Comment 19 for bug 695437

Ari (ari-lp) wrote :

> I would say that:
> - an option needs to be implemented to disable executing executable files by default
> - run in terminal needs to be in second position for executable files

I think this would be a great start, but I am still not convinced that executing scripts should be the default.

> I have to say that dangerous scripts may often need to be run as sudoer.

People often say this, especially in regards to malicious code, but to me a rogue script deleting my home directory and personal documents within sounds way more frightening than any modification to system files could ever be.

> It's also as easy to run a script with zsh or bash accidentally (even not as easy but still), many of them may handle that case.

It's true that navigating the terminal can be dangerous, but what we are talking about is a completely different issue altogether.

Most users will anticipate the dangers associated with the power of the CLI and act accordingly when they're in a terminal, carefully treading their way through whatever commands they might issue. It's quite the opposite when using a GUI: We have grown accustomed to having feedback and warnings for dangerous actions; for instance, most file managers will invoke a confirmation dialog when clicking on an executable file, asking the user if they really want to execute the script (opening it in a text editor being the default action, for good reasons!).

The current implementation goes completely against the expectations your average user has grown accustomed to while using other applications such as Nautilus, Thunar, Krunner or even the Unity dash. Not executing scripts by default in a GUI context is a standard UX practice. If you are going to change something like that you need to have some very good reasons – and I just don't see them here.

The number of people 'affected' by this issue on launchpad does not constitute a good metric to base decisions like these on. Most users will never visit this page, nor have the need for quick access to a script through a launcher. But if this stays the default, I can assure you that quite a lot of unsuspecting users _will_ come here complaining about unexplained behaviour, data loss, and whatever else might occur because of haphazard script executions – that is, if they ever come to realize that Synapse was at fault.

All it takes is just one badly programmed icon theme installation script.