Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Scott Kostyshak
On Mon, Jul 17, 2017 at 07:14:07AM +0200, Guillaume MM wrote: > On 05/07/2017 at 06:54, Scott Kostyshak wrote: > > On Wed, Jun 28, 2017 at 02:37:41PM +0200, Guillaume MM wrote: > > > On 27/06/2017 at 21:00, Scott Kostyshak wrote: > > > > > > > > Where I > > > > think there is disagreement is

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Scott Kostyshak
On Mon, Jul 17, 2017 at 06:55:14AM +0200, Guillaume MM wrote: > Hi Scott, > > Sorry for the delay. I was very busy over the past > two weeks. No problem. > On 05/07/2017 at 06:54, Scott Kostyshak wrote: > > On Wed, Jun 28, 2017 at 02:36:49PM +0200, Guillaume MM wrote: > > > On 27/06/2017 at

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Scott Kostyshak
On Mon, Jul 17, 2017 at 02:14:39PM +0200, Enrico Forestieri wrote: > On Mon, Jul 17, 2017 at 07:14:07AM +0200, Guillaume MM wrote: > > > > But besides that I agree with your suggestions. Thanks again for > > spending your time looking into this issue with so much care. > > Yes, it seems that

Re: Different LaTeX output when exporting than when previewing

2017-07-18 Thread Guenter Milde
On 2017-07-03, Scott Kostyshak wrote: > On Mon, Jul 03, 2017 at 03:02:31PM +0200, Jean-Marc Lasgouttes wrote: >> On 29/05/2017 at 18:06, Scott Kostyshak wrote: >> > If I do the above several times, I eventually get: >> > 3c3 >> > < >> >

Re: [LyX/master] Preferences shows current zoom instead of preference's default zoom (#10455)

2017-07-18 Thread Scott Kostyshak
On Sun, May 07, 2017 at 02:18:41PM +0200, Guillaume MM wrote: > commit 4183a9f4dc9bc0893fc59cd7e31db9bc7e52eea9 > Author: Daniel Ramöller > Date: Sat Oct 29 10:28:34 2016 +0200 > > Preferences shows current zoom instead of preference's default zoom > (#10455) > > -

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Enrico Forestieri
On Tue, Jul 18, 2017 at 03:06:57AM -0400, Scott Kostyshak wrote: > On Mon, Jul 17, 2017 at 02:14:39PM +0200, Enrico Forestieri wrote: > > On Mon, Jul 17, 2017 at 07:14:07AM +0200, Guillaume MM wrote: > > > > > > But besides that I agree with your suggestions. Thanks again for > > > spending your

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Scott Kostyshak
On Sun, Jul 16, 2017 at 11:21:16PM +0200, Enrico Forestieri wrote: > Look, some people don't want to use listings and prefer minted. > External templates and modules for using minted have been proposed. > Thus, minted is used and people know how to deal with it. Now they > don't have to use ERT

Re: [LyX/master] Update fr.po for beta

2017-07-18 Thread Scott Kostyshak
On Mon, Jul 17, 2017 at 03:19:56PM +0200, Pavel Sanda wrote: > Jean-Marc Lasgouttes wrote: > > On 16/07/2017 at 20:53, Scott Kostyshak wrote: > >> I don't have svn commit privileges. Also, I don't actually know how to > >> use svn. > > > > Do you want svn privileges? Do you want to learn some

Re: Cleanup before 2.3.0?

2017-07-18 Thread Scott Kostyshak
On Mon, Jul 17, 2017 at 12:10:31AM +0200, Christian Ridderström wrote: > I just went through a large chunk of the minted postings and I still don't > have a clear idea about my preference, and I'm therefore not sure what to > write that'd contribute. > > I'm generally inclined towards security

Re: Cleanup before 2.3.0?

2017-07-18 Thread Scott Kostyshak
On Mon, Jul 17, 2017 at 12:48:34AM +0200, Enrico Forestieri wrote: > ATM, in no way you can risk > something if you decide to use minted. You would have to know what to > change in the preferences for taking that risk. On the contrary, when > using one of the above mentioned features, the risk is

Re: Silent/automatic execution of converter and needauth, concrete questions to clarify my understanding

2017-07-18 Thread Scott Kostyshak
On Mon, Jul 17, 2017 at 11:53:38PM +0200, Christian Ridderström wrote: > A) In LyX 2.2.x, if I open the document, no "converters" are executed. But > when I attempt to generate the PDF, the document could via e.g. 'R' execute > arbitrary code on my computer, as if it were my user account. And

Re: Cleanup before 2.3.0?

