Re: qt4/Makefile.am patch from #10711

2017-06-27 Thread Jean-Marc Lasgouttes
On 26/06/2017 at 01:47, Scott Kostyshak wrote: Does anyone feel comfortable pushing the patch recently posted at the following trac issue? https://www.lyx.org/trac/ticket/10711 I did that now. I think we can backport it too. JMarc

Re: Can shell-escape take advantage of needauth framework?

2017-06-27 Thread Guillaume MM
Hi Scott, On 25/06/2017 at 22:41, Scott Kostyshak wrote: Judging by the comments of gpoore, we do not want to wait for this for 2.3.0. But this does affect the discussion of what to do for 2.3.0, since we might not want to introduce a workflow in 2.3.0 that we will change soon after. I

Re: Integrate Pdfium

2017-06-27 Thread Jean-Marc Lasgouttes
On 27/06/2017 at 11:26, Tim Hutt wrote: After having Lyx on OSX fail to load PDF previews for the Nth time the thought occurs that relying on third party command line tools like ImageMagick and Ghostscript, or even sips (which I believe is the 'fix') is horribly fragile and there is a better

Re: trac login link does not use https by default

2017-06-27 Thread Scott Kostyshak
On Mon, Jun 26, 2017 at 10:32:29AM +0200, Jean-Marc Lasgouttes wrote: > On 25/06/2017 at 22:23, Scott Kostyshak wrote: > > To reproduce, go to: > > > > http://www.lyx.org/trac > > > > Then click on "login". The connection for entering your login and > > password is not secure. > > > >

Re: Can shell-escape take advantage of needauth framework?

2017-06-27 Thread Scott Kostyshak
On Tue, Jun 27, 2017 at 03:33:12PM +0200, Guillaume MM wrote: > Hi Scott, > > On 25/06/2017 at 22:41, Scott Kostyshak wrote: > > > > Judging by the comments of gpoore, we do not want to wait for this for > > 2.3.0. But this does affect the discussion of what to do for 2.3.0, > > since we might

Re: allowing anonymous contributions to LyX's source code?

2017-06-27 Thread Scott Kostyshak
On Mon, Jun 26, 2017 at 02:16:26PM -0400, Richard Heck wrote: > On 06/26/2017 11:40 AM, Christian Ridderström wrote: > > > > On 26 June 2017 at 10:31, Jean-Marc Lasgouttes > > wrote: > > > > From time to time, we receive patches from people

Re: Minted example not displaying in pdf anymore

2017-06-27 Thread Scott Kostyshak
On Tue, Jun 27, 2017 at 01:35:19AM +0200, Kornel Benko wrote: > On Monday, 26 June 2017 at 23:46:32, Enrico Forestieri wrote > > > On Mon, Jun 26, 2017 at 01:51:08AM +0200, Enrico Forestieri wrote: > > > On Sun, Jun 25, 2017 at 04:24:18PM -0400, Scott Kostyshak wrote: > > > >

Re: allowing anonymous contributions to LyX's source code?

2017-06-27 Thread Joel Kulesza
On Tue, Jun 27, 2017 at 1:00 PM, Scott Kostyshak wrote: > > Does anyone disagree with this policy? Should they send their email to > one/two LyX developers or to develop...@lyx.org? I would recommend develop...@lyx.org to avoid pie truck incidents or developer internal

Re: Can shell-escape take advantage of needauth framework?

2017-06-27 Thread Enrico Forestieri
On Tue, Jun 27, 2017 at 03:00:37PM -0400, Scott Kostyshak wrote: > On Tue, Jun 27, 2017 at 03:33:12PM +0200, Guillaume MM wrote: > > > > I find that the enhancement request came in a bit late in the 2.3 > > release process for such a sensitive issue, and that 2.3 already > > improves the

Re: allowing anonymous contributions to LyX's source code?

2017-06-27 Thread Jean-Marc Lasgouttes
The list is closed to outsiders indeed. We could open it, but we do not want it to be used as another lyx-devel. I think that the developer that received the information can forward the information to develop...@lyx.org if needed. I am not convinced though that there is a pressing need to carve

Re: allowing anonymous contributions to LyX's source code?

2017-06-27 Thread Pavel Sanda
Scott Kostyshak wrote: > I would like to clarify this in the Development.lyx manual. Does anyone > disagree with the following policy? > > If a contributor of a patch would like to remain anonymous, our > policy is that they can reveal their identity privately to a LyX > developer.

Re: Can shell-escape take advantage of needauth framework?

2017-06-27 Thread Tommaso Cucinotta
On 20/06/2017 02:43, Guillaume MM wrote: One must look at the big picture and see that adding an authorization mechanism for arbitrary execution of commands is absurd when its sole purpose is to call an external tool from within LaTeX. needauth was an urgently needed mitigation of the security

searching lyx stuff on Google

2017-06-27 Thread Tommaso Cucinotta
Hi, I was sure we had a wiki page on lyx.org about security issues and the need for hardening LyX against potential misuse, due to the risks in running external tools, write18{}, shell-escape, gnuplot / R / knitr et al., but perhaps I can't really remember. However, I struggled in finding

Re: Can shell-escape take advantage of needauth framework?

