Trusted vs Untrusted MIME types

Christopher Aillon caillon at redhat.com
Mon Jul 9 09:05:45 PDT 2007


Rodney Dawes wrote:
> On Sun, 2007-07-08 at 22:38 -0400, Michael Richardson wrote:
>>     Rodney> What about trusted applications with security flaws, that
>>     Rodney> handle "trusted" types? A tar.gz might be considered "safe",
>>     Rodney> but could expose a security flaw in gzip.
>> 
>>   That's a bug.
>>   There are always bugs.
>> 
>>   A python script which can run "rm -rf /", is a feature.
>>   It will always do that.
> 
> Bug or not, the level of safety there must be determined by the user.
> One user's safe, is another user's ZOMG! No amount of software
> abstraction is going to change that.

Right.  Let's not waste time worrying about users who refuse to update 
their system.  They are already dead in the water.  There is not much we 
can do for them save recommend they enable SELinux or similar.  We need 
to assume the system is otherwise secure, and in this case we need to be 
able to determine that auto opening "foo/bar" is something that has the 
potential for being the thing that breaks the system.

> It just seems silly to me that we
> keep trying to write software to be smarter than the user, rather than
> just writing software that works for the users. While the majority of
> people on the planet don't know what a python script is, it still will
> be very annoying to have to click through an extra dialog every time I
> want to view a python file on web svn.

So then we can discuss adding site-wide whitelists or something like we 
can do for cookies, javascript, etc.  There are many ways to go about 
this if we have the information.
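An added example, not code from this thread or from any xdg project, sketching the per-site whitelist idea in a policy object: a type is auto-opened only if it is a viewer-only type or the user has allowed it for that site, executable-by-design types get the dialog otherwise, and a small set of types can never be auto-opened even via the allowlist. All type lists, the `origin` hostnames and the `Decision` names are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    AUTO_OPEN = "auto-open"  # hand straight to the registered handler
    ASK = "ask"              # show the "open / save" dialog first
    SAVE_ONLY = "save-only"  # never hand to a handler automatically


def normalize(mime: str) -> str:
    """Strip parameters (e.g. '; charset=utf-8') and lower-case the type."""
    return mime.split(";", 1)[0].strip().lower()


@dataclass
class OpenPolicy:
    # Types whose handlers only display content (handlers can still have bugs,
    # as the thread notes for gzip, but opening is not a "run commands" feature).
    trusted: set = field(default_factory=lambda: {
        "text/plain", "image/png", "image/jpeg", "application/pdf"})
    # Types that can never be auto-opened, not even via a per-site allowlist.
    never_auto: set = field(default_factory=lambda: {
        "application/x-executable", "application/x-ms-dos-executable"})
    # origin (hostname, assumed) -> types the user chose to auto-open from it.
    site_allow: dict = field(default_factory=dict)

    def allow_for_site(self, origin: str, mime: str) -> bool:
        """Record a per-site exception; refused for never_auto types."""
        mime = normalize(mime)
        if mime in self.never_auto:
            return False
        self.site_allow.setdefault(origin, set()).add(mime)
        return True

    def decide(self, origin: str, mime: str) -> Decision:
        mime = normalize(mime)
        if mime in self.never_auto:
            return Decision.SAVE_ONLY
        if mime in self.trusted or mime in self.site_allow.get(origin, set()):
            return Decision.AUTO_OPEN
        # Unknown or executable-by-design types (e.g. text/x-python) get the
        # dialog unless the user whitelisted them for this site.
        return Decision.ASK
```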