2017-07-18 Thread Guenter Milde
On 2017-07-15, Christian Ridderström wrote: > On 7 July 2017 at 04:37, Scott Kostyshak wrote: >> > What do others think? >> ^ If you get support from other LyX devs, and you are willing to take >> care of everything, then I'm fine with it. My only other criterion is >> that I

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Jean-Marc Lasgouttes
On 18/07/2017 at 09:07, Scott Kostyshak wrote: Once it is in, then it has to be supported forever, I believe there is an agreement about this. I wouldn't say this in absolute terms, but I would agree that there's lots of hesitation before removing a feature, and that hesitation only

Re: [LyX/master] Add some notes on forward/reverse search with evince.

2017-07-18 Thread Jürgen Spitzmüller
On Monday, 17.07.2017, 19:35 +0200, Jürgen Spitzmüller wrote: > No copyright issues. The scripts are GPL-licensed. And they are > written > in Python ;-) Except for one (a bash script). But it would be easy to rewrite this one in python as well. Jürgen

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Jean-Marc Lasgouttes
On 18/07/2017 at 09:07, Scott Kostyshak wrote: I was thinking about it from a different angle. I was only focused on what I thought was most secure, without even considering usability. As I mentioned in the thread asking for votes, I believe that we should focus completely on what is the most

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Jürgen Spitzmüller
On Tuesday, 18.07.2017, 15:39 +0200, Jean-Marc Lasgouttes wrote: > Why not, maybe along with the names of the converters (features) > Sweave/gnuplot/minted present in current document and accepted by the > user. I would add a verbose tooltip when hovering the icon, something like '''

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Jean-Marc Lasgouttes
On 18/07/2017 at 15:35, Jürgen Spitzmüller wrote: https://commons.wikimedia.org/wiki/Tango_icons#/media/File:Emblem-important-red.svg Why not, maybe along with the names of the converters (features) Sweave/gnuplot/minted present in current document and accepted by the user. JMarc

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Enrico Forestieri
On Tue, Jul 18, 2017 at 11:32:14AM +0200, Guillaume MM wrote: > On 17/07/2017 at 16:25, Richard Heck wrote: > > > > If I read JMarc's messages properly, then he also agrees that the > > security issues are essentially the same. That also seems right to me. > > Hi Richard, > > > I did not

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Pavel Sanda
Enrico Forestieri wrote: > On Tue, Jul 18, 2017 at 12:57:24PM +0200, Kornel Benko wrote: > > you have good and valid arguments. But don't you see how insulting some of > > your mails are? > > No, I actually don't. And I apologize if it may seem so. It unfortunately seems so :( Pavel

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Guillaume MM
On 18/07/2017 at 09:07, Scott Kostyshak wrote: On the contrary, if preview never uses needauth converters, is it as useful in cases like gnuplot? By "it" do you mean the external template? Yes Once it is in, then it has to be supported forever, I believe there is an agreement about this.

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Guillaume MM
On 17/07/2017 at 16:25, Richard Heck wrote: If I read JMarc's messages properly, then he also agrees that the security issues are essentially the same. That also seems right to me. Hi Richard, I did not reply to Jean-Marc, so I'll say here that I too agree with what he wrote at

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Kornel Benko
On Tuesday, 18 July 2017 at 12:01:19, Enrico Forestieri wrote > > (About the personal attacks: I mean to write about it at a later point > > in time. If I have not been replying to Enrico, this does not mean that > > I do not see his messages.) > > Dear Guillaume, > > you

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Enrico Forestieri
On Tue, Jul 18, 2017 at 12:57:24PM +0200, Kornel Benko wrote: > > Dear Enrico, > you have good and valid arguments. But don't you see how insulting some of > your mails are? No, I actually don't. And I apologize if it may seem so. -- Enrico

