I've never worked directly with portals / XDG / MIME, however, I
assume that Flatpak/Freedesktop can collaborate together, and
figure out a solution that involves a MIME whitelist. I don't know
how easy or hard this solution would be, however, at the very
least, it is a simple way for those parties to take responsibility,
and to address the *root issue,* so that the burden of finding
every single application that happens to execute something via
MIME, *does not* fall onto Linux distributions like Fedora.

  This is bad security architecture through and through. I'd rather
see the root problem addressed, than have various small symptoms be
patched over, and be blamed as the problem. These symptoms will
continue popping up, until the root problem is fixed.


Sent with Proton Mail secure email.

On Wednesday, July 8th, 2026 at 10:28, Michael Catanzaro via devel 
<[email protected]> wrote:

> I don't necessarily disagree, but there is a reason why it is this way. 
> Consider:
> 
> On Wed, Jul 8, 2026 at 1:32 PM, Daniel P. Berrangé wrote:
> 
> > -- 
> > |: https://berrange.com ~~  https://hachyderm.io/@berrange :|
> > |: https://libvirt.org ~~  https://entangle-photo.org :|
> > |: https://pixelfed.art/berrange ~~  https://fstop138.berrange.com :|
> > 
> > -- 
> > _______________________________________________
> > devel mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: 
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: 
> > https://lists.fedoraproject.org/archives/list/[email protected]
> > Do not reply to spam, report it: 
> > https://forge.fedoraproject.org/infra/tickets/issues/new
> 
> 
> Yes, I just quoted only the footer of your mail. Look at all those 
> hyperlinks. What happens when you click on the link? Assuming your email 
> client is running under Flatpak, then currently it opens in a web browser. 
> But if we change the OpenURI portal to display UI, then you'll instead see a 
> dialog prompting you to select an application in which to open the link. And 
> now the user is likely pretty annoyed, because users like to click on links. 
> Lots and lots of links. Who doesn't? So we have to consider the trade-off 
> between quality user experience vs. risk of messing up by installing a risky 
> desktop file.
> 
> Of course there are possible middle ground solutions. We could choose to 
> allowlist http:// and https:// URLs, and possibly even mailto: and tel:, on 
> the assumption that these are very likely safe. But confusingly, the OpenURI 
> portal handles not just URLs, but also files. Any desktop file that can 
> handle MIME types is implicated. So download an image in your web browser and 
> click on it: do you want it to open in your image viewer (probably?) or do 
> you want to see some sort of security prompt?
> 
> Sebastien's argument that this is unsafe even with Flatpak out of the picture 
> seems pretty persuasive.
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to