On Tue, Jun 06, 2017 at 11:29:20PM +0200, Michael Biebl wrote: > Am 06.06.2017 um 15:55 schrieb Adam Borowski: > > gvfs: atril easytag thunar > > * BAD: gvfs is a major annoyance and a security hole > > "Annoys Adam Borowski" is not a very convincing argument.
For the first part, it indeed varies by use case. I don't recall ever using an USB or SD attached storage for "data" in an Unix machine, yet I have two SD readers, four cards and one USB stick on my desk right now despite having cleaned the desk a few days ago. It's just always a "disk" for some SoC or bootable media (d-i, etc). Some people may disagree. > As for "security hole", I'm not sure what exactly you have in mind there. > I don't see any open CVEs or bugs tagged with security against gvfs. I found a security hole in the vfat driver as an idiot kid ~20 years ago, before I even started using Linux myself. That particular filesystem is simplicistic enough to _possibly_ be exploitable bug free by now, but as a btrfs@vger regular, I hear about enough unintentional corruption caused failures that I see no way the filesystem could be secured against a malicious image without an extreme effort that would also destroy performance. And that's a maintained filesystem. We do, in our default kernel, ship drivers for so many obscure filesystems no one has used for years that I'm 100% certain you can find an arbitrary code execution bug triggerable by just mounting such an untrusted USB stick. Meow! -- ⢀⣴⠾⠻⢶⣦⠀ A tit a day keeps the vet away. ⣾⠁⢰⠒⠀⣿⡁ ⢿⡄⠘⠷⠚⠋⠀ (Rejoice as my small-animal-murder-machine got unbroken after ⠈⠳⣄⠀⠀⠀⠀ nearly two years of no catch!)
