12:38 <houkime> I found ipc standards for BGA courtyards a bit ridiculous and searched for an updated IPC-7351C... only to find this thread. https://www.pcblibraries.com/forum/ipc7351c-draft-or-release-date_topic1818_page1.html

12:41 <houkime> so from now i will be far more critical of ipc standards (mostly about their correspondence to current manufacturers capabilities) and employ common logic and metacollin's stuff where datasheets don't recommend anything in particular.

12:45 <houkime> Though strategically what i think should happen is that oshw community produce some exhaustive open guidelines on their own.

12:47 <houkime> just on the git server somewhere, so people can commit and compile from datasheets, experience and manufacturer data actual contemporary requirements for a PCB design.

12:47 <houkime> *producible PCB design.

12:53 <houkime> (the thread basically says that IPC is dead)

12:54 <houkime> (and is unlikely to update any time soon)

12:55 <Joerg-Neo900> >>i will be far more critical of ipc standards [...] employ common logic and metacollin's stuff<< :thumbsup: :-)

12:56 <Joerg-Neo900> you caught up with our internal discusion and conclusions/decisions

15:11 <sixwheeledbeast> https://it.slashdot.org/story/19/08/10/2257259/remember-autoruninf-malware-in-windows-turns-out-kde-offers-something-similar

15:33 <Joerg-Neo900> yeah, $() escape exploit in filename of icon

15:33 <Joerg-Neo900> in .desktop

15:34 <Joerg-Neo900> I already argues with some other hackers yesterday, and finally stand corrected as this would have hit me if I opened any arbitrary dir with konqueror

15:35 <Joerg-Neo900> writing a .desktop to ~/Desktop is for sure sth you should try to NOT do when source is shady

15:36 <Joerg-Neo900> but even extracting a shady origin tarbal into /tmp/foobar/ would hit you if you open /tmp/foobar/ with konqueror then

15:40 <Joerg-Neo900> >>the researcher says the vulnerability can be used to place shell commands inside the standard "Icon" entries found in .desktop and .directory files<<

15:40 <Joerg-Neo900> icon=$(rm -rf /) somesuch

15:41 <Joerg-Neo900> details at https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

15:41 <Joerg-Neo900> [Desktop Entry]

15:41 <Joerg-Neo900> Type=Directory

15:42 <Joerg-Neo900> Icon[$e]=$(echo${IFS}0>~/Desktop/zero.lol&)

15:44 <Joerg-Neo900> nifty use of $IFS

16:25 <Joerg-Neo900> Remediation:

16:25 <Joerg-Neo900> Disable shell expansion / dynamic entries for [Desktop Entry] configurations.

16:26 <Joerg-Neo900> MY remediation: *sign* .desktop files with your local PK and expand only files that gave valid signature

16:26 <Joerg-Neo900> have, even

16:28 <Joerg-Neo900> if expansion detected in an unsigned .desktop file: Rise BIG FAT WARNING requester wit options "DONT EXPAND" "EXPAND ONCE" and "SIGN AND EXPAND ALWAYS"

16:29 <Joerg-Neo900> of course requester will show the suspicious line "of code" in .desktop

16:29 <Joerg-Neo900> and a 4th option should be "open in $EDITOR"

16:30 <Joerg-Neo900> in my book *this* is the canonical way to handle such stuff

16:30 <Joerg-Neo900> not feature neutering

16:31 <Joerg-Neo900> which always is a lazy idiot's option to deal with such problems

16:31 <Joerg-Neo900> you got no idea at all how many users out ther4e depend on this feature