executable .desktop files

Thiago Macieira thiago at kde.org
Thu Aug 21 23:48:04 PDT 2008

Egon Kocjan wrote:
>Thiago Macieira wrote:
>> Egon Kocjan wrote:
>>> Sure. If I'm not mistaken, there's no other solution, that gives you
>>> instant double-clickable executables on standard gnome/kde/xfce
>>> desktops.
>> That's intentional.
>> Users should have to turn something into executable before it's
>> allowed to continue.
>> Self-packed .desktop files are a security risk (raised more than two
>> years ago) and should be fixed. Especially since .desktop can change
>> its own icon and masquerade as an innocuous JPEG file, for instance.
>What is the right way to ship instant software to non-technical users
>then? All I can think of are similarly exploitable ways (putting +x
>binaries into zips - the user didn't make them executable himself).

Right, but users extracted the contents explicitly. And unzip applications 
can also warn that executables are being created, if necessary. The point 
is that there are two actions to be taken in order to execute something, 
thereby making an accidental click much harder to happen.

So, the solution for instant software is the same: find a two-step action 
(no one-click solutions) and that would be fine. This also includes 
making sure there's an interpreter already installed in the system: then 
you can make use of a .desktop or a MIME type to load with a single click 
(the first step was installing the interpreter).

  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freedesktop.org/archives/xdg/attachments/20080822/e2ae1a1d/attachment.pgp 

More information about the xdg mailing list