executable .desktop files

Damjan Jovanovic damjan.jov at gmail.com
Thu Aug 21 23:40:02 PDT 2008


On Fri, Aug 22, 2008 at 1:39 AM, Egon Kocjan <egon at krul.ath.cx> wrote:
> Thiago Macieira wrote:
>> Egon Kocjan wrote:
>>> Sure. If I'm not mistaken, there's no other solution, that gives you
>>> instant double-clickable executables on standard gnome/kde/xfce
>>> desktops.
>>
>> That's intentional.
>>
>> Users should have to turn something into executable before it's allowed to
>> continue.
>>
>> Self-packed .desktop files are a security risk (raised more than two years
>> ago) and should be fixed. Especially since .desktop can change its own
>> icon and masquerade as an innocuous JPEG file, for instance.
>
> What is the right way to ship instant software to non-technical users
> then? All I can think of are similarly exploitable ways (putting +x
> binaries into zips - the user didn't make them executable himself).

There is no formal, well established, distribution-neutral way to ship
instant software to non-technical users. But there are a few
possibilities.

Java web start does it by associating the jaws binary with the .jnlp
file type. Clicking the link gets the web browser to open that file
type using jaws, which runs the application in a secure sandbox, or if
needed, asks the user for permission to run it unrestricted.

Autopackage does something similar for .package files and they did
some research/work on executable .desktop files, it might be worth
looking into.

> _______________________________________________
> xdg mailing list
> xdg at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/xdg
>

Damjan


More information about the xdg mailing list