[RFC] Security and Features in KPDF

Gary L. Greene Jr. greeneg at arklinux.org
Mon Jan 3 05:00:23 GMT 2005 

On Sunday 02 January 2005 11:30 pm, George Staikos wrote:
> On Sunday 02 January 2005 20:44, Tobias Koenig wrote:
> > > > This is really a save solution. When the user still clicks on 'Ok'
> > > > and the virus/wurm is executed... well, that's the users problem. But
> > > > that's the same case as when the user clicks on an unknown email
> > > > attachment. Do we forbid email attachments for this reason?
> > >
> > >    This is not always so safe, because not all users understand the
> > > implications of a 1 character difference between two command lines, one
> > > being safe, the other being devastating.
> >
> > And what's the different to a script that the user downloads from
> > www.coolnewgames.com and executes it because its name is install.sh?
> >
> > We can't prevent the stupidity of some users, but we shouldn't impair
> > other users by refusing features just because some single users have to
> > click on every button that comes under their mouse...
>
>   The biggest difference is that people aren't accustomed to not being able
> to trust a PDF that their application already warns about this way.  They
> know if you download an unsigned executable and run it, you risk getting a
> virus or other such problem.  I know that I wouldn't be concerned about
> myself running commands in PDFs (I know enough to just say no all the time
> due to the various risks), but I am concerned for others in general.

Interesting argument there, but does this mean that we should also drop 
support for kparts in koffice and kjsembed from KDE? You could use the same 
core technologies to KDE to cause a security risk using a well crafted kword 
document. I agree with Tobias about this feature. Its a useful feature. If 
folks don't want it in KPDF, make this a compile time option and be done with 
it, especially since KDE distributes sources last I checked.

-- 
Gary L. Greene, Jr.
Sent from uriel
 23:45:52 up 11:40,  6 users,  load average: 0.00, 0.03, 0.06
 
============================================================
Developer and Project Lead for the Ark Linux Project
 check out http://www.arklinux.org/ for more info.
 Also http://www.csis.gvsu.edu/~greeneg/
EMAIL : greeneg at arklinux.com
============================================================
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20050103/f1858375/attachment.sig>

More information about the kde-core-devel mailing list