Security issue with .desktop files revisited

Mike Hearn mike at
Tue Mar 28 18:01:20 EEST 2006

Francois Gouget wrote:
> Well, in my proposal, only untrusted files need the untrusted EA bit 
> set. So backward compatibility is not broken.
Right, I'm just exploring ways to achieve that without requiring EAs.
> Surely, requiring that web browsers and email tools make all the files 
> they save executable cannot be good for security...
Only .desktop files, and right now +x on such a file is meaningless anyway.

> Which is kind of the opposite of its normal meaning which can be taken 
> to be 'I trust this file enough that I am willing to execute it'.
Yes, it's unintuitive to reverse the meaning like that, but it does have 
the advantage of not requiring EAs (which don't travel through standard 
tarballs, network filing systems) and not breaking backwards compatibility.

More information about the xdg mailing list