Security issue with .desktop files revisited
dobey at novell.com
Tue Apr 11 20:30:59 EEST 2006
On Tue, 2006-04-11 at 19:07 +0200, Benedikt Meurer wrote:
> Rodney Dawes wrote:
> > Better yet, let's not encourage people to turn .desktop files into
> > scripts. As has been expressed MANY times in this thread, requiring +x
> > and a special tool that doesn't evaluate Exec any differently than we
> > are currently evaluating Exec, doesn't solve the problem. It is very
> > easy to ship a .desktop file to someone that is already +x.
> > We need to fix the evaluation semantics of Exec, not write a bunch of
> > easily-avoidable workarounds.
> That's of course the preferable solution... but if people insist upon
> making .desktop files executable, it should at least be done in a cross
> platform way.
People insisting it should be done doesn't mean it should be done. This
is why MS Word has a billion features that nobody knows how to use, and
just as many bugs that have gone unfixed over the years. Customers have
consistently requested features that they think will solve their
problems, and as MS did not know what the actual problems were, the
problems have gone unsolved. Blindly adding features that people insist
on having will only make the system less usable, and a pain in the ass
to maintain. Making .desktop files executable and requiring them to be,
WILL NOT SOLVE THE PROBLEM. Let's fix the problem, not implement a half-
assed workaround because people keep insisting it is a solution.