>From the WIP qvm-file-trust man page [1]:
A file is considered trusted unless:
1. It sits under an untrusted folder's path
2. It has a 'user.qubes.untrusted' extended file attribute
3. It sits in a file path that has the phrase 'untrusted' in it.
This phrase can be configured in /etc/qubes/always-open-in-dispvm.phrase
A '-' character can be placed in front of a path in the local list
to override a path listed in the local list.
I think the 2nd "local" is meant to be "global", but regardless... I
interpreted this as meaning the following cfg:
~/papers/
-~/papers/ITL/
would result in ~/papers/ieee-foo.pdf being *un*trusted and
papers/ITL/qubes-bar.pdf being *trusted*.
In the current implementation this is not the case, but rather
`-~/foo` only negates `~/foo` iff exactly foo had been previously
specified.
This means
~/Documents/crap
-~/Documents
would render all ~/Documents untrusted, rather than the current
~/Documents/crap remaining trusted because the exact path had not been
negated.
This may well be what was intended all along, but it is not what I
understood was the goal from the initial design discussions.
I believe the original description of negation in trusted paths config was [2].
Thoughts?
[1]:
https://github.com/anoadragon453/qubes-mime-types/blob/9a2bd289e9924e2d7902acac1693d33dab0cfae6/doc/qvm-file-trust.rst#L20-L30
[2]: https://groups.google.com/d/msg/qubes-devel/HNdUjs35-qA/e9Z0k6uABAAJ
--
You received this message because you are subscribed to the Google Groups
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/CABQWM_C8mU1yS7AUZ0f%3D8nFbasst4Eh35Aarnu9-s_jcCuiOvA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
