On Wed, Nov 29, 2006 at 06:48:30PM -0600, Brian Cameron wrote: > It sounds like a cool idea, but I always worry about code that > "automagically" runs code in the background without the user being > aware of what is goind on. Especially when desktop files can > be added to the system by installing random packages found on the > internet.
If you install a random package found on the Internet, IMO Bug-Buddy is the least of your worries. > Isn't it possible to install .desktop files in the user's $HOME > directory? If someone were to trick a user into installing a > .desktop file with a script that does something malicious, is there > anything to protect the user from the malicious thing happening the > next time the program corresponding to the desktop file crashes? Bug-Buddy especially ignores .desktop files in the $HOME directory. This wasn't actually done as a security issue, just that the system .desktop file usually is the only one to contain the special Bugzilla headers. > Since .desktop files can be shipped by 3rd parties, is there any > privacy issues about collecting information and forwarding it along > to a bug database. For example, core files might contain passwords, > so might not be appropriate to forward as an attachment to a public > database. Will there be any way for the end user to control what > sorts of data can be collected and forwarded with a bug report? You can see what is collected beforehand. > > Hi, after reading Feredico's mail[1] I added that feature to bug-buddy. > > > > Now if you add to your application .dektop file the field: > > X-GNOME-Bugzilla-ExtraInfoScript=myscript > > > > that script will be executed during bug-buddy info collecting and its > > output will be appended to the report. I fear this someone will dump loads of info using such a script. Please let's make an attachment out of that info. This would also make it far easier to hide just an attachment. -- Regards, Olav _______________________________________________ desktop-devel-list mailing list [email protected] http://mail.gnome.org/mailman/listinfo/desktop-devel-list
