On 19/07/2017 at 16:59, Richard Heck wrote:
On 07/19/2017 02:22 AM, Christian Ridderström wrote:
Hi,

When having tried to contribute to the discussion on needauth and
shell-escape I've felt that it's quite difficult to get a good picture
of things like:
- Goals of design, what are we trying to achieve
- Principle of design and system
- Assumed threat models, and perhaps list threat scenarios we _don't_
try to protect against

The e-mail threads are ... long, sometimes confusing and I suspect
contain at least a few misunderstandings.  So I would like to ask
(not being optimistic), if there's some design description anywhere?

No, as usual, there is not. The needauth mechanism was developed by
Tommaso in response to security worries about certain sorts of
converters, e.g., the ones for R and related worries about the use of
gnuplot. (It may have been the latter that got him interested.) Once
that was on board, Enrico decided to employ at least a somewhat similar
mechanism to support minted.sty, and for whatever reason, that set off
alarm bells which, in retrospect, should have gone off earlier. So we
find ourselves in the middle of things.

Richard



Yes Richard, (smaller) alarm bells could have gone off a month earlier
if I had paid attention to the gnuplot discussion. They went off when
Scott explicitly asked about extending the use of needauth, and it did
not seem to have changed the course of things.

For 2.3 Scott chose to ask "what can we do for LyX to be the safest?"
rather than the obvious solution to get beta out. I find it reasonable
and a worthwhile time investment.

Guillaume
