Free desktop application distribution and installation

Matthias Klumpp matthias at
Mon Dec 8 16:12:59 PST 2014

2014-12-09 0:59 GMT+01:00 Mattias Andrée <maandree at>:
> On Tue, 9 Dec 2014 00:38:30 +0100
> Matthias Klumpp <matthias at> wrote:
>> This actually has some security implications, e.g. a
>> malicious software can taint the other applications and
>> use them to hide itself.
> Provided that we are talking about applications:

> * Unless you require root they can always do this.

Software installation requires administrative privileges.

> * They can always taint ~/.local, and personally I
>   have ~/.local/bin in my $PATH.
> * If you require root they can set setuid, and
>   taint everything.

If the binaries and libraries live in a non-writeable directory, the
only thing bad software running with user privileges can do is place
a .desktop file which overrides the system-provided one (still bad).
It cannot modify the binary itself though, or libraries it uses.

>> once kdbus is merged into the kernel (and
>> large chunks of data can be transmitted via it), we get
>> something which is able to perform these tasks.
> Would you mind clarifying what you are talking about?

I highly recommend watching this video of a talk by Lennart Poettering:
The slides exist on the net as well.


Debian Developer | Freedesktop-Developer
I welcome VSRE emails. See
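
Added example, not part of the original message: a check for the one override the reply above says remains possible with user privileges, a per-user .desktop file that shadows a system-provided entry with the same desktop file ID. It assumes the standard XDG locations ($XDG_DATA_HOME and $XDG_DATA_DIRS with their usual defaults); the function names are made up for this example.

```python
import os
from pathlib import Path

def exec_line(path):
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    group = None
    for raw in Path(path).read_text(encoding="utf-8", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Desktop Entry" and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            if key.strip() == "Exec":
                return value.strip()
    return None

def desktop_ids(app_dir):
    """Map desktop file ID -> path; subdirectory separators become '-'."""
    app_dir = Path(app_dir)
    if not app_dir.is_dir():
        return {}
    return {str(p.relative_to(app_dir)).replace(os.sep, "-"): p
            for p in sorted(app_dir.rglob("*.desktop"))}

def find_overrides(user_dir, system_dirs):
    """List user entries that shadow a system entry with the same ID."""
    system = {}
    for d in system_dirs:                      # earlier dirs take precedence
        for did, p in desktop_ids(d).items():
            system.setdefault(did, p)
    findings = []
    for did, upath in desktop_ids(user_dir).items():
        if did in system:
            u, s = exec_line(upath), exec_line(system[did])
            findings.append({"id": did, "user": str(upath), "system": str(system[did]),
                             "user_exec": u, "system_exec": s, "exec_changed": u != s})
    return findings

def default_dirs():
    """XDG defaults: user data home first, then the system data dirs."""
    home = os.environ.get("XDG_DATA_HOME") or os.path.expanduser("~/.local/share")
    dirs = os.environ.get("XDG_DATA_DIRS") or "/usr/local/share:/usr/share"
    return Path(home) / "applications", [Path(d) / "applications" for d in dirs.split(":") if d]

if __name__ == "__main__":
    user_dir, system_dirs = default_dirs()
    for f in find_overrides(user_dir, system_dirs):
        flag = "EXEC CHANGED" if f["exec_changed"] else "same Exec"
        print(f'{f["id"]}: {f["user"]} shadows {f["system"]} [{flag}]')
        print(f'    user:   {f["user_exec"]}\n    system: {f["system_exec"]}')
```

An entry flagged EXEC CHANGED is not necessarily hostile (users legitimately customise launchers), but it is the place to look when a menu item starts something other than the packaged binary.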

More information about the xdg mailing list