executable .desktop files
Thomas Leonard
talex5 at gmail.com
Mon Aug 25 08:27:15 PDT 2008
On Fri, 22 Aug 2008 01:39:22 +0200, Egon Kocjan wrote:
> Thiago Macieira wrote:
>> Egon Kocjan wrote:
>>> Sure. If I'm not mistaken, there's no other solution, that gives you
>>> instant double-clickable executables on standard gnome/kde/xfce
>>> desktops.
>>
>> That's intentional.
>>
>> Users should have to turn something into executable before it's allowed
>> to continue.
>>
>> Self-packed .desktop files are a security risk (raised more than two
>> years ago) and should be fixed. Especially since .desktop can change
>> its own icon and masquerade as an innocuous JPEG file, for instance.
>
> What is the right way to ship instant software to non-technical users
> then? All I can think of are similarly exploitable ways (putting +x
> binaries into zips - the user didn't make them executable himself).
Several things help:
1) Make 'install application' a different gesture from 'download file'
and 'follow web link', so users don't do it accidentally.
2) Provide a point of control for distributions to intercept the request
and offer a local package / warn about dodgy packages.
3) Check the digital signature on the package. Warn if the key isn't
trusted by the user or their distribution.
I had hoped distributions would be providing this by default by now, not
just as an optional extra:
http://0install.net/
What kind of software are you trying to distribute?
--
Dr Thomas Leonard http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1
More information about the xdg
mailing list