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Enrico Forestieri
On Tue, Jul 18, 2017 at 01:28:38PM +0200, Pavel Sanda wrote: > Enrico Forestieri wrote: > > On Tue, Jul 18, 2017 at 12:57:24PM +0200, Kornel Benko wrote: > > > you have good and valid arguments. But don't you see how insulting some of > > > your mails are? > > > > No, I actually don't. And I

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Jean-Marc Lasgouttes
On 18/07/2017 at 14:26, Jürgen Spitzmüller wrote: On Monday, 17.07.2017, 15:18 +0200, Enrico Forestieri wrote: I think the most effective was the one that allowed to add -shell-escape to selected documents with the possibility of revoking this permission. There was an icon indicating

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Jürgen Spitzmüller
On Tuesday, 18.07.2017, 14:58 +0200, Jean-Marc Lasgouttes wrote: > As I wrote elsewhere, I am for this solution in the status bar, as > long > as it is really visible (I was about to propose a blinking red box, > but > that would be a bit too cheesy). Something such as this would do IMHO:

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Jürgen Spitzmüller
On Monday, 17.07.2017, 15:18 +0200, Enrico Forestieri wrote: > I think the most effective was the one that allowed to > add -shell-escape to selected documents with the possibility of > revoking > this permission. There was an icon indicating this fact and clicking > it > one could revoke

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Pavel Sanda
Enrico Forestieri wrote: > On Tue, Jul 18, 2017 at 01:28:38PM +0200, Pavel Sanda wrote: > > Enrico Forestieri wrote: > > > On Tue, Jul 18, 2017 at 12:57:24PM +0200, Kornel Benko wrote: > > > > you have good and valid arguments. But don't you see how insulting some > > > > of > > > > your mails

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Pavel Sanda
Pavel Sanda wrote: >b) have minted & needauth, but drop it once we can (and I would propose .. by "it" I mean needauth .. > > Pavel

Re: [LyX/master] Add some notes on forward/reverse search with evince.

2017-07-18 Thread Jürgen Spitzmüller
On Tuesday, 18.07.2017, 09:31 +0200, Jürgen Spitzmüller wrote: > No copyright issues. The scripts are GPL-licensed. And they are > > written > > in Python ;-) > > Except for one (a bash script). But it would be easy to rewrite this > one in python as well. I've done a (rough) conversion of

Living with shell-escape: Using two LyX instances - critique invited

2017-07-18 Thread Christian Ridderström
Hi, If I had to use a converter that requires e.g. shell-escape perhaps the approach below would be useful. What problems do you see with it? 1) Use two lyx user directories, one standard and one "dangerous", with converters using shell-escape only in the dangerous lyx. 2) Create a tiny shell

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Christian Ridderström
On 18 July 2017 at 11:32, Guillaume MM wrote: > Once it is in, then it >>> has to be supported forever, I believe there is an agreement about this. >>> >> >> I wouldn't say this in absolute terms, but I would agree that there's >> lots of hesitation before removing a feature, and

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Christian Ridderström
On 18 July 2017 at 21:15, Jean-Marc Lasgouttes wrote: > On 18/07/2017 at 19:46, Christian Ridderström wrote: > >> I just did a test with gnuplot. In the LyX settings I had unchecked >> 'Forbid of use of needauth converters' and unchecked 'Use needauth option'. >> Then I

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Enrico Forestieri
On Tue, Jul 18, 2017 at 05:03:52PM +0200, Pavel Sanda wrote: > > After reading all the thread now, would you call the position below > hypocritical? > > 1. I do not like needauth mechanism much, but I don't see better way how to >allow advanced users to work with knitr/gnuplot without too

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Jean-Marc Lasgouttes
On 18/07/2017 at 19:46, Christian Ridderström wrote: I just did a test with gnuplot. In the LyX settings I had unchecked 'Forbid of use of needauth converters' and unchecked 'Use needauth option'. Then I opened a LyX doc with a gnuplot script. Result: LyX tried to run the script due to the

