Hello Micheal,

I have thought a bit about Genode chat clients, and I think the first
concern is to seperate the crypto that protects a conversation from the
GUI. If the critical code is isolated in a non-graphical component and
a graphical frontend can interact with this core using something like
a file system, then isolation of conversation GUIs should not be much
of a concern.

Running Nitpicker recursively is possible and practical in some cases,
but it may actually weaken isolation as in the recursive case you would
have multiple clients drawing to a common session, whereas in flat
Nitpicker each client enjoys equal privacy.

I don't want to discourage you though, a Qt chat client would be great.
I got as far as porting the Tox library and implementing a very simple
terminal interface, but I don't think I will have the chance to work on
a Qt frontend in the near future.

Cheers,
Emery

Hello Michael,
there are indeed two implementations of this idea:

1. There is a special Qt widget that allows you to embed any nitpicker
client into a Qt GUI. Both programs have a dedicated nitpicker
session. I.e. input entered into the "outer" program is not visible
to the "inner" program. This approach is sensible for sandboxing
untrusted parts of the application, e.g. a video codec, or the
part that is exposed to the network. The basic concept is described
in Section 4.7.1. "Sandboxing" in the manual [1]. You can find the
implementation of this widget at [2]. The example as described in
the book is located at [3]. For trying it out, please make sure to
use the current master branch (it contains a recent fix).

2. The first variant is nice for sandboxing the "inner" part but it
assumes that the "outer" part is trusted. In some situations, this
is not the case. E.g., it is actually unreasonable for a browser
plugin to trust an overly complex web browser. With Genode's loader
service, it is possible to execute the "inner" part independent from
the "outer" part. This idea is described in Section 4.7.4. "Ceding
the parenthood" in the book. The corresponding Qt5 widget is located
at [4]. The described plugin mechanism is implemented in our port
of the Arora web browser (ports/run/arora.run).

Please be aware that those examples are not in a very good shape because
we don't use them day to day. If you encounter any problems, don't
hesitate to post them here. :-)

[1] http://genode.org/documentation/genode-foundations-16-05.pdf
[2] libports/include/qt5/qnitpickerviewwidget/
[3] libports/src/app/qt5/qt_avplay/
[4] libports/include/qt5/qpluginwidget/

Cheers
Norman