On 21 July 2017 at 22:12, Scott Kostyshak <skost...@lyx.org> wrote:
> On Tue, Jul 18, 2017 at 11:21:38AM +0200, Jean-Marc Lasgouttes wrote:
>> Le 18/07/2017 à 09:07, Scott Kostyshak a écrit :
>> > I was thinking about it from a different angle. I was only focused on
>> > what I thought was most secure, without even considering usability. As I
>> > mentioned in the thread asking for votes, I believe that we should focus
>> > completely on what is the most secure.
>>
>> Well, what is the most secure is to remove all sweave/gnuplot/minted code.
>> There is no point in looking at security without usability IMO.
>
> I see what you mean and I think most people would agree with your
> interpretation. I was taking the approach more of "under which proposal
> is the user least likely to run malicious code". In your scenario (let's
> remove all sweave/gnuplot/minted code), well sweave users would just
> never upgrade LyX and would lose any security-related improvements and
> would not have any of the protection that needauth provides. For minted
> users, they would have to do the '-shell-escape' dance and would have
> the risk of forgetting that they left a converter permanently changed.
> This is what I mean by "less secure". But I know that I'm thinking about
> things differently from others. I can understand the other perspective
> of security of "if a user uses only built-in LyX with no customizations,
> then they would be less likely to run malicious code". I just think the
> "if" in that statement is concerning.

I think Scott is partly verging towards the topic of types of users
and user scenarios.
IMHO these aspects are quite important factors when discussing
features, security, UI and what to include in software.

What kind of user was I, perhaps the archetypical LyX user:
- Started using LyX while working on my PhD (back in 1997 or so, in
case it matters)
- Did not know LaTeX in advance, thought it might make sense with a
graphical frontend.
- Wrote articles etc in LyX, learned some LaTeX on the way, put stuff
in preamble and some ERT.
- Only added some converters to include TGIF images or something like that.
- Besides LaTeX, I never embedded code in the LyX document
- This user googles to find solutions.
- A more advanced version of this user might start asking question on
the users' list.
- LyX worked really well for what I was doing.


Another kind of user could be the "the supervisor/reviewer".
- The student has a supervisor or colleague that he'd like to review his work
- Only minor editing is expected of the reviewer, perhaps adding comments,
  perhaps fixing an error.
Note: My supervisor got printouts back then IIRC.

Related is the use case when two or more people closely collaborate
on a document.
Perhaps they use version control to work on the same LyX document.
Or keep it on a network drive. Or on e.g. Dropbox. Doing this adds
requirements on LyX.


More advanced user:
- LyX is used to build the main document, perhaps there are child documents.
- Perhaps exporting/publishing to multiple different formats.
- The document pulls in information from external files, e.g.
.tex-files with data.
- However, .tex-files are updated externally to the use of LyX,
  so the user has to manage dependencies etc.

Then we have the kind of user for whom I don't have a name, nor know well:
- Includes LyX deeply in his work flow
- Embeds code to be executed, perhaps repeatedly, in his document
- Using LyX as an IDE to develop his "program"
- ?

Non-user:
- Like my girlfriend, who likes writing in LaTeX
- I tried to get her to use LyX but it didn't take
   - she e.g. didn't like having to go through the menus all the time
     she would've preferred being able to use the keyboard all the time.
     So using plain LaTeX was "easier".
- At some point I should get more details on this.

Perhaps there's more kinds of users?

Anyway, the connection with security and shell-escape etc is that only
one of these kinds of users would likely actually need to use
shell-escape, and that user is probably more capable. OTOH, maybe we
_want_ to make LyX a tool where using e.g. R from within LyX is a
really good experience.

If these categories are reasonable, it'd be interesting to know the
distribution of users.
/Christian

PS. These days I find myself writing work notes in Emacs' org-mode a
lot of the time, why?
- Speed. It's quicker to type/edit in LaTeX.
  Perhaps because LyX's keyboard isn't working so well for me on my
mac with a Swedish keyboard.
- I typically don't need so many formulas. Org-mode is fine for a few
formulas, including images.
- Sometimes I even embed executable code (MATLAB) in my org-mode file.
- Often I don't need pretty output.
- Very convenient with text-based files that work well with version control.
- Perhaps also related that I had to go through five years or so where
  I was forced to write in Word, and it left me damaged.
