Re: Options for resolving the minted + shell-escape issue

2017-07-19 Thread Enrico Forestieri
On Wed, Jul 19, 2017 at 10:58:44AM -0400, Richard Heck wrote: > > Thanks for this, Enrico. Let me just ask one question about it: Is the > mechanism here per-document > or per-document and also per-converter? This only addresses particular converters, i.e., the latex backends. > That is,

Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-19 Thread Christian Ridderström
Hi, When having tried to contribute to the discussion on needauth and shell-escape I've felt that it's quite difficult to get a good picture of things like: - Goals of design, what are we trying to achieve - Principle of design and system - Assumed threat models, and perhaps list threat scenarios

Re: Options for resolving the minted + shell-escape issue

2017-07-19 Thread Jürgen Spitzmüller
> > But I'd make one more suggestion: Every time a user opens a > document for which this > sort of thing will be enabled, we pop a warning before we do anything. > I.e., we do NOT just run > gnuplot in the background, but we say something like what Jürgen had > above, with buttons offering >

Re: Can shell-escape take advantage of needauth framework?

2017-07-19 Thread Pavel Sanda
Christian Ridderström wrote: > I just did a test with gnuplot. In the LyX settings I had unchecked 'Forbid > of use of needauth converters' and unchecked 'Use needauth option'. Then I > opened a LyX doc with a gnuplot script. Result: LyX tried to run the script > due to the preview, without asking

Re: Living with shell-escape: Using two LyX instances - critique invited

2017-07-19 Thread Guenter Milde
On 2017-07-18, Guillaume MM wrote: > On 18/07/2017 at 21:29, Christian Ridderström wrote: >> If I had to use a converter that requires e.g. shell-escape perhaps the >> approach below would be useful. [...] ... > I find that it would be more cumbersome and error-prone than a good > needauth

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

2017-07-19 Thread Pavel Sanda
Christian Ridderström wrote: > - Users uncheck settings all the time, it doesn't seem very "scary" > > Why does disabling something like needauth have to be done from within LyX? ... as I read through the list I see we come to similar conclusions ... I don't have a strong opinion about these.

Re: [LyX/master] We have new translation which slipped through the cracks.

2017-07-19 Thread Pavel Sanda
Pavel Sanda wrote: > commit cd7b1dad6713e0dba2b90e7757fce5b0ca8e > Author: Pavel Sanda > Date: Wed Jul 19 13:36:06 2017 +0200 > > We have new translation which slipped through the cracks. Scott, I am sorry I did not catch that before. If/when you will be sending the

Re: [LyX/master] We have new translation which slipped through the cracks.

2017-07-19 Thread Jürgen Spitzmüller
2017-07-19 14:17 GMT+02:00 Jürgen Spitzmüller : > > But we have the situation now that we output different strings for the > list of listings heading, depending on whether we use minted or listings > ("Listings" vs. "List of Listings"). > OTOH I see now that this is how they are

Re: [LyX/master] Overtake layout translations from fi.po, ja.po, zh_CN.po

2017-07-19 Thread Pavel Sanda
Pavel Sanda wrote: > Kornel Benko wrote: > > On Wednesday, 19 July 2017 at 05:58:29, Jari-Matti Mäkelä wrote > > > > > Fri, 09 Jun 2017 20:30:07 +0200 > > > Kornel Benko wrote: > > > > > > > At least 'make translations1' works. No, I did not so far. The

Re: [LyX/master] We have new translation which slipped through the cracks.

2017-07-19 Thread Jürgen Spitzmüller
2017-07-19 13:51 GMT+02:00 Pavel Sanda : > Pavel Sanda wrote: > > commit cd7b1dad6713e0dba2b90e7757fce5b0ca8e > > Author: Pavel Sanda > > Date: Wed Jul 19 13:36:06 2017 +0200 > > > > We have new translation which slipped through the cracks. > > Scott, I am

Re: Errors with vref on de/Additional.lyx with lualatex

2017-07-19 Thread Kornel Benko
On Wednesday, 19 July 2017 at 19:48:49, Guenter Milde wrote > On 2017-07-19, Kornel Benko wrote: > > > [-- Type: text/plain, Encoding: 7bit --] > > > On Wednesday, 19 July 2017 at 15:00:16, Kornel Benko wrote > > > >> So, maybe better we could omit

