On 7/7/26 8:46 AM, Neal Gompa wrote:
On Tue, Jul 7, 2026 at 8:36 AM Sebastian Wick <[email protected]> wrote:
....
They argue that this can't be an issue on their side because this
behavior was introduced in 2004. The behavior was never a good idea
(see man 1 xdg-mime above). The handler that wine ships also bypasses
the executable bit. If you download an ELF or sh file in your browser
and open it, it will not run. If you download an exe, it will.
Fedora has a responsibility to keep their users secure. We have to
patch the desktop file in wine to remove the MIME handler.
I don't entirely agree with this assessment. Fixing the handler so
that it doesn't execute it if it's not marked executable would largely
mitigate this problem too. But yes, I also agree with the Wine folks
that users expect double-clicking to work, so that behavior needs to
remain in effect.
Users expecting double clicking to work is the main cause of malware
problem in Windows, where the originator of the file is who decides what
is executable or not by naming the file with an specific extension.
If Wine authors do not want to solve the problem upstream, not only the
Fedora provided Wine should be fixed downstream by not registering the
handler, I go a little far that that. Disallow a default handler for
Wine related mime types to avoid compromising the system for people that
install the upstream RPMs, make the users choose the handler every time
and add a non GUI option to disable that at their own expense.
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://forge.fedoraproject.org/infra/tickets/issues/new