On Mon, Jul 17, 2017 at 12:10:31AM +0200, Christian Ridderström wrote:

> On 16 July 2017 at 22:45, Jean-Marc Lasgouttes <lasgout...@lyx.org> wrote:
> 
> > What I mean is that my absolute priority these days is to have 2.3.0 out.
> 
> 
> Fully understood.
> 
> 
> > The cleanups I proposed were chosen to have a minimal effect on release
> > date. Anything that requires too much thinking is a bit too much for me.
> > Currently minted and hyphen are blocking us, and we should work towards
> > solving this (even though these are touchy subjects).
> 
> 
> I just went through a large chunk of the minted postings and I still don't
> have a clear idea about my preference, and I'm therefore not sure what to
> write that'd contribute.
> 
> I'm generally inclined towards security and backwards compatibility.
> Perhaps it's because I experienced a directed attack at a previous
> workplace. Or perhaps it's an occupational hazard from previously working
> with satellite software as e.g. verification and validation manager. But
> even for that SW we took into account if there was an urgent and necessary
> need for e.g. intermediate release, assuming we had a realistic plan for
> fixing issues in a coming release.
> 
> For minted/hyphen, I'm e.g. not clear on the need for the features. The
> minted thing seems more optional, whereas the hyphen thing seems like a
> blocker. I haven't read the hyphen stuff yet, but my baseline is that I'd
> really hate it if I wasn't able to compile documents I wrote a long time
> ago.
> 
> Security scenarios/threat models for minted could be expanded upon. I mean
> that these days it's not just about me creating and editing my own
> document, instead authors collaborate and share the documents via e-mail
> and Dropbox etc. Theoretically some agency could intercept the document in
> transit and inject malicious code that they hope you'll execute on your
> computer. Further, you might not be the direct target and instead it's
> someone whose computer is on the same network as you. For instance, I've
> seen research papers from a Swedish defence research institute written in
> LaTeX, or perhaps LyX, who knows. But if it was LyX then it could well be
> worth it for an adversary (Russia..) to compromise that author's computer.
> I'd better stop writing now.

Dear Christian,

I see that the operated obfuscation of issues is working with you.
At the moment, there is no security problem with minted. On the contrary
there is a big question about security of features that were either
present or recently introduced. Of course, it was the ability by which
these questions were treated that led you to think that the problem
is minted, specifically, while it is not. ATM, in no way can you risk
something if you decide to use minted. You would have to know what to
change in the preferences for taking that risk. On the contrary, when
using one of the above mentioned features, the risk is at the tip of
a mouse click. So, please, stop with these FUD strategies (not directed
at you, of course) aimed at producing these results, namely muddying the
waters to confuse those who don't have a clear view of the matter.

-- 
Enrico
