On Tue, 24 Feb 09 17:36, Daniel Ruoso wrote: > Em Ter, 2009-02-24 às 20:49 +0100, Emilio Pozuelo Monfort escreveu: > > Daniel Ruoso wrote: > > > Em Ter, 2009-02-24 às 19:35 +0100, Josselin Mouette escreveu: > > >> Le mardi 24 février 2009 à 15:21 -0300, Daniel Ruoso a écrit : > > >>> Last week, an old security issue in desktop environments went through a > > >>> widely public discussion (including on slashdot)[1][2]. As I said, this > > >>> issue is not new[3], but there seem to be no action on the upstream to > > >>> fix it. > > >> On the contrary, there is action upstream to fix it, and Nautilus 2.26 > > >> will only launch “safe” .desktop files. > > > and what are "safe" .desktop files? > > See this mail and its followups: > > http://mail.gnome.org/archives/desktop-devel-list/2009-February/msg00132.html > > I'm glad to see that, it's a shame I haven't found that thread. So, for > the record, *nautilus* is solving the .desktop files issue by: > > 1) Special casing files that are system-wide installed. > 2) Requiring .desktop files to have the x bit set otherwise. > > I'm pretty happy with that solution (although I would prefer not having > the "launch anyway"/"mark as trusted" box, but rather simply show the > properties dialog for a non-executable-non-system-wide .desktop file > (but I think that should go as an suggestion to upstream)).
FWIW the same has been implemented in KDE. There are some recent threads in kde-core-devel if you are interested in further information. Greetings, Armin -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
