.desktop files, serious security hole, virus-friendliness

Joe Baker joebaker at dcresearch.com
Mon Apr 3 22:43:17 EEST 2006


FreeDesktop.org could create a spec that maintains a table of sha1sums
for valid .desktop files which have been installed by the operating
system or system administrators.  When the .desktop file is launched by
the user, if the sha1sum doesn't match any "blessed" .desktop entries
the user could be warned and the warning would include the display of
the exec line and offered the ability to "bless" the file for future
use.

This does somewhat allow for a new twist to the definition of the term
"Trusted Computing". 

I personally like the idea of also incorporating gnupg signatures into
the .desktop files.  A field for specifying where to retrieve the
signer's public key would also be useful.

-Joe Baker
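
The check proposed in the post above, as an added example that is not part of the original message or of any FreeDesktop.org spec: a launcher-side lookup of a .desktop file's SHA-1 in a table of blessed digests, which returns the Exec lines to display when the file is unknown. The function names, the in-memory table and both sample files are assumptions constructed for illustration.

```python
import hashlib

def digest(data: bytes) -> str:
    # SHA-1 because the post proposes sha1sums; the algorithm can be swapped here.
    return hashlib.sha1(data).hexdigest()

def exec_lines(data: bytes) -> list:
    """Collect every Exec= value, including those in action groups,
    so the warning shows all commands the file can run, not just the first."""
    found = []
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "Exec":  # keys are case-sensitive; spaces around '=' ignored
            found.append(value.strip())
    return found

def check_launch(data: bytes, blessed: set) -> dict:
    """Decide whether a file may launch silently or needs a warning."""
    d = digest(data)
    if d in blessed:
        return {"trusted": True, "digest": d, "exec": []}
    return {"trusted": False, "digest": d, "exec": exec_lines(data)}

def bless(data: bytes, blessed: set) -> None:
    """Record the user's or administrator's approval of this exact file content."""
    blessed.add(digest(data))

# Constructed sample files (not taken from the original post).
INSTALLED = b"[Desktop Entry]\nType=Application\nName=Editor\nExec=gedit %U\n"
DOWNLOADED = (b"[Desktop Entry]\nType=Application\nName=Notes\n"
              b"Exec=sh -c \"echo constructed sample\"\nActions=Alt;\n\n"
              b"[Desktop Action Alt]\nName=Alt\nExec = xterm\n")

if __name__ == "__main__":
    table = set()
    bless(INSTALLED, table)  # stands in for entries recorded at install time
    for name, blob in (("installed", INSTALLED), ("downloaded", DOWNLOADED)):
        result = check_launch(blob, table)
        if result["trusted"]:
            print(f"{name}: blessed ({result['digest']})")
        else:
            print(f"{name}: NOT blessed, would run:")
            for cmd in result["exec"]:
                print(f"    {cmd}")
```

Because the digest covers the whole file, any edit to a blessed file, even a comment line, makes it unknown again and brings the warning back.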


