<hyperfekt>
that seems like a problem in how xattrs are treated, really
<pie_>
i mean...it seems sensible
<pie_>
just...
<pie_>
not very visible for starters
pastbytes has quit [Quit: Leaving]
v0idify has quit [Ping timeout: 268 seconds]
v0idify has joined #spectrum
nicoo has quit [Ping timeout: 268 seconds]
nicoo has joined #spectrum
moonloo has quit [Ping timeout: 240 seconds]
cole-h has quit [Ping timeout: 245 seconds]
jpds_ has joined #spectrum
jpds has quit [Remote host closed the connection]
jpds_ is now known as jpds
<V>
pie_: I honestly find those very useful
<V>
I can see why people would dislike them, and they're definitely something to take into consideration when transferring files between isolation boundaries
cole-h has joined #spectrum
zgrep has quit [Quit: It's a quitter's world.]
zgrep has joined #spectrum
edadqr_ has quit [Remote host closed the connection]
edadqr_ has joined #spectrum
moonloo has joined #spectrum
<samueldr>
the intent was that the user-facing software could show a warning "this file comes from origin XXXX, do you trust it?" when executing it
<samueldr>
but I don't think anything really ended-up doing that
<v0idify>
origin doesn't really matter ex. github redirects to a weird origin from aws/s3 to download files
<v0idify>
signed files would be a better measure but then you need CA and shit and it doesn't really work
<v0idify>
(see: windows malware being signed just fine)
<v0idify>
and it just annoys many devs who just want to have a program work without paying :P
pastbytes has joined #spectrum
<samueldr>
it's an additional layer, and origin may not be strictly the original URL, but maybe the page the "click event" happend on
<samueldr>
I know other operating systems once tracked that info, if they still don't e.g. macOS, windows