On Mon, 2006-04-03 at 12:57 -0500, Travis Watkins wrote: > On 4/3/06, Benedikt Meurer <[EMAIL PROTECTED]> wrote: > > Shouldn't be a problem. The editor will automatically sign the file when > > saving, and there could also be a simple CLI frontend (probably as part > > of desktop-file-utils, for people who want to edit .desktop files with a > > generic text editor), which can be used to sign .desktop files with the > > users (autogenerated) key. > > So now all $EVIL_APP has to do is run that command line util and it's > good to go. Of course, in this case we're trying to stop $EVIL_APP > from getting installed from just a .desktop file so I guess it's > better than what we have now.
But what if $EVIL_APP is just a shar file that is already +x, and creates a .desktkop which signs itself, and then lets the user click that to run EVIL_ME_HARDER=1 $EVIL_APP or whatever? It doesn't /really/ solve the problem. It just makes it a little more work to deal with. We should concentrate on what the real issues are, and how people really need to use .desktop files for valid installs, and fix the spec so that it only allows the valid cases to work. We shouldn't keep piling workaround upon workaround on top of the problem, until it just becomes so much work to actually create a valid .desktop file, that nobody will bother doing it anyway. -- dobey _______________________________________________ xdg mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/xdg