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-19 Thread Guenter Milde
On 2017-07-19, Christian Ridderström wrote: ... > ... I would like to ask (not being > optimistic), if there's some design description anywhere? > I wonder because IMHO security requires a system wide approach and that > it's very easy to screw up if only looking at isolated pieces. Further, it

Re: Errors with vref on de/Additional.lyx with lualatex

2017-07-19 Thread Guenter Milde
On 2017-07-19, Kornel Benko wrote: > [-- Type: text/plain, Encoding: 7bit --] > On Wednesday, 19 July 2017 at 15:00:16, Kornel Benko wrote >> So, maybe better we could omit \textcompwordmark in mono fonts. > This patch works for me. It uses vphantom{}, but only between '<<'

Jenkins build is back to normal : Build branch "master" » ubuntu-xenial-qt4-autotools-extended #317

2017-07-19 Thread ci-lyx
https://ci.inria.fr/lyx/job/build-master-head/job/ubuntu-xenial-qt4-autotools-extended/317/

Re: [LyX/master] Fixup the fixup d0acc3e57044: use editable()/isActive()

2017-07-19 Thread Scott Kostyshak
On Tue, Jun 27, 2017 at 04:47:10PM +0200, Jean-Marc Lasgouttes wrote: > commit 13c3c1485b68980c51658cef8fadf804982d75ee > Author: Jean-Marc Lasgouttes > Date: Fri Jun 23 20:32:32 2017 +0200 > > Fixup the fixup d0acc3e57044: use editable()/isActive() > > While

citeengines/ break make layouttranslation

2017-07-19 Thread Pavel Sanda
Hi Juergen, make ../lib/layouttranslations from within po/ dir used to update layout translations, but it breaks now on make: *** No rule to make target '../lib/citeengines/*.citeengines', needed by '../lib/layouttranslations'. Stop. Not sure what's going on. Pavel

Re: citeengines/ break make layouttranslation

2017-07-19 Thread Jürgen Spitzmüller
2017-07-19 12:38 GMT+02:00 Pavel Sanda : > Fixed it. P > Thanks! Jürgen

Re: [LyX/master] Overtake layout translations from fi.po, ja.po, zh_CN.po

2017-07-19 Thread Kornel Benko
On Wednesday, 19 July 2017 at 05:58:29, Jari-Matti Mäkelä wrote > Fri, 09 Jun 2017 20:30:07 +0200 > Kornel Benko wrote: > > > At least 'make translations1' works. No, I did not so far. The changes > > are because of the fi.po.patch from Jari-Matti Mäkelä. > >

Re: Errors with vref on de/Additional.lyx with lualatex

2017-07-19 Thread Guenter Milde
On 2017-07-18, Kornel Benko wrote: ... > 2.) Can we replace outputting \textcompwordmark with \vphantom{} in > exported tex file? > I could not see any difference in the pdflatex output. Also > lualatex and xelatex displayed correctly. However, lib/unicodesymbols says: Do only

Re: Errors with vref on de/Additional.lyx with lualatex

2017-07-19 Thread Guenter Milde
On 2017-07-18, Kornel Benko wrote: ... > there is also error with the system font 'FreeSerif,FreeSans,FreeMono' > when exporting to PDF(luatex) > !Package varioref Error: \vref at page boundary 14-15 (may loop). > See the varioref package documentation for explanation. > Type H

Re: Can shell-escape take advantage of needauth framework?

2017-07-19 Thread Pavel Sanda
Guillaume MM wrote: > On 18/07/2017 at 23:27, Jean-Marc Lasgouttes wrote: >> On 18/07/2017 at 23:24, Christian Ridderström wrote: >>> The threat model is one important aspect, but it's difficult for us to >>> know who uses LyX and in which industries. Or how many users there are at >>>

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

2017-07-19 Thread Jean-Marc Lasgouttes
On 19/07/2017 at 07:48, Christian Ridderström wrote: If user does not want all these warnings, he could disable them by launching LyX with some option like "--do-not-warn-me-about-unsafe-setting". Instead of having a checkbox for "don't tell me these things again". It has the same issues as

Re: citeengines/ break make layouttranslation

2017-07-19 Thread Pavel Sanda
Pavel Sanda wrote: > Hi Juergen, > > make ../lib/layouttranslations from within po/ dir > used to update layout translations, but it breaks now on > make: *** No rule to make target '../lib/citeengines/*.citeengines', needed > by '../lib/layouttranslations'. Stop. > Not sure what's going on.

Re: [LyX/master] Overtake layout translations from fi.po, ja.po, zh_CN.po

2017-07-19 Thread Pavel Sanda
Kornel Benko wrote: > On Wednesday, 19 July 2017 at 05:58:29, Jari-Matti Mäkelä wrote > > > Fri, 09 Jun 2017 20:30:07 +0200 > > Kornel Benko wrote: > > > > > At least 'make translations1' works. No, I did not so far. The changes > > > are because of the

Re: Errors with vref on de/Additional.lyx with lualatex

2017-07-19 Thread Kornel Benko
On Wednesday, 19 July 2017 at 10:56:21, Guenter Milde wrote > On 2017-07-18, Kornel Benko wrote: > > ... > > > there is also error with the system font 'FreeSerif,FreeSans,FreeMono' > > when exporting to PDF(luatex) > > > !Package varioref Error: \vref at page boundary

Re: [LyX/master] We have new translation which slipped through the cracks.

2017-07-19 Thread Pavel Sanda
Jürgen Spitzmüller wrote: > OTOH I see now that this is how they are defined in listings and minted, > respectively. So the (differing) strings are OK. Yes, when I looked through the logs it seems Enrico was well aware of the issue. > For de, I've just committed a small correction. Shall I

Re: Errors with vref on de/Additional.lyx with lualatex

2017-07-19 Thread Kornel Benko
On Wednesday, 19 July 2017 at 15:00:16, Kornel Benko wrote > So, maybe better we could omit \textcompwordmark in mono fonts. This patch works for me. It uses vphantom{}, but only between '<<' and '>>'. Kornel diff --git a/src/Paragraph.cpp b/src/Paragraph.cpp index

Re: Options for resolving the minted + shell-escape issue

2017-07-19 Thread Enrico Forestieri
On Tue, Jul 18, 2017 at 07:26:23PM -0400, Richard Heck wrote: > On 07/18/2017 09:56 AM, Jürgen Spitzmüller wrote: > > On Tuesday, 18.07.2017, 15:39 +0200, Jean-Marc Lasgouttes wrote: > >> Why not, maybe along with the names of the converters (features) > >> Sweave/gnuplot/minted present in

Re: Can shell-escape take advantage of needauth framework?

2017-07-19 Thread Richard Heck
On 07/19/2017 05:06 AM, Pavel Sanda wrote: > Christian Ridderström wrote: >> I just did a test with gnuplot. In the LyX settings I had unchecked 'Forbid >> of use of needauth converters' and unchecked 'Use needauth option'. Then I >> opened a LyX doc with a gnuplot script. Result: LyX tried to run

Re: Options for resolving the minted + shell-escape issue

2017-07-19 Thread Richard Heck
On 07/19/2017 10:37 AM, Enrico Forestieri wrote: > On Tue, Jul 18, 2017 at 07:26:23PM -0400, Richard Heck wrote: >> On 07/18/2017 09:56 AM, Jürgen Spitzmüller wrote: >>> On Tuesday, 18.07.2017, 15:39 +0200, Jean-Marc Lasgouttes wrote: Why not, maybe along with the names of the

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-19 Thread Richard Heck
On 07/19/2017 02:22 AM, Christian Ridderström wrote: > Hi, > > When having tried to contribute to the discussion on needauth and > shell-escape I've felt that it's quite difficult to get a good picture > of things like: > - Goals of design, what are we trying to achieve > - Principle of design and

Re: Options for resolving the minted + shell-escape issue

2017-07-19 Thread Richard Heck
On 07/19/2017 02:04 PM, Enrico Forestieri wrote: > On Wed, Jul 19, 2017 at 10:58:44AM -0400, Richard Heck wrote: >> Thanks for this, Enrico. Let me just ask one question about it: Is the >> mechanism here per-document >> or per-document and also per-converter? > This only addresses particular

Re: Options for resolving the minted + shell-escape issue

2017-07-19 Thread Jürgen Spitzmüller
On Wednesday, 19.07.2017, 16:37 +0200, Enrico Forestieri wrote: > The attached patch takes into account all of these ideas. As a > disclaimer, > note that I am providing it only because I am now familiar with this > part > of the code and can quickly come up with a patch. But I am not >