I don't necessarily disagree, but there is a reason why it is this way. 
Consider:

On Wed, Jul 8, 2026 at 1:32 PM, Daniel P. Berrangé wrote:
> -- 
> |: https://berrange.com ~~  https://hachyderm.io/@berrange :|
> |: https://libvirt.org ~~  https://entangle-photo.org :|
> |: https://pixelfed.art/berrange ~~  https://fstop138.berrange.com :|
> 
> -- 
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://forge.fedoraproject.org/infra/tickets/issues/new

Yes, I just quoted only the footer of your mail. Look at all those hyperlinks. 
What happens when you click on the link? Assuming your email client is running 
under Flatpak, then currently it opens in a web browser. But if we change the 
OpenURI portal to display UI, then you'll instead see a dialog prompting you to 
select an application in which to open the link. And now the user is likely 
pretty annoyed, because users like to click on links. Lots and lots of links. 
Who doesn't? So we have to consider the trade-off between quality user 
experience vs. risk of messing up by installing a risky desktop file.

Of course there are possible middle ground solutions. We could choose to 
allowlist http:// and https:// URLs, and possibly even mailto: and tel:, on the 
assumption that these are very likely safe. But confusingly, the OpenURI portal 
handles not just URLs, but also files. Any desktop file that can handle MIME 
types is implicated. So download an image in your web browser and click on it: 
do you want it to open in your image viewer (probably?) or do you want to see 
some sort of security prompt?

Sebastien's argument that this is unsafe even with Flatpak out of the picture 
seems pretty persuasive.
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to