"Name" key value in desk. entry spec collides with file names, could misguide users?

Mike Hearn mike at navi.cx
Sun Mar 20 21:25:17 EET 2005 

On Sun, 2005-03-20 at 18:55 +0100, Diego Calleja wrote:
> I must admit I hate compatibility when it stops us from doing things better.

I'm assuming you never actually wrote software that millions of people
depend on, after all it's easy to hate compatibility until you need it.

Then it's too late.

> Many people won't fall so easily on that one

Are you sure? I, again, see no evidence, just assertion.

> > Why? Because I don't believe requiring a magic flag to be set to run a
> > program makes things more secure, it just decreases usability. 
> 
> ...selinux actually makes this worse, by not allowing you to do anything - at all with what you
> downloaded. And if it does have a method to run it, it's not different than the +x solution,
> expect for being more complex and less portable to other systems.

Who says you can't do anything at all? I never said what a quarantined
program would be able to do, or even implied it. Perhaps a good set of
abilities would be:

a) Read/write to a special "quarantine zone", a directory under $HOME
b) Display windows on the X server (but not access others)
c) Load shared libraries

Note that establishing network connections is not in that list. Nor is
being able to delete users documents, or modify the system
configuration. 

You could argue that this just pushes the decision to a later time - if
the program asks for it, do you release it from quarantine or not? I
think it's certainly possible to present this decision in a way that any
users can comprehend. Before you tell me that users are clueless again
please, read on.

> Again, this is not a hypotetical situation. 
> This is what people has been observed to do
> for years in "other platforms". 

No, what we have observed is that it's extremely easy to impersonate
people on the internet and that generally, people are trusting of email
or files that appear to come from people they know. This has nothing to
do with how easy or hard it is to make your own hardware do what you
want. It has everything to do with how easy it is to gain somebodies
trust by spoofing communcations. Solving that requires we make it harder
to spoof emails, instant messages etc and easier to make correct
decisions in the presence of untrusted (but also potentially trusted)
code. 

Requiring the +x bit set on anything (not just .desktop files) does not
give the user any more information than they already had, so it will not
change the decision they make. It *will* increase their sense of
frustration and helplessness if they're unable to figure out how to do
what they want to do, but that achieves nothing except making people
trust computers even less than they already do.

> > b) Breaks existing software and specifications (this is BAD!)
> 
> I agree that it does, but I have never cared about breaking things when it means
> doing things better.

Do you want Linux to be a research OS that never leaves the lab? No?
Good. Me neither. 

Producing something that people actually *use* to get things done
requires stability. There are better APIs than POSIX out there. It
doesn't matter. The value stability brings outweighs the value a better
API would bring. It's a simple cost:benefit analysis, and in this case
the cost is high and the benefit is low to non-existant.

> > c) Gives people an impression of security which does not exist, so
> >    reducing incentives to work on real solutions
> 
> The set of population for which I propose this change (ie: more than 90% ) have no
> clue about what "security" means. This is not a real reason, it doesn't stops people
> other people from working on other things.

I think this idea of people not caring or knowing about security is
wrong. It doesn't apply in any other area of life: cars have
immobilisers, houses have burglar alarms and cards have PINs. Nobody
blames stupid users for card fraud, do they? This is a rather nasty
habit of IT workers alone.

Nobody suggests making it harder to buy things as a solution to card
fraud - instead better security systems like the European Chip+PIN
schemes are designed to replace signature checks. These aren't quick 5
minute fixes, in fact they're very expensive to implement. But they work
and solve the problem at its roots. 

Instead of writing off users as "clueless" and "idiots" as it's so
tempting to do, how about we provide them with the information they need
to make accurate decisions and strengthen security to make it less of a
winner-takes-all situation if they make the wrong one?

thanks -mike

More information about the xdg mailing list