I just noticed, somewhat to my suprise, that this proposal is not in policy despite being fully implemented in debian now. Maybe it's because of Ian's reply. Ian writes: > This is a bad idea because it will be very annoying if the URL is > unfetchable - all the browsers will be launched in sequence. In practice BROWSER is set to a list two of browsers (mozilla:w3m) if someone wants to use one browser while in X, and another browser otherwise. In that fairly ususal case, you're used to the first, X-enabled browser failing part of the time, when there is no DISPLAY. If the url is bad, they both fail, which seems not too suprising. If someone sets BROWSER to something like w3m:lynx:links:wget then the first question is what on earth do they hope to achieve by doing this? Fall back to lynx is w3m cannot link today? It really doesn't make much sense. Again, when every command in the sequence fails, it's only doing what they requested, nonsensical as that was. > How about we define an exit status which the command is required to > give if it is not suitable for use at the moment ? <sysexits.h> isn't > particularly helpful, but we could pick one of those. I would be happy to see this as a separate proposal, but someone else will need to make it. [ On the %s substitution stuff. ] > I think this is a very bad idea. What if the URL maliciously contains > shell metacharacters ? (I know they're not _supposed_ to.) The code in Debian already (see the sensible-browser program) does not let BROWSER touch a shell. If BROWSER contains a %s then the command is all parsed into words, substituted, and the browser execed. Just as Ian goes on to suggest we do, except we keep the %s available as the upstream BROWSER environment variable spec calls for, with no additional security issue. I think there was already a thread about this. The only possible security problem comes if some badly behaved program does this: system("sensible-browser '<url>'"); Such programs are broken, but it's breakage outside the scope of this proposal. I'd be happy to see someone make a proposal that programs not pass any kind of tainted data through the shell, ever, but someone else will need to work on that. :-) Every program I have converted to comply with the browser policy calls sensible-browser safely, using exec, or parses BROWSER on its own and runs the browser itself safely, using exec. The rest of Ian's mail suggests wording tweaks that I agree with. Here is a followup proposal that includes calling "sensible-www-browser" by its real name, "sensible-browser". I've included change bars. I am looking for seconds, again. Web browsers ------------ Some programs have the ability to launch a web browser to display an URL. Since there are lots of different web browsers available in the Debian distribution, the system administrator and each user should have the possibility to choose a preferred web browser. In addition, programs should choose a good default web browser if none is selected by the user or system administrator. Thus, every program that launches a web browser with an URL must use the BROWSER environment variable to determine what browser the user wishes to use. The value of BROWSER may consist of a colon-separated series of browser command parts. These should be tried in order until one succeeds. Each command part may optionally contain the string "%s"; if it does, the URL to be viewed is substituted there. If a command part does not contain %s, the browser is to be launched as if the URL had been supplied as its first argument. The string %% must be substituted as a single % <footnote> This browser variable was proposed by Eric Raymond at http://www.tuxedo.org/~esr/BROWSER/ </footnote> If the BROWSER environment variable is not set, the program should use | /usr/bin/x-www-browser if DISPLAY is set, and /usr/bin/www-browser if not. These two files are managed through the dpkg alternatives mechanism. Thus every package providing a general-purpose web browser must call the update-alternatives program to register the appopriate one of these alternatives. | Instead of implementing the above in every program that runs a web browser, | programs in Debian may be configured to use /usr/bin/sensible-browser . | This is a program provided by the Debian base system that checks the BROWSER environment variable, and falls back to /usr/bin/x-www-browser or /usr/bin/www-browser if it is not set. -- see shy jo
Attachment:
pgpcKknDElS3H.pgp
Description: PGP signature