Dan Winship wrote: > Alexander Larsson wrote: >> So, there has been a lot of attention on the internets recently about >> the the desktop file "virus" issue. >> >> I think its all pretty overblown, and any solution we have that doesn't >> completely neuter the feature will just involve users learning to work >> around the issue in cases where this is correct, and thus are likely to >> do this when they are targets of an actual attack. > > What is the attack? Get someone to download a .desktop file off a web > page? Is there any situation where that *should* work? > > I'd say, something like: if they double click on a non-"trusted" > .desktop file, give an error saying "The file %s looks like an > application launcher, but it is broken and cannot be opened." with a > "More Details" button that explains "For security reasons, launchers > that are not installed in system directories must have the executable > bit set". Do not provide a button to fix the problem or a link to > further help.
+1 from me. A prompt that easily lets the user continue through to "bad stuff" is like a speed bump before a cliff. [1] However one concern may be migration. ie: An admin has deployed some desktop files without the +x bit on users' desktops. If we all of a sudden break those then that's a regression. It may be good to deploy an interim "with fix" dialog for a couple GNOME releases before switching to the "don't do that" dialog. Cheers, Stef [1] Really need to fix gnome-keyring in this respect (blush). _______________________________________________ desktop-devel-list mailing list desktop-devel-list@gnome.org http://mail.gnome.org/mailman/listinfo/desktop-devel-list