file selector abstraction (GUI) (libfileselector.so)

Mark Seaborn mrs at mythic-beasts.com
Tue Dec 16 11:12:10 PST 2008


Carsten Haitzler (The Rasterman) <raster at rasterman.com> wrote:

> absolutely. also a separate process means that apps cant modify the
> file selector like add other custom widgets (eg like gimp does with
> image previews) or other things packed into the selector created
> using their toolkit. you're on an uphill battle here :)

Using a separate process doesn't make it impossible, just harder.  You
can use inter-X-client widget embedding.

When using a powerbox (a trusted-path file chooser), there's a
question of whether it's possible to do image previews securely.  The
application is not supposed to be granted access to the file until the
user clicks Open/OK.  I believe it is possible to do this securely if
the application-provided previewer is run in a confined process [1],
so that the previewer process does not have access to any channels
that would allow it to leak the information back to the application or
anyone else.

I would also argue that preview widgets should not be application
specific.  A previewer should be registered to work across all
applications.  For example, you should get previews when choosing a
file to attach to an e-mail, but the e-mail application should not
have to implement the previewers.

Cheers,
Mark

[1] Using "confined" in the same sense as "A Note on the Confinement Problem",
    http://www.cs.cornell.edu/andru/cs711/2003fa/reading/lampson73note.pdf


More information about the xdg mailing list