I see a problem with this:

On 06 Nov 2016 20:57, Tommaso Cucinotta wrote:

     Converters marked with the new "needauth" option won't be run unless
     the user gives explicit authorization, which is asked on-demand when
     the converter is about to be run (question is not asked if the file is
     cached and the converter is not needed).

The idea (to protect against misuse) is good! Unfortunately, I don't think protection actually will be achieved this way. Also, getting prompts/popups of any kind is annoying (except for stuff I ask for myself, such as the search/replace dialog). When I start a time-consuming job, I want to go for lunch and come back to a finished job. Not a prompt telling me the time was wasted because I must make a decision before anything more happens.

Protection will not be achieved in most cases, because users are used to "clicking through various annoying popups without even reading them". They want to print a document or something, they are not prepared to make a security decision. The vast majority of writers aren't competent to make such a decision either. They have no idea what converter is about to run, or what the security implications are. If they got the document in the mail, they may not know if the question is to be expected because the co-author is using a special package, or if this is likely to be a hacking attempt.

The exceptionally careful might try answering "no". When that doesn't work, they answer "yes" the next time. From then on, the question is nothing more than an annoyance - they will always answer "yes", and only because they know it is necessary to get their work done. They won't be contemplating security issues. You may avoid asking the question over and over in a single LyX session, but it will come back the next time they restart LyX and work on such a document.

It'd be nice if we could avoid this "stopping of the proceedings to ask a question." That is bad enough in its own right, and even worse when people can't be expected to give an answer based on knowledge. (The answer will be based on convenience instead: the user wants his PDF NOW. Having LyX stop production to ask questions is only irritating.) A security question is useful in cases where the user can be expected to decide from knowledge. Otherwise, it is a waste of time.

How about solving the problem instead?

In some cases, this might mean working on the converter software, adding a mode/parameter so it won't do anything "dangerous". Similar to how you can disable write18 in LaTeX. Only possible for open source though.

In the general case, make a script (or utility program) that runs the dangerous converter in a chroot, where nothing dangerous can be done. No need for questions then. LyX already puts the document files in a temp directory so the cleanup after a latex run will be easier. chrooting before running a converter means the converter can't overwrite files outside the chroot, which helps quite a bit security-wise.

I hope future LyX won't be asking security questions most people can't answer with any confidence. I might be able to answer such questions; but only if I review the software in question, which I certainly won't have time for.

Helge Hafting

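As an added illustration of the "run the converter in a restricted environment instead of asking" approach argued for above (example code added here, not LyX's own converter machinery, and not from the original thread): a small POSIX shell wrapper. It assumes bubblewrap (bwrap) as an unprivileged stand-in for a root-requiring chroot, and for TeX-based converters it relies on kpathsea's documented openout_any/openin_any settings to keep file reads and writes inside the scratch directory; the caller passes the converter's own no-shell-escape flag (e.g. pdflatex -no-shell-escape). The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not LyX code): run a document converter in a scratch
# directory, refuse inputs that point outside it, confine TeX file I/O to
# that directory, and, where bubblewrap works, add a read-only view of the
# system with no network. Names below are this example's own.
set -eu

# Return 0 if "$2" resolves to a path inside directory "$1", else 1.
# Symlinks and ".." are resolved with pwd -P before the comparison.
path_within() {
    base=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    target=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 1
    target=$target/$(basename "$2")
    case "$target" in
        "$base"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# bwrap may be installed yet unusable (no user namespaces), so probe it.
sandbox_available() {
    command -v bwrap >/dev/null 2>&1 &&
        bwrap --ro-bind / / --unshare-all --die-with-parent -- true >/dev/null 2>&1
}

# Usage: sandboxed_convert <scratchdir> <input> <converter> [args...]
# The input path is appended as the converter's last argument.
# openout_any=p / openin_any=p are kpathsea (texmf.cnf) settings that limit
# TeX's file output and input to the current directory tree; they are
# harmless for non-TeX converters.
sandboxed_convert() {
    workdir=$1; infile=$2; shift 2
    path_within "$workdir" "$infile" || {
        echo "refusing input outside $workdir: $infile" >&2
        return 2
    }
    if sandbox_available; then
        # Read-only root, writable scratch dir only, no network/IPC/PID view.
        set -- bwrap --ro-bind / / --dev /dev --proc /proc \
                     --bind "$workdir" "$workdir" \
                     --unshare-all --die-with-parent --chdir "$workdir" \
                     -- "$@" "$infile"
    else
        # Fallback: no namespace isolation, only cwd + kpathsea confinement.
        set -- "$@" "$infile"
    fi
    ( cd "$workdir" && env openout_any=p openin_any=p "$@" )
}

# Example invocation (TeX converter with shell escape disabled):
#   d=$(mktemp -d); cp doc.tex "$d/"
#   sandboxed_convert "$d" "$d/doc.tex" pdflatex -no-shell-escape -interaction=nonstopmode
if [ "$#" -ge 3 ]; then
    sandboxed_convert "$@"
fi
```

The point of the wrapper is that nothing is asked of the user: a converter that tries to write outside the scratch directory simply fails, whether it is malicious or merely buggy, and the fallback branch makes clear that without a namespace sandbox the protection is only as strong as the converter's own confinement options.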