On 09/05/2013 10:10 PM, Ted Gould wrote:
> On Thu, 2013-09-05 at 19:19 +0200, David Barth wrote:
>> (sorry if this has been asked before, I couldn't see it in the archive)
>>
>> Is there a plan for click to install icon files into
>> ~/.local/share/icons (the same way it deals with .desktop files)?
>>
>> Or if it's not considered OK, what would be the recommended way for apps
>> to place and lookup icons contained in the click package installation dir?
>
> I don't think we have a good answer here. When Colin and I were comparing
> desktop hooks we even handled the application icon slightly differently. I
> handled it like a name, and didn't adjust it any, and he handled it like a
> file and added the path. His way doesn't allow for multiple sizes, and my way
> probably breaks common usage. I don't think we've properly closed that issue.
>
> I worry about installing icons in a common directory just because those icons
> would be loaded by another process. I think most applications would be better
> off just having their icons, themed or any other way, included in their click
> package and loading that into their application's icon search paths. They
> should be able to know the base package directory by looking at the current
> working directory on startup.
>
> Which brings up an interesting attack possibility. An application with a
> corrupted application icon that gets loaded directly by Unity. You wouldn't
> even need to have the app installed as browsing through the click scope would
> be enough. Most icon loaders should be pretty robust by now...
>
Yes, this is something I considered. For now I think we just have to treat that
as a security vulnerability in Unity/the underlying libraries like we do now.
Ultimately, I think we should probably handle it like gettext and the
infographic -- icon loading is handled in a separate process with an apparmor
profile and ideally seccomp.

Do you know otoh what I should file this wishlist bug against?

--
Jamie Strandboge
http://www.ubuntu.com/
--
Mailing list: https://launchpad.net/~ubuntu-appstore-developers
Post to     : ubuntu-appstore-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers
More help   : https://help.launchpad.net/ListHelp