Red Hat Bugzilla – Bug 767978
remove/disable E: script-without-shebang /usr/share/applications/foo.desktop check
Last modified: 2011-12-15 17:43:32 EST
Per a recent package review:
kdf.x86_64: E: script-without-shebang /usr/share/applications/kde4/kdf.desktop
xdg specs (or at least common practice and conventional wisdom) now strongly encourage .desktop files to ship with executable bits as an additional security measure. For a while now, at least all upstream core kde applications follow this practice and kdelibs enforces additional checks on .desktop files (in particular, those .desktop files found outside of usual search paths).
Given this, I'd recommend that rpmlint no longer issue warnings or errors pertaining to packages containing executable .desktop files.
Does the xdg standard really say that .desktop files should be +x as a _security_ measure? What happens if you try to execute it? It has no interpreter!
Looking at the Desktop Entry Specification (http://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-1.1.html), I can't see anything to back this up, nor can I figure out why it would be conventional wisdom or common practice to set the executable flag on a file that cannot execute.
It's not part of the spec, but is a common practice these days.
I'll see if I can dig up some mailing list references for some background.
Here's the main thread I recall:
".desktop file security"
Hrm. It seems like a terrible idea, and a great way to try to exploit a system. While I'd prefer that this was standardized in the Desktop Entry Specification, it isn't explicitly forbidden. (Neither is wearing a .desktop file as pants, but I wouldn't recommend that either.)
The concept of taking a file format and making it executable when there is no reason to do so is completely flawed, IMHO.
But. I realize that the time for sanity in this discussion may have come and gone if it has been implemented in KDE already, so I'll just grumble and wave my cane of sanity at you from my front porch.
(In reply to comment #3)
That post lists three conditions, any of which is said to permit the launch. Two of three (root ownership, installed in system dirs) are already true for packaged apps, so I don't see why adding the executable bit would do any good.
Sure, kde adds X unconditionally, for folks installing kde trees outside of system dirs. I suppose it could be argued it should only do that conditionally in that case.
rpmlint-1.4-4.fc17 squelches the error on +x desktop files. If only it was so easy to squelch bad ideas on the internets. *sigh*
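The launch policy summarised in comment #5 (root ownership, installation in a system directory, or an executable bit, any one of which permits the launch) and the rpmlint check that this bug squelches, modelled as an added Python example. This is illustrative code written for this discussion, not kdelibs' or rpmlint's own implementation; the list of system directories and the exemption of .desktop files by extension are assumptions made for the example.

```python
"""Model of the .desktop launch policy and the script-without-shebang check
discussed in this bug.  Added illustration, not kdelibs' or rpmlint's code."""
import os
import stat

# Assumed system search paths for this example (the thread itself only
# names /usr/share/applications explicitly).
SYSTEM_DIRS = ("/usr/share/applications", "/usr/local/share/applications")


def _is_executable(st_mode):
    """True if any of the user/group/other execute bits is set."""
    return bool(st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def in_system_dir(path, system_dirs=SYSTEM_DIRS):
    """True if the normalised path sits under one of the system directories.
    normpath collapses '..' so a path that merely starts with the prefix
    text but escapes it is not counted."""
    real = os.path.normpath(path)
    return any(real == d or real.startswith(d.rstrip("/") + "/") for d in system_dirs)


def launch_permitted(path, st_uid, st_mode, system_dirs=SYSTEM_DIRS):
    """Pure policy check from the thread: owned by root, OR installed in a
    system dir, OR marked executable.  Takes stat fields as arguments so the
    decision can be exercised without root or a real file."""
    owned_by_root = st_uid == 0
    return owned_by_root or in_system_dir(path, system_dirs) or _is_executable(st_mode)


def launch_permitted_on_disk(path, system_dirs=SYSTEM_DIRS):
    """Convenience wrapper applying the same policy to an actual file."""
    st = os.stat(path)
    return launch_permitted(path, st.st_uid, st.st_mode, system_dirs)


def script_without_shebang(path, st_mode, first_bytes, exempt_desktop=True):
    """Model of rpmlint's E: script-without-shebang: an executable file whose
    first bytes are not '#!' is flagged.  exempt_desktop mirrors the outcome
    of this bug (+x .desktop files no longer trigger the error); matching on
    the .desktop extension is an assumption of this example."""
    if not _is_executable(st_mode) or first_bytes.startswith(b"#!"):
        return False
    if exempt_desktop and path.endswith(".desktop"):
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: a packaged entry (root-owned, system dir, 0644)
    # is trusted; the same file in a home directory is trusted only once
    # it carries an executable bit.
    print(launch_permitted("/usr/share/applications/kde4/kdf.desktop", 0, 0o100644))
    print(launch_permitted("/home/user/Downloads/kdf.desktop", 1000, 0o100644))
    print(launch_permitted("/home/user/Downloads/kdf.desktop", 1000, 0o100755))
    # A .desktop file begins with '[Desktop Entry]', never '#!', so before the
    # exemption an executable one always tripped the rpmlint error.
    header = b"[Desktop Entry]\nType=Application\n"
    print(script_without_shebang("/usr/share/applications/kde4/kdf.desktop", 0o100755, header))
    print(script_without_shebang("/usr/share/applications/kde4/kdf.desktop", 0o100755, header, exempt_desktop=False))
```

The pure `launch_permitted` function makes the point of comment #5 visible: for a file that is already root-owned and under /usr/share/applications, the executable bit never changes the decision, so it only matters for entries living outside the system directories.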
(In reply to comment #6)
> Sure, kde adds X unconditionally, for folks installing kde trees outside of
> system dirs. I suppose it could be argued it should only do that conditionally
> in that case.
...or if/as long as it doesn't, packagers (c|sh)ould just remove the x bits from where they're not needed.
I think KDE considers the other 2 conditions just compatibility hacks and would like ALL .desktop files to be marked executable.