doesn’t have to be long, opaque, and ugly like a UUID. All you need is a <locally-unique-number> + <originating-instance-domain>. Add a prefix to distinguish its type from other things at that domain, and you’ve got an ID that’s unique, readable, and easy to troubleshoot.
You’re assuming that the word federation means central governance over the component parts. It doesn’t. That’s just an element that happens to be present in well-known political federations, which are not the only kind.
Debian Stable + Backports, with a few customized flatpaks. I don’t care that my desktop apps are not bleeding edge. My system always works, and games run great.