2017-06-27 Thread Enrico Forestieri
On Tue, Jun 27, 2017 at 11:45:56PM +0200, Tommaso Cucinotta wrote: > On 20/06/2017 02:43, Guillaume MM wrote: > > One must look at the > > big picture and see that adding an authorization mechanism for arbitrary > > execution of commands is absurd when its sole purpose is to call an > > external

Re: Can shell-escape take advantage of needauth framework?

2017-06-27 Thread Enrico Forestieri
On Tue, Jun 27, 2017 at 03:00:37PM -0400, Scott Kostyshak wrote: > On Tue, Jun 27, 2017 at 03:33:12PM +0200, Guillaume MM wrote: > > > > I find that the enhancement request came in a bit late in the 2.3 > > release process for such a sensitive issue, and that 2.3 already > > improves the situation

Re: Can shell-escape take advantage of needauth framework?

2017-06-27 Thread Tommaso Cucinotta
On 28/06/2017 00:02, Enrico Forestieri wrote: ...and those converters can execute arbitrary commands, just to be sure, I just double-checked that on current trunk, without any settings in one's ~/.lyx/, the default behavior will be "Forbid use of needauth converters", so any of those

Re: Can shell-escape take advantage of needauth framework?

2017-06-27 Thread Enrico Forestieri
On Wed, Jun 28, 2017 at 12:25:58AM +0200, Tommaso Cucinotta wrote: > On 28/06/2017 00:02, Enrico Forestieri wrote: > > ...and those converters can execute > > arbitrary commands, > > just to be sure, I just double-checked that on current trunk, without any > settings in one's ~/.lyx/, the default

Trac login design is broken.

2017-06-27 Thread Tim Hutt
1. Try to login with my usual username & password system. 2. Fails 3. Hmm I guess I forgot my password. 4. Enter username and email into the "Forgot my password" page. "The email and username do not match a known account." Ok what. That's stupid. You should only need the email address to reset

Re: Can shell-escape take advantage of needauth framework?

2017-06-27 Thread Enrico Forestieri
On Tue, Jun 27, 2017 at 03:33:12PM +0200, Guillaume MM wrote: > > I find that the enhancement request came in a bit late in the 2.3 > release process for such a sensitive issue, and that 2.3 already > improves the situation with the needauth mechanism. So, if we conclude > that an implementation

Re: Trac login design is broken.

2017-06-27 Thread Kornel Benko
On Tuesday, 27 June 2017 at 10:19:45, Tim Hutt wrote > 1. Try to login with my usual username & password system. > 2. Fails > 3. Hmm I guess I forgot my password. > 4. Enter username and email into the "Forgot my password" page. > > "The email and username do not match a

Integrate Pdfium

2017-06-27 Thread Tim Hutt
After having Lyx on OSX fail to load PDF previews for the Nth time the thought occurs that relying on third party command line tools like ImageMagick and Ghostscript, or even sips (which I believe is the 'fix') is horribly fragile and there is a better way. Why not integrate Pdfium into Lyx? It's

Re: allowing anonymous contributions to LyX's source code?

2017-06-27 Thread Richard Heck
On 06/27/2017 08:36 PM, Scott Kostyshak wrote: > On Tue, Jun 27, 2017 at 11:41:55PM +0200, Pavel Sanda wrote: >> Scott Kostyshak wrote: >>> I would like to clarify this in the Development.lyx manual. Does anyone >>> disagree with the following policy? >>> >>> If a contributor of a patch would

Re: allowing anonymous contributions to LyX's source code?

2017-06-27 Thread Joel Kulesza
On Tue, Jun 27, 2017 at 7:24 PM, Richard Heck wrote: > > It's come up more than once, so I think it's worth writing down what > we've decided. Obviously, we can revisit the issue any time we like. But > we won't have to re-discuss it every time. This is why I'd like to see the

Re: allowing anonymous contributions to LyX's source code?

2017-06-27 Thread Scott Kostyshak
On Tue, Jun 27, 2017 at 11:36:27PM +0200, Jean-Marc Lasgouttes wrote: > I think that the developer that received the information can forward the > information to develop...@lyx.org if needed. This makes sense. > I am not convinced though that there is a pressing need to carve these things >

Re: allowing anonymous contributions to LyX's source code?

2017-06-27 Thread Scott Kostyshak
On Tue, Jun 27, 2017 at 11:41:55PM +0200, Pavel Sanda wrote: > Scott Kostyshak wrote: > > I would like to clarify this in the Development.lyx manual. Does anyone > > disagree with the following policy? > > > > If a contributor of a patch would like to remain anonymous, our > > policy is