On 22/07/2017 at 00:47, Guenter Milde wrote:
On 2017-07-19, Richard Heck wrote:
On 07/19/2017 01:48 AM, Christian Ridderström wrote:
On 18 July 2017 at 23:49, Jean-Marc Lasgouttes <lasgout...@lyx.org> wrote:
     On 18/07/2017 at 23:42, Christian Ridderström wrote:

         I think the default should be secure, and that the user should
         have to do something actively to go into a dangerous mode.


     Well, since you consider that turning off two options is not
     active enough, I am not sure what to propose :)


The problem I see with only unchecking two check boxes is, e.g.:
- Users uncheck settings all the time; it doesn't seem very "scary".
- In the settings dialog, the real implications of unchecking these
   options did not seem sufficiently clear to me.
   So calling it "Allow yourself to be shot in the foot by converters"
   would help ;-)
- The setting is persistent, and easily forgotten.

This, I believe, was part of what was addressed by Enrico's patch. Or
the idea behind it.

Enrico's patch did not touch "needauth" but has some nice features for
"shell-escape":

+1

it addressed the "set and forget" issue by

a) adding a red icon to the status bar if a document has the "allow
    shell-escape" flag.

+1

b) revoking the permission, if the document is moved/copied to another
    location.

I like the principle, but I wonder whether this will cause annoyances
for files on removable filesystems.

I like the approach, especially b) seems a good compromise between user
comfort and security.

From a user perspective, a common interface to "needauth" and "allow
shell escape" seems the best. "needauth" could actually take advantage of
Enrico's patch.

+1


Some ideas:

* Add "unsafe pdflatex" (== pdflatex --shell-escape) and "unsafe xelatex"
   as new converters requiring "needauth".

* Allow per-converter permission settings (instead of one generic: "I
   trust/don't trust all unsafe converters").

+1


* Clicking the red icon should take you to the dialogue that allows
   revoking the unsafe permission.

+1

* Give users the possibility to check scripts before allowing them to run
   with shell-escape, or at least list all parts of the document that will be
   allowed to run in unsafe mode
   (e.g. all gnuplot scripts for "gnuplot allowed"; all ERT, preamble,
   document classes and packages for latex with shell escape).


I like the idea, though for shell-escape this becomes more complicated.


* I also like the error dialog when -shell-escape has been configured
without needauth, for legacy configurations. (The specific wording can
be discussed later on.)

* Like Jean-Marc, I would prefer if the -shell-escape option was not
hardcoded, but integrated with needauth and the full command-line
visible in the converters dialog in some way. For instance a new token
$$unsafe together with a per-converter checkbox to allow its replacement
by whatever unsafe option.

* One has to decide which suggestions are needed for 2.3 and which ones
can be implemented later.


On the negative side, the patch does not address the original issues:
* The limitations of needauth in the context of adding new converters
such as gnuplot (the patch is only about -shell-escape),
* Having to use -shell-escape for running Pygments.


I would also be more comfortable if somebody takes responsibility for
any patch that is to be committed, given that the author has said that
they do not endorse it.


Guillaume
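To make the per-converter proposal discussed above concrete (a $$unsafe token expanded only under a per-converter grant, needauth refusing to run without one, idea b)'s revocation when the document moves, what the red status icon would report, and the error for a legacy configuration with -shell-escape hardcoded without needauth), here is an added Python model of that policy. It is illustrative code written for this thread, not LyX's implementation; the Converter and Document classes, build_command and the file paths are all assumptions.

```python
import re
import shlex
from dataclasses import dataclass, field

UNSAFE_TOKEN = "$$unsafe"
HARDCODED_UNSAFE = re.compile(r"(^|\s)-{1,2}shell-escape(\s|$)")


@dataclass
class Converter:
    name: str
    command: str            # template: $$i is the input file, $$unsafe the optional unsafe flag
    unsafe_flag: str = ""   # what $$unsafe expands to once the user has granted permission
    needauth: bool = False

    def __post_init__(self):
        # Legacy configuration check: -shell-escape hardcoded without needauth is an error.
        if HARDCODED_UNSAFE.search(self.command) and not self.needauth:
            raise ValueError(f"{self.name}: -shell-escape hardcoded without needauth")


@dataclass
class Document:
    path: str
    grants: dict = field(default_factory=dict)  # converter name -> path where granted

    def grant(self, converter: str) -> None:
        self.grants[converter] = self.path

    def revoke(self, converter: str) -> None:
        self.grants.pop(converter, None)

    def move_to(self, new_path: str) -> None:
        # Idea b): moving or copying the document elsewhere drops every unsafe permission.
        self.path = new_path
        self.grants.clear()

    def unsafe_converters(self) -> list:
        # What the red status-bar icon would report: converters currently allowed to run unsafe.
        return sorted(c for c, p in self.grants.items() if p == self.path)


def build_command(conv: Converter, doc: Document) -> list:
    # A grant only counts while the document still sits where the grant was given.
    permitted = doc.grants.get(conv.name) == doc.path
    if conv.needauth and not permitted:
        raise PermissionError(f"{conv.name} needs per-document authorisation")
    unsafe = conv.unsafe_flag if permitted else ""   # no grant: $$unsafe expands to nothing
    cmd = conv.command.replace(UNSAFE_TOKEN, unsafe).replace("$$i", shlex.quote(doc.path))
    return shlex.split(cmd)
```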
