executable .desktop files

Thomas Leonard talex5 at gmail.com
Mon Aug 25 08:27:15 PDT 2008


On Fri, 22 Aug 2008 01:39:22 +0200, Egon Kocjan wrote:

> Thiago Macieira wrote:
>> Egon Kocjan wrote:
>>> Sure. If I'm not mistaken, there's no other solution that gives you
>>> instant double-clickable executables on standard gnome/kde/xfce
>>> desktops.
>> 
>> That's intentional.
>> 
>> Users should have to turn something into executable before it's allowed
>> to continue.
>> 
>> Self-packed .desktop files are a security risk (raised more than two
>> years ago) and should be fixed. Especially since .desktop can change
>> its own icon and masquerade as an innocuous JPEG file, for instance.
> 
> What is the right way to ship instant software to non-technical users
> then? All I can think of are similarly exploitable ways (putting +x
> binaries into zips - the user didn't make them executable himself).

Several things help:

1) Make 'install application' a different gesture from 'download file' 
and 'follow web link', so users don't do it accidentally.

2) Provide a point of control for distributions to intercept the request 
and offer a local package / warn about dodgy packages.

3) Check the digital signature on the package. Warn if the key isn't 
trusted by the user or their distribution.

I had hoped distributions would be providing this by default by now, not 
just as an optional extra:

  http://0install.net/

What kind of software are you trying to distribute?


-- 
Dr Thomas Leonard		http://rox.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
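
The executable-bit gate and the icon masquerade discussed in the quoted text above, sketched as a launcher-side check. This is an added example, not part of the original message or of any desktop's code; the function name `audit_desktop_file`, the icon-prefix and extension heuristics, and the sample file are assumptions constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Heuristics chosen for this example (assumptions, not part of any spec).
DOC_ICON_PREFIXES = ("image-", "text-", "audio-", "video-", "x-office-")
DOC_EXTENSIONS = (".jpg", ".jpeg", ".png", ".pdf", ".txt", ".odt")

# Constructed sample: a launcher dressed up as a JPEG.
SAMPLE = """[Desktop Entry]
Type=Application
Name=holiday.jpg
Icon=image-jpeg
Exec=/bin/true %f
"""

def audit_desktop_file(path):
    """Return findings for one .desktop file; an empty list means nothing flagged."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Desktop Entry keys are case-sensitive
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except configparser.Error:
        return ["unparseable: refuse to launch"]
    if not parser.has_section("Desktop Entry"):
        return ["no [Desktop Entry] group: refuse to launch"]
    entry = parser["Desktop Entry"]
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return []  # not a program launcher, nothing to gate
    findings = []
    # The gate described in the thread: the user must have set +x first.
    if not os.stat(path).st_mode & stat.S_IXUSR:
        findings.append("launcher lacks executable bit")
    icon = os.path.basename(entry.get("Icon", "")).lower()
    if icon.startswith(DOC_ICON_PREFIXES):
        findings.append("icon imitates a document type: " + icon)
    if entry.get("Name", "").lower().endswith(DOC_EXTENSIONS):
        findings.append("display name ends in a document extension")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "holiday.desktop")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(target, 0o644)  # as it would arrive from a download
        print(audit_desktop_file(target))
```

Setting the executable bit clears only the first finding; the two masquerade findings remain, so a file manager could still show the real type or warn before launching.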


