So your argument is that if a vulnerability has been there for long enough (or affects another OS), it's OK to leave it there? If a user want to be affected by that, it's his/her choice, but the sane behaviour should be the default. Or, in the minimal case, applications that can be "controlled" remotely (e.g. IM, web browser, IRC client) should *never* grab focus by default. It's just asking for (remotely exploitable) trouble.
As to whether it's a good idea to automatically give focus to a window that was explicitly requested by the user, I guess it's debatable. I personally think it's dangerous, especially when your machine is slow because you can open a terminal, not seeing it come up for several seconds (I've seen minutes for a machine swapping heavily) and then go back to another terminal. When the terminal you tried opening shows up, it'll get whatever text you were typing at the moment. Technically, that part wouldn't be a security issue because the worst you can do is deleting your home directory ("rm -rf" ending up in the wrong terminal window) but nodoby can remotely get you to do that. BTW, I tried: gconftool-2 --set /apps/metacity/general/focus_new_windows --type string strict as suggested by another user and it didn't change anything. Any new window I open still grabs the focus. -- New windows stealing focus -- and passwords? https://launchpad.net/bugs/54741 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs