[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Automatic downloading of non-free software by stuff in main

On Thu, 2017-12-07 at 19:25 +0100, gregor herrmann wrote:
> On Thu, 07 Dec 2017 08:16:47 -0500, Paul R. Tagliamonte wrote:
> > Restricting the execution of files one downloads or disabling
> > macros on
> > word documents you download and open would be a huge security win.
> I'm skeptical, at least if this leads to more of the
> well-known-and-much-despised "Do you really want to …?" popups where
> almost everyone just looks for the "Gee, yes, leave me alone, stupid
> computer!" button.

Ok. Here's a real vulnerability.

Chrome auto-downloads files, GNOME tracker would then automatically
index the downloaded file, and gstreamer has some decoders that
implement some 8 bit CPUs that could be exploited.


Tracker should have a way to avoid indexing files that have been
downloaded at least from untrusted domains, and possibly all downloaded

But yes, we should have a way of indicating "trusted" domains, so users
get fewer annoying popups.

Bonus points if we could also have forbidden domains. Then your work VM
 could trust your work servers, and your personal VM should know it
should refuse them. (At least that's a mistake I feel I'm likely to


Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: