Debian ought to release ssh to DWIM according to the manual. Hiding the implicit -Y option with -X only perpetuates the security risk in the community.
Changing the default to "ForwardX11Trusted no" will force people to use -Y and be aware they are exposing their local X to risks from compromised software on the remote host. This will also provide impetus for developers of common utilities and other distros to fix their software so it does not require a trusted connection. Like, why should I need a trusted connection to run `gvim` through ssh? It should only have to access information on the remote side, and should only be allowed to use X drawing controls on the local side.

The main point is that implementing defaults so -X and -Y DWIM according to the manual will make people aware of the security risk they take when they use ForwardX11Trusted. It is the Debian community's responsibility not to hide security risks from its users. Removing the ForwardX11Trusted default will be painful medicine, but it is medicine the kiddies have to take, for their own good.

--
Mark Hedges, software engineer
Business info: http://formdata.biz/