.desktop files, serious security hole, virus-friendliness
Thiago Macieira
thiago at kde.org
Mon Apr 3 20:03:32 EEST 2006
Benedikt Meurer wrote:
>I'd propose to optionally include a digital signature for the Exec field
>(i.e. add an ExecSignature field to the spec) and let the file manager
>ask the user whether he/she trusts the signee or popup a warning if no
>signature is present. Distributions should then ship with a good default
>set of trusted certificates (i.e. for Gnome, KDE, Xfce, etc.), so users
>shouldn't see the warning unless they're trying to execute a
>virus.desktop or a .desktop file whose signee is not yet in the trustdb.
[I'm not trying to shoot your idea down; I'm just raising some discussion
points]
How would this work for user-created files? Should the desktop
automatically sign the files? Should we require each and every user to
have a GPG key?
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
thiago.macieira (AT) trolltech.com Trolltech AS
GPG: 0x6EF45358 | Sandakerveien 116,
E067 918B B660 DBD1 105C | NO-0402
966C 33F5 F005 6EF4 5358 | Oslo, Norway
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/xdg/attachments/20060403/2c5f6fb1/attachment.pgp
More information about the xdg
mailing list