executable .desktop files
Thiago Macieira
thiago at kde.org
Thu Aug 21 23:48:04 PDT 2008

Egon Kocjan wrote:
>Thiago Macieira wrote:
>> Egon Kocjan wrote:
>>> Sure. If I'm not mistaken, there's no other solution, that gives you
>>> instant double-clickable executables on standard gnome/kde/xfce
>>> desktops.
>>
>> That's intentional.
>>
>> Users should have to turn something into executable before it's
>> allowed to continue.
>>
>> Self-packed .desktop files are a security risk (raised more than two
>> years ago) and should be fixed. Especially since .desktop can change
>> its own icon and masquerade as an innocuous JPEG file, for instance.
>
>What is the right way to ship instant software to non-technical users
>then? All I can think of are similarly exploitable ways (putting +x
>binaries into zips - the user didn't make them executable himself).

Right, but users extracted the contents explicitly. And unzip applications
can also warn that executables are being created, if necessary. The point
is that there are two actions to be taken in order to execute something,
thereby making an accidental click much harder to happen.

So, the solution for instant software is the same: find a two-step action
(no one-click solutions) and that would be fine. This also includes
making sure there's an interpreter already installed in the system: then
you can make use of a .desktop or a MIME type to load with a single click
(the first step was installing the interpreter).
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
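
An added example, not part of the original message or of any desktop environment's code: a Python audit that applies the two-step rule discussed above to a .desktop file, reporting a launcher that lacks the executable bit and one whose icon or name presents it as a document. The function names, the icon-prefix list and the extension list are assumptions made for this illustration, and the sample launcher is constructed.

```python
import os
import stat
import tempfile

# Heuristics assumed for this example: icon-name prefixes themes use for
# document MIME types, and extensions a user reads as "just data".
DOC_ICON_PREFIXES = ("image-", "text-", "audio-", "video-", "x-office-")
DOC_EXTENSIONS = (".jpg", ".jpeg", ".png", ".pdf", ".txt", ".odt")

def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entry, in_group = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def audit_launcher(path):
    """Return findings for one .desktop file; an empty list means none."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        entry = parse_desktop_entry(fh.read())
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return []  # not a launcher: clicking it runs nothing
    findings = []
    if not os.stat(path).st_mode & stat.S_IXUSR:
        findings.append("no-exec-bit")  # the explicit first step never happened
    if entry.get("Icon", "").lower().startswith(DOC_ICON_PREFIXES):
        findings.append("document-icon")
    names = (entry.get("Name", ""), os.path.splitext(os.path.basename(path))[0])
    if any(n.lower().endswith(DOC_EXTENSIONS) for n in names):
        findings.append("document-name")
    return findings

def demo():
    """Audit a constructed sample launcher written to a temporary directory."""
    sample = ("[Desktop Entry]\nType=Application\nName=holiday.jpg\n"
              "Icon=image-jpeg\nExec=sh -c 'echo constructed sample'\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "holiday.jpg.desktop")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        return audit_launcher(path)

if __name__ == "__main__":
    print(demo())
```

A file manager or download handler could run a check like this before offering to launch a file, declining when `no-exec-bit` is present and warning on the other two findings.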