[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Automatic downloading of non-free software by stuff in main

I hilariously discovered this last night as well (playing with IMA), and removing the creation of that attr would be a huge step back.

Restricting the execution of files one downloads or disabling macros on word documents you download and open would be a huge security win.

These attributes are destroyed by merely coping the file, and are on the filesystem, not the file. It's not like sending a file via email leaks where I downloaded it from.

For most users, this attribute, if we start actually using it, would massively protect, not hurt their security.

Paul



On Dec 7, 2017 8:09 AM, "Holger Levsen" <holger@layer-acht.org> wrote:
On Thu, Dec 07, 2017 at 05:58:31PM +0500, Andrey Rahmatullin wrote:
> On Thu, Dec 07, 2017 at 12:50:06PM +0000, Holger Levsen wrote:
> > > > Ah, damnit.  It supports *some* xattrs (like the security namespace),
> > > > but apparently not *user* xattrs.
> > > Good.  While xattrs have some uses, this is a hidden privacy hole most users
> > > aren't aware of
> >
> > could you be so kind to explain that hidden hole? that would maybe help
> > with more people being aware…
> When you download a file, its original location is saved and can be
> retrieved.

ah, so it's a privacy hole in certain tools, but not in xattr.

how about filing bugs for those issues then?


--
cheers,
        Holger
Reply to: