file selector abstraction (GUI) (libfileselector.so)
Mark Seaborn
mrs at mythic-beasts.com
Tue Dec 16 11:12:10 PST 2008
Carsten Haitzler (The Rasterman) <raster at rasterman.com> wrote:
> absolutely. also a separate process means that apps cant modify the
> file selector like add other custom widgets (eg like gimp does with
> image previews) or other things packed into the selector created
> using their toolkit. you're on an uphill battle here :)
Using a separate process doesn't make it impossible, just harder. You
can use inter-X-client widget embedding.
When using a powerbox (a trusted-path file chooser), there's a
question of whether it's possible to do image previews securely. The
application is not supposed to be granted access to the file until the
user clicks Open/OK. I believe it is possible to do this securely if
the application-provided previewer is run in a confined process [1],
so that the previewer process does not have access to any channels
that would allow it to leak the information back to the application or
anyone else.
I would also argue that preview widgets should not be application
specific. A previewer should be registered to work across all
applications. For example, you should get previews when choosing a
file to attach to an e-mail, but the e-mail application should not
have to implement the previewers.
Cheers,
Mark
[1] Using "confined" in the same sense as "A Note on the Confinement Problem",
http://www.cs.cornell.edu/andru/cs711/2003fa/reading/lampson73note.pdf
More information about the xdg
mailing list