Re: Types of LyX users (Was: Can shell-escape take advantage of needauth framework?)

2017-07-24 Thread Scott Kostyshak
On Tue, Jul 25, 2017 at 01:03:00AM +0200, Tommaso Cucinotta wrote:
> 
> ... hope you like it as a start ;-P ...

I like it. We need some illustrations.

Scott




Re: Types of LyX users (Was: Can shell-escape take advantage of needauth framework?)

2017-07-24 Thread Tommaso Cucinotta

On 25/07/2017 00:15, Scott Kostyshak wrote:

> Then we could easily say "I think this feature
> would benefit Lucie, would hurt Raimundo, and would not affect Sara at


Alice was beginning to get very tired of sitting by her sister on the bank, and of having
nothing to do: once or twice she had peeped into the book her sister was reading, but it had
no pictures or conversations in it, "and what is the use of a book," thought Alice,
"without pictures or conversations, or R scripts or automatically generated Gnuplot or
Python plots?"
So, Alice started to write a book using the wildly popular and largely known LyX text editor, allowing her to embed
animated content and even interactive chats within chapters of her new book, which she loves to exchange with Bob the
Lizard. Bob, though, is used to writing so fast, and to annoying everyone with his resounding theme sounds for each and
every key press, to the point that Alice likes to send him chapters incorporating little jokingly hazardous scripts that,
when previewed on the screen, cause Bob's sound volume to definitely shut down (via removal of the snd-* ALSA drivers from
the kernel through a root escalation exploit, but that's an unimportant technical detail). Bob would never try to preview
nor compile those chapters, if it were not for the carefully placed and beautifully decorated "PUSH ME" labels
that Alice placed on Bob's "View" button in the application toolbar (if you're curious, other carefully crafted
icons included "DRINK ME" and "ORANGE MARMALADE" in the same toolbar, all of them calling external
'needauth' converters), when she helped out with the LyX installation on his Linux box, quite a tough task for a Lizard. So,
there he goes, pressing that button over and over again throughout the day.
However, despite the apparent risks coming from the encrypted arguments of the Caterpillar, Alice
and Bob didn't realize how suspicious they should have been of the seemingly harmless and
well-educated tea sessions they regularly had with Mallory the Mad Hatter, who used to like to
confuse their little unaware friends with innocent paragraphs like: You might just as well say that
"I see what I eat" is the same thing as "I eat what I see." Albeit literally
interesting, Alice would fail to realize the full extent of the big and remarkable differences
in font size between the two seemingly and confusingly self-resembling paragraphs, which, at a
closer look (i.e., zoom at least 15000x in the preferences/settings pane), would indeed be
recognized in their very nature as peculiar R and Gnuplot insets embedding scripts able to produce
original hand-crafted output images with the contents just mentioned before, in addition to little,
unforgettable changes to Alice's and Bob's home directories...

... hope you like it as a start ;-P ...

T.


Re: Types of LyX users (Was: Can shell-escape take advantage of needauth framework?)

2017-07-24 Thread Scott Kostyshak
On Sun, Jul 23, 2017 at 09:52:37PM +0200, Christian Ridderström wrote:

> I think Scott is partly verging towards the topic of types of users
> and user scenarios.

Yes I think so. The problem (as you mentioned) is that we really don't
know what the distribution of our users looks like.

> Perhaps there's more kinds of users?

I think your descriptions of users are very helpful, even more generally.
In fact, some companies assign a name to each type of user to make them
easy to reference. That might be useful for us to put in the
Development.lyx manual. Then we could easily say "I think this feature
would benefit Lucie, would hurt Raimundo, and would not affect Sara at
all," where Lucie, Raimundo, and Sara would be defined in the
Development.lyx manual.

Scott




Types of LyX users (Was: Can shell-escape take advantage of needauth framework?)

2017-07-23 Thread Christian Ridderström
On 21 July 2017 at 22:12, Scott Kostyshak wrote:
> On Tue, Jul 18, 2017 at 11:21:38AM +0200, Jean-Marc Lasgouttes wrote:
>> Le 18/07/2017 à 09:07, Scott Kostyshak a écrit :
>> > I was thinking about it from a different angle. I was only focused on
>> > what I thought was most secure, without even considering usability. As I
>> > mentioned in the thread asking for votes, I believe that we should focus
>> > completely on what is the most secure.
>>
>> Well, what is the most secure is to remove all sweave/gnuplot/minted code.
>> There is no point in looking at security without usability IMO.
>
> I see what you mean and I think most people would agree with your
> interpretation. I was taking the approach more of "under which proposal
> is the user least likely to run malicious code". In your scenario (let's
> remove all sweave/gnuplot/minted code), well sweave users would just
> never upgrade LyX and would lose any security-related improvements and
> would not have any of the protection that needauth provides. For minted
> users, they would have to do the '-shell-escape' dance and would have
> the risk of forgetting that they left a converter permanently changed.
> This is what I mean by "less secure". But I know that I'm thinking about
> things differently from others. I can understand the other perspective
> of security of "if a user uses only built-in LyX with no customizations,
> then they would be less likely to run malicious code". I just think the
> "if" in that statement is concerning.

I think Scott is partly verging towards the topic of types of users
and user scenarios.
IMHO these aspects are quite important factors when discussing
features, security, UI and what to include in a software.

What kind of user was I, perhaps the archetypical LyX user:
- Started using LyX while working on my PhD (back in 1997 or so, in
  case it matters)
- Did not know LaTeX in advance, thought it might make sense with a
  graphical frontend.
- Wrote articles etc. in LyX, learned some LaTeX on the way, put stuff
  in the preamble and some ERT.
- Only added some converters to include TGIF images or something like that.
- Besides LaTeX, I never embedded code in the LyX document.
- This user googles to find solutions.
- A more advanced version of this user might start asking questions on
  the users' list.
- LyX worked really well for what I was doing.


Another kind of user could be the "supervisor/reviewer".
- The student has a supervisor or colleague whom he'd like to review his work
- Only minor editing is expected of the reviewer, perhaps adding comments,
  perhaps fixing an error.
Note: My supervisor got printouts back then IIRC.

Related is the use case where two or more people closely collaborate
on a document.
Perhaps they use version control to work on the same LyX document.
Or keep it on a network drive. Or on e.g. Dropbox. Doing this adds
requirements on LyX.


More advanced user:
- LyX is used to build the main document, perhaps there are child documents.
- Perhaps exporting/publishing to multiple different formats.
- The document pulls in information from external files, e.g.
  .tex files with data.
- However, the .tex files are updated externally to the use of LyX,
  so the user has to manage dependencies etc.

Then we have the kind of user for whom I don't have a name, nor know well:
- Includes LyX deeply in his work flow
- Embeds code to be executed, perhaps repeatedly, in his document
- Using LyX as an IDE to develop his "program"
- ?

Non-user:
- Like my girlfriend, who likes writing in LaTeX
- I tried to get her to use LyX but it didn't take
  - she e.g. didn't like having to go through the menus all the time;
    she would've preferred being able to use the keyboard all the time.
    So using plain LaTeX was "easier".
- At some point I should get more details on this.

Perhaps there's more kinds of users?

Anyway, the connection with security and shell-escape etc is that only
one of these kinds of users would likely actually need to use
shell-escape, and that user is probably more capable. OTOH, maybe we
_want_ to make LyX a tool where using e.g. R from within LyX is a
really good experience.

If these categories are reasonable, it'd be interesting to know the
distribution of users.
/Christian

PS. These days I find myself writing work notes in Emacs' org-mode a
lot of the time. Why?
- Speed. It's quicker to type/edit in LaTeX.
  Perhaps because LyX's keyboard isn't working so well for me on my
  mac with a Swedish keyboard.
- I typically don't need so many formulas. Org-mode is fine for a few
  formulas, including images.
- Sometimes I even embed executable code (MATLAB) in my org-mode file.
- Often I don't need pretty output.
- Very convenient with text-based files that work well with version control.
- Perhaps also related that I had to go through five years or so where
  I was forced to write in Word, and it left me damaged.
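
Scott's point above about the '-shell-escape' dance, and the risk of forgetting that a converter was left permanently changed, suggests a concrete check a user (or a distribution maintainer) can run. The script below is an added example for this thread, not LyX project code and not anything posted by the participants. It assumes that the LyX preferences file (on Linux usually ~/.lyx/preferences, assumed here) lists converters as lines of the form \converter "from" "to" "command" "flags", with a comma-separated flags field in which the flag spelled "needauth" marks a converter as subject to the needauth prompt; the sample file contents and the converter commands in it are constructed for the example and are not copied from any real installation.

```python
"""Audit a LyX preferences file for converters left in a risky state:
TeX commands carrying -shell-escape (or the equivalent --enable-write18),
and converters that run an interpreter (R, Python, gnuplot, ...) without
the needauth flag.

Added example for the mailing-list thread; not LyX project code.
Assumptions: the preferences file uses lines of the form
    \\converter "from" "to" "command" "flags"
with a comma-separated flags field, and "needauth" is the flag name.
"""
import os
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample preferences file body (not from a real installation).
SAMPLE_PREFERENCES = r'''
# LyX preferences (constructed sample)
\converter "latex" "pdf2" "pdflatex -shell-escape $$i" "latex"
\converter "pdflatex" "pdf2" "pdflatex $$i" "latex"
\converter "sweave" "latex" "Rscript --no-save $$s/scripts/lyxsweave.R $$i $$o" "needauth"
\converter "gnuplot" "pdf6" "python -tt $$s/scripts/gnuplot2pdf.py $$i $$o" ""
\converter "knitr" "latex" "Rscript --no-save $$s/scripts/lyxknitr.R $$i $$o" "needauth"
'''

CONVERTER_RE = re.compile(r'^\\converter\s+(.*)$')
# Exact-token match, so "-no-shell-escape" is not reported as a hit.
SHELL_ESCAPE_TOKENS = ('-shell-escape', '--shell-escape',
                       '-enable-write18', '--enable-write18')
# Program names whose converters should carry the needauth flag (assumed list).
INTERPRETERS = {'Rscript', 'R', 'python', 'python2', 'python3',
                'gnuplot', 'perl', 'sh', 'bash'}


@dataclass
class Converter:
    src: str
    dst: str
    command: str
    flags: List[str] = field(default_factory=list)


def parse_converters(text: str) -> List[Converter]:
    """Return the \\converter entries found in a preferences file body."""
    converters = []
    for raw in text.splitlines():
        m = CONVERTER_RE.match(raw.strip())
        if not m:
            continue
        fields = shlex.split(m.group(1))
        if len(fields) != 4:  # malformed line: skip rather than guess
            continue
        src, dst, command, flags = fields
        converters.append(
            Converter(src, dst, command, [f for f in flags.split(',') if f]))
    return converters


def audit_preferences(text: str) -> List[Tuple[str, str, str]]:
    """Return (from, to, issue) for each converter left in a risky state."""
    findings = []
    for c in parse_converters(text):
        argv = shlex.split(c.command)
        if any(tok in SHELL_ESCAPE_TOKENS for tok in argv):
            findings.append((c.src, c.dst, 'shell-escape'))
        program = os.path.basename(argv[0]) if argv else ''
        if program in INTERPRETERS and 'needauth' not in c.flags:
            findings.append((c.src, c.dst, 'interpreter-without-needauth'))
    return findings


def audit_file(path: str = os.path.expanduser('~/.lyx/preferences')
               ) -> List[Tuple[str, str, str]]:
    """Audit a real preferences file; the default path is the usual
    Linux location (assumed), adjust for other platforms."""
    with open(path, encoding='utf-8') as fh:
        return audit_preferences(fh.read())


if __name__ == '__main__':
    for src, dst, issue in audit_preferences(SAMPLE_PREFERENCES):
        print(f'{src} -> {dst}: {issue}')
```

Run against the constructed sample it reports the latex -> pdf2 converter for -shell-escape and the gnuplot -> pdf6 converter for invoking python without needauth, while the two Rscript converters that carry needauth are left alone; point audit_file() at a real preferences file to check an actual installation.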