.desktop files, serious security hole, virus-friendliness

Rodney Dawes dobey at novell.com
Mon Apr 3 20:35:51 EEST 2006

On Mon, 2006-04-03 at 19:26 +0200, Benedikt Meurer wrote:
> Rodney Dawes wrote:
> > Shoulud it be GPG? What about S/MIME?
> It doesn't need to be GPG.

This was more a question for Thiago than you. Your original mail didn't
specify the signature format, just that there should be one. :)

> > Do we really need a signature and
> > yet another dialog to pop up and annoy the user? Shouldn't we only pop
> > up things like this when we /know/ there is an issue?
> The user shouldn't see the dialog usually. Only if the system is unable
> to verify the signature, which should only happen in case of a bogus
> desktop file (i.e. a virus), as systems should ship with a sane
> trustdb. Of course, this will take time to implement for all desktop
> environments, but in the end should be more secure than testing the x bit.

Well, for example, I create a lot of .desktop files which link to
sftp:// and other such things, rather than mounting the remote sites,
so I can easily view those directories in my file manager, without
having to keep a connection open when I don't need them. I also create
.desktop files to launch various games on my system, which don't come
with .desktop files, such as Neverwinter Nights.

> Just an idea, tho...

Of course, just bringing up issues with it. :)

-- dobey

More information about the xdg mailing list