requiring .desktop files to be executable ?

Roland Harnau truthandprogress at googlemail.com
Thu Feb 26 17:17:06 GMT 2009 

2009/2/25, David Faure <faure at kde.org>:
> On Tuesday 24 February 2009, Roland Harnau wrote:
[...]
>> Setting the executable bit not by file type but by some internal criteria
>> leads some oddities especially in the migration phase, e.g. a .desktop
>> file without exec bit can be
>>
>> (1) not of Type=Application
>> (2) legacy with Type=Application
>> (3) possible harmful with Type=Application
>>
>> and it  is not easily possible to keep them apart, at  least not
>> without parsing and applying some complex logic in the lines of what
>> Michael did.
>
> Sure. So?
> "A file named foo.txt could contain text or something else and it's not
> easily possible to keep them apart without parsing it". Obviously.

You missed the point. This is not about validating a file format, in
this case an instance of the same file format can be executable or not
dependent on a bit pattern which can only be discovered by parsing the
file. As consequence an upgrade script cannot rely on on the .desktop
extension for chmod +x in  Desktop or  $HOME, it has to look for
Type=Application.

> There is no migration tool, users are supposed to make executable by hand
> the few desktop files that they use from $HOME or Desktop... Only they can
> tell if it's (1) (2) or (3), that's the whole point of the security measure.

Is he really able to make an informed decision? He doesn't know the
rationale for this security measure, he is only asked if he "trusts"
the application - for "old" desktop files, newly installed software
which installs its desktop files in Desktop, and the real security
threat, the downloaded virus. With so many false positives, isn't it
likely that he simply clicks through if he encounters the real threat?

>> Yes, but this usage is somewhat discouraged by the standard UI and
>> perhaps only an issue if folderview  is used as desktop containment.
>
> No, you can still have standalone icons too, e.g. by drag-n-dropping files
> onto the desktop.

I'm quite aware of this possibility, but it plays no critical role in
the workflow of the default Plasma desktop. Your example (nice icon
for a shell script) is not  really convincing since the usefulness is
strictly limited to developers and people who know one (the .desktop
file is handcrafted). Users of the "classical" desktop are a different
matter, for them executable desktop files are of utmost importance.


Roland

More information about the kde-core-devel mailing list