Em Ter, 2009-02-24 às 20:49 +0100, Emilio Pozuelo Monfort escreveu: > Daniel Ruoso wrote: > > Em Ter, 2009-02-24 às 19:35 +0100, Josselin Mouette escreveu: > >> Le mardi 24 février 2009 à 15:21 -0300, Daniel Ruoso a écrit : > >>> Last week, an old security issue in desktop environments went through a > >>> widely public discussion (including on slashdot)[1][2]. As I said, this > >>> issue is not new[3], but there seem to be no action on the upstream to > >>> fix it. > >> On the contrary, there is action upstream to fix it, and Nautilus 2.26 > >> will only launch “safe” .desktop files. > > and what are "safe" .desktop files? > See this mail and its followups: > http://mail.gnome.org/archives/desktop-devel-list/2009-February/msg00132.html
I'm glad to see that, it's a shame I haven't found that thread. So, for the record, *nautilus* is solving the .desktop files issue by: 1) Special casing files that are system-wide installed. 2) Requiring .desktop files to have the x bit set otherwise. I'm pretty happy with that solution (although I would prefer not having the "launch anyway"/"mark as trusted" box, but rather simply show the properties dialog for a non-executable-non-system-wide .desktop file (but I think that should go as an suggestion to upstream)). I also would suggest that as a migration plan only, where we do turn all .desktop files into executables in the future, so we have a consistent environment. Also, as "mark as trusted" is making the file executable, are you planning to add a shbang to it? daniel -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org