[arch-dev-public] Wine association, waht should we do?
Some users expressed concern in the capabilities of the Wine package to run .exe or autorun files by default, and sometimes this without asking permission from the user. This can be stopped, the solution can be taking this line: MimeType=application/x-ms-dos-executable;application/x-msdos-program;application/x-msdownload; out of the wine.desktop file. And adding a message telling the user that in order to enable file association with wine the have to issue the following command as root: echo "MimeType=application/x-ms-dos-executable;application/x-msdos-program;application/x-msdownload;" >> /usr/share/applications/wine.desktop Thanks goes to trivialstuff for looking into this, I didn't had the time to. The discussion has been going on here: http://bbs.archlinux.org/viewtopic.php?id=54162 I will appreciate your suggestions guys. Thanks Eduardo "kensai" Romero
On Thu, Aug 28, 2008 at 5:05 PM, Eduardo Romero <k3nsai@gmail.com> wrote:
Some users expressed concern in the capabilities of the Wine package to run .exe or autorun files by default, and sometimes this without asking permission from the user. This can be stopped, the solution can be taking this line: MimeType=application/x-ms-dos-executable;application/x-msdos-program;application/x-msdownload; out of the wine.desktop file.
And adding a message telling the user that in order to enable file association with wine the have to issue the following command as root: echo "MimeType=application/x-ms-dos-executable;application/x-msdos-program;application/x-msdownload;" >> /usr/share/applications/wine.desktop
Thanks goes to trivialstuff for looking into this, I didn't had the time to.
The discussion has been going on here: http://bbs.archlinux.org/viewtopic.php?id=54162
I will appreciate your suggestions guys.
Thanks
Eduardo "kensai" Romero
umm as I understand a user still has to click the file for it to be executed via wine? I don't see any problem there. If someone is affraid to click a .exe file, then either they should remove the file association on their local machine or remove wine altogether (btw I seriously doubt that any virus will do harm when executed via wine (or has it become that good?)). I suggest to keep it as is (as was intended upstream), maybe adding a message saying what to do to disable the file association. Ronald
Ronald van Haren schrieb:
The discussion has been going on here: http://bbs.archlinux.org/viewtopic.php?id=54162
I will appreciate your suggestions guys.
Thanks
Eduardo "kensai" Romero
umm as I understand a user still has to click the file for it to be executed via wine? I don't see any problem there. If someone is affraid to click a .exe file, then either they should remove the file association on their local machine or remove wine altogether (btw I seriously doubt that any virus will do harm when executed via wine (or has it become that good?)). I suggest to keep it as is (as was intended upstream), maybe adding a message saying what to do to disable the file association.
Ronald
Agreed. And someone should probably point the paranoid poster to pacman's NoUpgrade option, so the .desktop file stays the way he wants it even after updates.
On Thu, 2008-08-28 at 17:19 +0200, Ronald van Haren wrote:
umm as I understand a user still has to click the file for it to be executed via wine? I don't see any problem there. If someone is affraid to click a .exe file, then either they should remove the file association on their local machine or remove wine altogether (btw I seriously doubt that any virus will do harm when executed via wine (or has it become that good?)). I suggest to keep it as is (as was intended upstream), maybe adding a message saying what to do to disable the file association.
Ronald
It does run viruses, this has been tested before, they don't do much harm though. And, autorun files are the thread since they don't require a click. And yes you are right, it was intended to be that way upstream.
On Thu, Aug 28, 2008 at 5:59 PM, Eduardo Romero <k3nsai@gmail.com> wrote:
It does run viruses, this has been tested before, they don't do much harm though. so that is a non-issue if it does no harm.
And, autorun files are the thread since they don't require a click. And yes you are right, it was intended to be that way upstream.
this should depend on how you configured your wm/de. I've never seen any cd autorun by default on my desktop. As I see it, most WMs don't autorun cds by default. KDE can autorun cds, but by default it asks if it should autorun the cd, IIRC. Of course some others may autorun cds by default, I have no idea, but even in that case, it is the users responsibility what he sticks in his cd drive. If he legally buys his cds there should be no virus on it. Sure you can get a virus on a usb stick or so, but much depends what you do with these devices. Ronald
Whoa. I just want to make my opinion known that in NO WAY should we be modifying packages so that if users turn on an AutoRun the package doesn't run. You turn on some kind of AutoRun feature, you deal with the consequences. Not to mention the OP in the bbs thread linked has a use case that isn't normal for wine. Not normal in the "I don't want wine to run .exe' even though I just clicked on them" kinda way. I'm amazed this is even a discussion. // jeff -- . : [ + carpe diem totus tuus + ] : .
