The FreeDesktop.org Trash specification

Written by Mikhail Ramendik <mr@ramendik.ru>

Content by David Faure <dfaure@trolltech.com>, Alexander Larsson <alexl@redhat.com> and others on the FreeDesktop.org mailing list

Version 0.2

Abstract

The purpose of this Specification is to provide a common way in which all “Trash can” implementations should store, list, and undelete trashed files. By complying with this Specification, various Trash implementations will be able to work with the same devices and use the same Trash storage. For example, if one implementation sends a file into the Trash can, another will be able to list it, undelete it, or clear it from the Trash.

Introduction

An ability to recover accidentally deleted files has become the de facto standard for today's desktop user experience.

Users do not expect that anything they delete is permanently gone. Instead, they are used to a “Trash can” metaphor. A deleted document ends up in a “Trash can”, and stays there at least for some time – until the can is manually or automatically cleaned.

This system has its own problems. Notably, cleaning disk space becomes a two-step operation – delete files and empty trash; this can lead to confusion for inexperienced users (“what's taking up my space?!”). Also, it is not easy to adapt the system to a multiuser environment. Besides, there is a potential for abuse by uneducated users – anecdotal evidence says they sometimes store important documents in the Trash can, and lose them when it gets cleaned!

However, the benefits of this system are so great, and the user expectation for it so high, that it definitely should be implemented on a free desktop system. And in fact, several implementations already exist – some as command line utilities, some as preloaded libraries, and some as parts of major desktop environments. For example, both Gnome and KDE have their own trash mechanisms.

This Specification is to provide a common way in which all Trash can implementations should store trashed files. By complying with this Specification, various Trash implementations will be able to work with the same devices and use the same Trash storage.

This is important, at least, for shared network resources, removable devices, and in cases when different implementations are used on the same machine at different moments (i.e. some users prefer Gnome, others prefer KDE, and yet others are command-line fans).

Scope and limitations

This Specification only describes the Trash storage. It does not limit the ways in which the actual implementations should operate, as long as they use the same Trash storage. Command line utilities, desktop-integrated solutions and preloaded libraries can work with this specification. 1

This Specification is geared towards the Unix file system tree approach. However, with slight modifications, it can easily be used with another kind of file system tree (for example, with drive letters).

A multi-user environment, where users have specific alphanumeric names, is essential for this Specification.

File systems and logon systems can be case-sensitive or non-case-sensitive; therefore, systems should generally not allow user names that differ only in case.

Definitions

Trash, or Trash can – the storage of files that were trashed (“deleted”) by the user. These files can be listed, undeleted, or cleaned from the trash can.

Trashing – a “delete” operation in which files are transferred into the Trash can.

Erasing – an operation in which files (possibly already in the Trash can) are removed (unlinked) from the file system. An erased file is generally considered to be non-recoverable; the space used by this file is freed. [A “shredding” operation, physically overwriting the data, may or may not accompany an erasing operation; the question of shredding is beyond the scope of this document].

Original location – the name and location that a file (currently in the trash) had prior to getting trashed.

Original filename – the name that a file (currently in the trash) had prior to getting trashed.

Top directory – the directory where a file system is mounted. “/” is the top directory for the root file system, but not for the other mounted file systems. For example, separate FSes can be mounted on “/home”, “/mnt/flash”, etc. In this text, the designation “$topdir” is used for “any top directory”.

Home directory – the “home” directory for a user; the user generally stores personal fines in this folder. Also known as $HOME. In Unix-like systems, home directories are usually located under the /home or /usr/home tree .

Trash directory – a directory where trashed files, as well as the information on their original name/location and time of trashing, are stored. There may be several trash directories on one system; this Specification defines their location and contents. In this text, the designation “$trash” is used for “any trash directory”.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Trash directories

A system can have one or more trash directories. The contents of any trash directory are to be compliant with the same standard, described below.

For every user2 a $HOME/.Trash directory MUST be available3. It should function as the user's Trash directory. Files that the user trashes from the home directory, and from other directories on the same file system (device/partition), should be stored here (see the next section for the storage details). $HOME/.Trash SHOULD be automatically created for new user. If this directory is needed for a trashing operation but does not exist, the implementation SHOULD automatically create it, without any warnings or delays.

The implementation MAY also support trashing files from the rest of the system (including other partitions, shared network resources, and removable devices) into $HOME/.Trash . This is a “failsafe” method: trashing works for all file locations, the user can not fill up any space except the home directory, and as other users generally do not have access to it, no security issues arise.

