Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On Mon, Jul 31, 2017 at 11:57:55PM +0200, Christian Ridderström wrote: > Do we have an overview somewhere (with patch reference) for the > alternatives proposed for beta1, which is then what's likely to end up in > 2.3? > Note: I did just look at the wiki page but didn't see it there clearly. No

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On 31 July 2017 at 20:44, Guillaume MM wrote: > Le 31/07/2017 à 13:31, Jürgen Spitzmüller a écrit : > >> I meant it in this sense. If a vote only means "I did not have a >> look at >> >> the patch but I am fed-up so let us go ahead" then it is not taking >>

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

Le 31/07/2017 à 13:31, Jürgen Spitzmüller a écrit : I meant it in this sense. If a vote only means "I did not have a look at the patch but I am fed-up so let us go ahead" then it is not taking responsibilities. A vote is a vote. If the given voting will be Rates

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

I meant it in this sense. If a vote only means "I did not have a look at > the patch but I am fed-up so let us go ahead" then it is not taking responsibilities. A vote is a vote. If the given voting will be Rates differently, this will be have been the last voting I have participated on this

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

Le 29/07/2017 à 23:54, Scott Kostyshak a écrit : On Thu, Jul 27, 2017 at 04:09:56PM +0200, Guillaume MM wrote: * Having to use -shell-escape for running Pygments. Yes, and if we go the way of the patch, I don't think any other improvements (e.g. post-beta1) will be made to address this,

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On Sun, Jul 30, 2017 at 12:12:08AM +0200, Enrico Forestieri wrote: > On Sat, Jul 29, 2017 at 05:54:33PM -0400, Scott Kostyshak wrote: > > > > More important to me is that we interpret "take responsibility" in a > > different way. Enrico, if we decide to go forward with something like > > the

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On Sat, Jul 29, 2017 at 05:54:33PM -0400, Scott Kostyshak wrote: > > More important to me is that we interpret "take responsibility" in a > different way. Enrico, if we decide to go forward with something like > the latest patch, will you be around in the next couple of months and > willing to

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On Thu, Jul 27, 2017 at 04:09:56PM +0200, Guillaume MM wrote: > * One has to decide which suggestions are needed for 2.3 and which ones > can be implemented later. Agreed. And the more immediate issue is which suggestions are needed before beta1. Conditional on LyX devs supporting something like

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

Le 22/07/2017 à 00:47, Guenter Milde a écrit : On 2017-07-19, Richard Heck wrote: On 07/19/2017 01:48 AM, Christian Ridderström wrote: On 18 July 2017 at 23:49, Jean-Marc Lasgouttes > wrote: Le 18/07/2017 à 23:42, Christian Ridderström a

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On 24 July 2017 at 23:20, Tommaso Cucinotta wrote: > On 23/07/2017 20:55, Christian Ridderström wrote: > >> Regarding setting something in the preference file manually: The only >> thing I mind is that it adds a global state to LyX, as opposed to >> starting LyX with some

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On Sat, Jul 22, 2017 at 01:09:09AM +0200, Jean-Marc Lasgouttes wrote: > Le 21/07/2017 à 21:02, Scott Kostyshak a écrit : > > > except if I disable needauth globally :( > > > > What about editing the session file to add the paths of the .lyx files > > that you want? If you're interested, I could

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On 23/07/2017 20:55, Christian Ridderström wrote: Regarding setting something in the preference file manually: The only thing I mind is that it adds a global state to LyX, as opposed to starting LyX with some parameters. The global state would likely affect e.g. testing. the good thing is that

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On 22/07/2017 00:47, Guenter Milde wrote: Enrico's patch did not touch "needauth" but has some nice features for "shell-escape": it addressed the "set and forget" issue by a) adding a red icon to the status bar if a document has the "allow shell-escape" flag. b) revoking the permission,

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On 19 July 2017 at 12:00, Jean-Marc Lasgouttes wrote: > Le 19/07/2017 à 07:48, Christian Ridderström a écrit : >> >> If user does not want all these warnings, he could disable them by >> launching LyX with some option like "--do-not-warn-me-about-unsafe-setting". >> Instead of

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

Le 21/07/2017 à 21:02, Scott Kostyshak a écrit : except if I disable needauth globally :( What about editing the session file to add the paths of the .lyx files that you want? If you're interested, I could write a Python/Bash script that does it for you. I might end up using it also. Well, I

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On 2017-07-19, Richard Heck wrote: > On 07/19/2017 01:48 AM, Christian Ridderström wrote: >> On 18 July 2017 at 23:49, Jean-Marc Lasgouttes > > wrote: >> Le 18/07/2017 à 23:42, Christian Ridderström a écrit : >> I think the default

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On Wed, Jul 19, 2017 at 12:00:52PM +0200, Jean-Marc Lasgouttes wrote: > Which make me think that I did not try to check whether my nice scripts to > process Sweave lyx file still have a chance to work. Oops! they won't This is good. It shows the needauth implementation works. > except if I

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

Le 19/07/2017 à 07:48, Christian Ridderström a écrit : If user does not want all these warnings, he could disable them by launching LyX with some option like "--do-not-warn-me-about-unsafe-setting". Instead of having a checkbox for "don't tell me these things again". It has the same issues as

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

Christian Ridderström wrote: > - Users uncheck settings all the time, it doesn't seem very "scary" > > Why does disabling something like needauth have to be done from within LyX? ... as I read through the list I see we come to similar conclusions ... I don't have strong opinion about these.

Re: Going into dangerous mode (Was: Can shell-escape take advantage of needauth framework?)

On 07/19/2017 01:48 AM, Christian Ridderström wrote: > > On 18 July 2017 at 23:49, Jean-Marc Lasgouttes > wrote: > > Le 18/07/2017 à 23:42, Christian Ridderström a écrit : > > I think the default should be secure, and that the user