On Wed, Nov 23, 2016 at 5:03 PM, Carlos Garnacho <carlosg@xxxxxxxxx> wrote:
> There is nothing specific in Tracker *design* about opening files, at
> all. Tracker is a semantic database with a focus on local
> access/content, period. Your gripe happens to be against a certain
> implementation of these "miners" populating this database, and you
> keep mistaking the part with the whole.

I'm objecting to whatever piece of software opens thoroughly untrusted
files out of ~/Downloads and parses them. If that's not "Tracker",
then I apologize.

>
> So, again, there is no justification to consider every other Tracker
> component just as insecure in this regard.
>
>> them with code that was never designed with security in mind, is written in
>> memory-unsafe languages, isn't sandboxed, and apparently loads plugins.
>
> * Memory-unsafe languages: Sure, the same memory-unsafe language your
> kernel is written in, or your pid 1, or your graphics server...
> Factoring out per-mimetype extraction specifics, tracker-extract is
> actually dead simple: 1) pick unprocessed file uri, 2) "extract
> metadata" black box, 3) send metadata to the tracker-store process via
> dbus. Do you really think the language of choice matters much here...?
>
> * not sandboxed: granted, as said flatpak integration is being
> planned. You're welcome to join!
>
> * loads plugins: Wrong, tracker-extract uses a very restricted set of
> modules, loaded from a very specific directory. One of them happens to
> use gstreamer (the de-facto media library on linux, you know), which
> as it turns out is *a lot* happier than tracker-extract at opening
> plugins. I tbh wonder why aren't we debating about the future of
> gstreamer1-plugins-bad, or why users of the gstreamer library can't
> whitelist the trusted modules to load.

Firefox is a big piece of code that loads untrusted stuff. It's
written in a memory-unsafe language, and there's a big team working on
fixing that. It's not sandboxed, and there's a project to fix that.
And it's still a major attack vector, but at least it has a very
serious security team.

The fact that flatpak integration is being planned is great. I hope
that flatpak has an exceedingly strict mode for applications like
this.

Tracker is just as exposed as Firefox because it (or some piece of it
or whatever) parses stuff in Downloads.