On Thu, 2008-08-28 at 13:01 -0400, Jeff Mickey wrote:
I'm amazed this is even a discussion.
// jeff I'm not, it is a matter of opinions, so don't be amazed.
Thanks all the others for the suggestions that helped. It will be known how to disable it, but we won't disable it. I just wanted to know if anyone else thought it was a security thread to have it that way. As I mentioned before, I didn't had much time to investigate this matter, that is why discussion was started. Case closed, won't fix, since it behaves as the package should behave. Thanks Eduardo "kensai" Romero
On 8/29/08, Jeff Mickey <jeff@archlinux.org> wrote:
Whoa.
I just want to make my opinion known that in NO WAY should we be modifying packages so that if users turn on an AutoRun the package doesn't run. You turn on some kind of AutoRun feature, you deal with the consequences. Not to mention the OP in the bbs thread linked has a use case that isn't normal for wine. Not normal in the "I don't want wine to run .exe' even though I just clicked on them" kinda way.
And just to clarify something... 1) KDE (not wine), just _alerted_ that there was an autorun available. So it's a KDE feature, not wine. 2) It only alerted that there's an autorun available (presumably checking for autorun.inf) but did not run it. You had to click OK to execute the autorun 3) It makes sense for wine to be bound to exe's. Exe's should be treated no different to any file type, as any file could possibly contain a danger. Don't click an exe you dont trust, like you wouldnt click a shell script or binary or any other file you don't trust the source. So just to get things straight, no executable/autoruns are run without asking the user first. There's no real "consequences" to speak of, unless you're silly enough to click OK for a disc you don't trust. And hey, it was kinda convenient.
On Fri, 2008-08-29 at 09:06 +1000, James Rayner wrote:
And just to clarify something... 1) KDE (not wine), just _alerted_ that there was an autorun available. So it's a KDE feature, not wine. 2) It only alerted that there's an autorun available (presumably checking for autorun.inf) but did not run it. You had to click OK to execute the autorun 3) It makes sense for wine to be bound to exe's. Exe's should be treated no different to any file type, as any file could possibly contain a danger. Don't click an exe you dont trust, like you wouldnt click a shell script or binary or any other file you don't trust the source.
So just to get things straight, no executable/autoruns are run without asking the user first. There's no real "consequences" to speak of, unless you're silly enough to click OK for a disc you don't trust.
And hey, it was kinda convenient.
Yeah, I kind of got that all, as I said for the 20th time, since I didn't had much time to research on the situation I brought it up here to see if developers thought it was a security thread. But we all know by now that it is not. Thanks for your message anyways.
On Thu, Aug 28, 2008 at 6:45 PM, Eduardo Romero <k3nsai@gmail.com> wrote:
On Fri, 2008-08-29 at 09:06 +1000, James Rayner wrote:
And just to clarify something... 1) KDE (not wine), just _alerted_ that there was an autorun available. So it's a KDE feature, not wine. 2) It only alerted that there's an autorun available (presumably checking for autorun.inf) but did not run it. You had to click OK to execute the autorun 3) It makes sense for wine to be bound to exe's. Exe's should be treated no different to any file type, as any file could possibly contain a danger. Don't click an exe you dont trust, like you wouldnt click a shell script or binary or any other file you don't trust the source.
So just to get things straight, no executable/autoruns are run without asking the user first. There's no real "consequences" to speak of, unless you're silly enough to click OK for a disc you don't trust.
And hey, it was kinda convenient.
Yeah, I kind of got that all, as I said for the 20th time, since I didn't had much time to research on the situation I brought it up here to see if developers thought it was a security thread. But we all know by now that it is not. Thanks for your message anyways.
If anyone asks, tell them the real threat is PEBKAC!
participants (6)
-
Aaron Griffin
-
Eduardo Romero
-
James Rayner
-
Jeff Mickey
-
Ronald van Haren
-
Thomas Bächler