Errors with vref on de/Additional.lyx with lualatex

2017-07-18 Thread Kornel Benko
Hi, apart from the missing glyphs errors at using \textcompwordmark (which I 'solved' by using \renewcommand{\textcompwordmark}{\vphantom{}} in preamble) there is also error with the system font 'FreeSerif,FreeSans,FreeMono' when exporting to PDF(luatex) !Package varioref Error: \vref at

[macOS] Behaviour when using an absolute path when doing save as

2017-07-18 Thread Christian Ridderström
Hi, I just noticed a minor thing, and perhaps fully due to Qt and/or macOS. Steps to reproduce: - Start new document - Place '/tmp/test.lyx' into your copy buffer - Press 'Save' (Cmd-S) - Paste filename from copy buffer, i.e. /tmp/test.lyx Expected result: I expected the file to be saved as

Re: Living with shell-escape: use a separate converter

2017-07-18 Thread Guenter Milde
On 2017-07-18, Christian Ridderström wrote: > If I had to use a converter that requires e.g. shell-escape perhaps the > approach below would be useful. What problems do you see with it? > 1) Use two lyx user directories, one standard and one "dangerous", with > converters using shell-escape only

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Jean-Marc Lasgouttes
On 18/07/2017 at 23:24, Christian Ridderström wrote: The threat model is one important aspect, but it's difficult for us to know who uses LyX and in which industries. Or how many users there are at all. And how many of them that use converters. If we can achieve good security we don't need

Re: Living with shell-escape: Using two LyX instances - critique invited

2017-07-18 Thread Guillaume MM
On 18/07/2017 at 21:29, Christian Ridderström wrote: Hi, If I had to use a converter that requires e.g. shell-escape perhaps the approach below would be useful. What problems do you see with it? 1) Use two lyx user directories, one standard and one "dangerous", with converters using

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Guillaume MM
On 18/07/2017 at 23:27, Jean-Marc Lasgouttes wrote: On 18/07/2017 at 23:24, Christian Ridderström wrote: The threat model is one important aspect, but it's difficult for us to know who uses LyX and in which industries. Or how many users there are at all. And how many of them that use

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Christian Ridderström
On 18 July 2017 at 22:09, Jean-Marc Lasgouttes wrote: > On 18/07/2017 at 21:50, Christian Ridderström wrote: > >> That you argue this way makes me sad.. and embarrassed/ashamed on behalf >> of the project. I could counter all your points in the paragraph above, >> but I

Re: Options for resolving the minted + shell-escape issue

2017-07-18 Thread Richard Heck
On 07/18/2017 09:56 AM, Jürgen Spitzmüller wrote: > On Tuesday, 18.07.2017, 15:39 +0200, Jean-Marc Lasgouttes wrote: >> Why not, maybe along with the names of the converters (features) >> Sweave/gnuplot/minted present in current document and accepted by the >> user. > I would add a verbose

Re: Can shell-escape take advantage of needauth framework?

2017-07-18 Thread Jean-Marc Lasgouttes
On 18/07/2017 at 21:50, Christian Ridderström wrote: That you argue this way makes me sad.. and embarrassed/ashamed on behalf of the project. I could counter all your points in the paragraph above, but I worry it's a waste of time and to be perfectly honest I'm a little too upset right now

Re: [LyX/master] Overtake layout translations from fi.po, ja.po, zh_CN.po

2017-07-18 Thread Jari-Matti Mäkelä
Fri, 09 Jun 2017 20:30:07 +0200 Kornel Benko wrote: > At least 'make translations1' works. No, I did not so far. The changes > are because of the fi.po.patch from Jari-Matti Mäkelä. > Again, he should be asked if the new translation are OK for pdf. > But, as I see it, I would

Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

2017-07-18 Thread Christian Ridderström
On 18 July 2017 at 23:49, Jean-Marc Lasgouttes wrote: > On 18/07/2017 at 23:42, Christian Ridderström wrote: > >> I think the default should be secure, and that the user should have to do >> something actively to go into a dangerous mode. >> > > Well, since you consider

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

2017-07-18 Thread Richard Heck
On 07/19/2017 01:48 AM, Christian Ridderström wrote: > > On 18 July 2017 at 23:49, Jean-Marc Lasgouttes > wrote: > > On 18/07/2017 at 23:42, Christian Ridderström wrote: > > I think the default should be secure, and that the user