.desktop files, serious security hole, virus-friendliness

Thiago Macieira thiago at kde.org
Mon Apr 3 20:03:32 EEST 2006


Benedikt Meurer wrote:
>I'd propose to optionally include a digital signature for the Exec field
>(i.e. add an ExecSignature field to the spec) and let the file manager
>ask the user whether he/she trusts the signee or popup a warning if no
>signature is present. Distributions should then ship with a good default
>set of trusted certificates (i.e. for Gnome, KDE, Xfce, etc.), so users
>shouldn't see the warning unless they're trying to execute a
>virus.desktop or a .desktop file whose signee is not yet in the trustdb.

[I'm not trying to shoot your idea down; I'm just raising some discussion 
points]

How would this work for user-created files? Should the desktop 
automatically sign the files? Should we require each and every user to 
have a GPG key?

-- 
Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
  thiago.macieira (AT) trolltech.com     Trolltech AS
    GPG: 0x6EF45358                   |  Sandakerveien 116,
    E067 918B B660 DBD1 105C          |  NO-0402
    966C 33F5 F005 6EF4 5358          |  Oslo, Norway
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/xdg/attachments/20060403/2c5f6fb1/attachment.pgp 


More information about the xdg mailing list