However, this solution leads to costly file copying (between partitions, over the network, from a removable device, etc.) A delay instead of a quick “delete” operation can be unpleasant to users.

An implementation may choose not to support trashing in some of these cases (notably on network resources and removable devices). This is what some well known operating systems do.

It may also choose to create .Trash directories in Top directories of some mounted file systems. How these directories are created (by the system administrator, a daemon, etc.) is determined by the implementation.

Such .Trash directories are not in themselves trash storage directories; this would break multi-user support. Instead, an $topdir/.Trash directory can contain any number of subdirectories, named for users that perform trashing operations; i.e. $topdir/.Trash/user . Each of these is a trash storage directory, containing the files trashed by this user. (See the next section for the storage details).

Note that an implementation MAY choose to support or not support trashing into $topdir/.Trash/user. If it does support it, it SHOULD make it a configuration option, so that the administrator can disable it for any or all mount points for security reasons (and use $HOME/.Trash or no trashing at all).

However, if a .Trash directory does exist in any top directory, an implementation MUST be able to list and undelete files that are in the current user's subdirectory within it.

The use of $topdir/$Trash can lead to some peculiar issues. These are discussed in the “Implementation notes” section, at the end of this document.

Contents of a trash directory

The previous section has described the location of trash directories. This section concerns the contents of any trash directory (including $HOME/.Trash). This trash directory will be named “$trash” here.

A trash directory contains two subdirectories, named info and files.

The $trash/files directory contains the files and directories that were trashed. When a file or directory is trashed, it MUST be moved into this directory4 . The names of files in this directory are to be determined by the implementation; the only limitation is that they must be unique within the directory. Even if a file with the same name and location gets trashed many times, each subsequent trashing must not overwrite a previous copy. The access rights, access time and modification time for a file/directory in $trash/files SHOULD be the same as the file/directory had before getting trashed.

IMPORTANT NOTE. While an implementation may choose to base filenames in the $trash/files directory on the original filenames, this is never to be taken for granted5. A filename in the $trash/files directory MUST NEVER be used to recover the original filename; use the info file (see below) for that. (If an info file corresponding to a file/directory in $trash/files is not available, this is an emergency case, and MUST be clearly presented as such to the user or to the system administrator).

The $trash/info directory contains an “information file” for every file and directory in $trash/files. This file MUST have exactly the same name as the file or directory in $trash/files. The contents of this file are:

original_location\n
trashing_time\n

Where:

YYYY-MM-DDThh:mm:ssZ

Note that $trash/info has no subdirectories. For a directory in $trash/files, only an information file for its own name is needed. This is because, when a subdirectory gets trashed, it must be moved to $trash/files with its entire contents. The names of the files and directories within the directory MUST NOT be altered; the implementation also SHOULD preserve the access and modification time for them.

Implementation notes

[This section will contain notes on implementing all the basic operations: trashing a file/directory, listing trash contents, undeleting a file/directory, and emptying the trash. In particular, it will describe the peculiarities of implementing the $topdir/.Trash/user solution. I plan to write this section later, to include the feedback in the FreeDesktop.org mailing list]

Administrativia

Status of this document

This document is, at this moment, only a draft. It will hopefully become an official or semi-official FreeDesktop.org specification in the future.

Date of first public distribution: August 30, 2004. This document will serve as evidence of prior art for any patent filed after this date.

License

Use and disribute as you wish. If you make a modified version and redistribute it, (a) keep the name of the author and contributors somewhere, and (b) indicate that this is a modified version.

Implementation under any license at all is explicitly allowed.

Location

http://www.ramendik.ru/docs/trashspec.html . If this document gets hosted by FreeDesktop.org, a link to the page will still be available at this location.

http://www.ramendik.ru/docs/trashspec.0.2.html is the permanent location of this version.

Version history

0.1 “First try”, August 30, 2004. Initial draft. “Implementation notes” not written as yet.

0.2 August 30, 2004. Updated with feedback by Alexander Larsson <alexl@redhat.com> and by Dave Cridland <dave@cridland.net>



1However, developers of preloaded libraries should somehow work around the case when a desktop environment also supporting the Trash specification is run on top of them. “Double trashing” and “trashing of the trash” should be avoided.

2To be more precise, for every user who can use the trash facility. In general, all human users, and possibly some “robotic” ones like ftp, should be able to use the trash facility.

3Note the dot in the beginning, and for case sensitive file systems, note the case.

4“$trash/files/”, not into “$trash/” as in many existing implementations!

5At least because another implementation might trash files into the same trash directory