> The problem is that I do not believe that the security model of TeX and > the security model of LaTeX are absolutely equivalent. They may be > close, but "close" doesn't cut it in the security world.
I don't think they are close. I assert they are the same as latex is just part of the input to TeX. It is to TeX just the first part of the document. Any code in latex could be in a document. If you distributed a security-fixed latex, I could send the old latex.ltx as a document and tell you it's a document to give to "initex" (rather than latex) and it would do whatever the old latex did. If you find a security problem then unless you change the tex executable the security problem will not go away. If you do change the tex executable then you are not changing LPPL'ed code (it's most likely GPL). > Not all Java problems are problems with Java. In some places, Java > programs enable se > However sadly I suppose I will have to agree with tex has more similarity to "cp" than to java. It doesn't (by default) do system calls, only has highly restricted file access and just takes a file in one place and outputs a related file elsewhere. If you find that applying cp to some document causes a security problem then that is a problem with cp (or your system file permissions) it isn't a problem with the document itself. The same is true of a set of tex macros, whether they are in a document or in the latex format. However sadly I suppose I'll have to agree with this: > But I doubt we're going to convince each other. It is also irrelevant to a general discussion of LPPL, as I commented before. LPPL is drafted so that it can be applied to any program. If Debian are going to accept that (some version of) LPPL is acceptable for their free tree then it is reasonable for you to ask what you could do if you found yourself distributing some insecure program that was LPPL licenced (and was not latex). The easy answer is that as it was LPPL'ed you would have access to the source, you could fix the program and distribute it under a new name. It would seem that in the vast majority of cases this should be quite sufficent. If there are cases where that is not sufficient it comes down to looking at the edge cases of any particular wording in an LPPL draft where the "rename" rule is relaxed. If we could articulate exactly when it is reasonable to redistribute without renaming it may be possible to redraft parts of LPPL to allow that in more cases. David _____________________________________________________________________ This message has been checked for all known viruses by Star Internet delivered through the MessageLabs Virus Scanning Service. For further information visit http://www.star.net.uk/stats.asp or alternatively call Star Internet for details on the Virus Scanning Service. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
