> Also, Windows ACLs come with an execute permission per user, group, or any other policy related object. It's enabled by default for executable files you're allowed to read, but there's absolutely nothing stopping you from making executables unexecutable.
That's the whole point that GP is raising: whether the execute bit is set by default, or not.
However, personally I think the file itself should carry the information that it is meant to be executable (e.g. through a magic like shebang, an ELF/PE header, file extension, etc). Under UNIX-like OSes, it just creates pointless friction for users who are already certain that they do want to run the executable they just downloaded.
Quarantine is (at least conceptually) a better and more general mechanism than the execute permission, as files other than executables could also be considered dangerous (like an image file trying to pwn the decoder, or a local HTML file trying to access the network). The quarantine bit could tell the OS and/or application to highly distrust the content (e.g. run it in a sandbox that denies FS/network access).
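
An added example, not part of the comment above: a small audit that compares what a file's content declares (shebang, ELF magic, PE header) with whether the POSIX execute bit is set, which makes the two signals discussed in the thread visible side by side. The function names and sample files are constructed for illustration.

```python
import os
import stat
import struct
import tempfile

def content_kind(head: bytes):
    """Classify leading bytes as 'script', 'elf', 'pe', or None."""
    if head.startswith(b"#!"):
        return "script"
    if head.startswith(b"\x7fELF"):
        return "elf"
    # PE: 'MZ' stub, then e_lfanew at offset 0x3C points at 'PE\0\0'.
    if head.startswith(b"MZ") and len(head) >= 0x40:
        (pe_off,) = struct.unpack_from("<I", head, 0x3C)
        if head[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
    return None

def audit(path):
    """Return (kind declared by content, whether any execute bit is set)."""
    with open(path, "rb") as f:
        head = f.read(4096)
    mode = os.stat(path).st_mode
    has_x = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return content_kind(head), has_x

# Constructed samples: name -> (leading bytes, permission mode)
SAMPLES = {
    "script.sh": (b"#!/bin/sh\necho hi\n", 0o644),
    "tool.elf": (b"\x7fELF" + bytes(60), 0o755),
    "setup.exe": (b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0", 0o644),
    "notes.txt": (b"plain text\n", 0o755),
}

def demo():
    """Write the samples to a temp dir and audit each one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (data, mode) in SAMPLES.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)
            results[name] = audit(path)
    return results

if __name__ == "__main__":
    for name, (kind, has_x) in demo().items():
        print(f"{name:10} content={kind!s:6} execute_bit={has_x}")
```

Files where the two columns disagree (an executable header without the bit, or the bit on a file with no recognised header) are the cases where content-based and permission-based signals diverge.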