On Tue, Jun 13, 2017 at 01:46:45AM -0400, Richard Heck wrote:
> On 06/12/2017 08:08 PM, Enrico Forestieri wrote:
> > On Mon, Jun 12, 2017 at 05:49:50PM -0400, Scott Kostyshak wrote:
> >> On Mon, Jun 12, 2017 at 07:37:53PM +0200, Enrico Forestieri wrote:
> >>
> >>> However, I think I have to wait for a nod before applying this patch.
> >> Thanks for waiting. I think there is indeed a chance Guillaume would be
> >> against it, and if even one person is against it since it is related to
> >> security I think we should have a discussion. I base that guess on [1],
> >> but perhaps I'm wrong. Guillaume?
> > Note that I was convinced by the following observations by Jürgen:
> >
> >> I find it much more dangerous to encourage the user to set the flag
> >> generally, since this might bite him with other documents quite
> >> horribly.
> >> The note in the minted example file advises users
> >> to set the flag. And they would explicitly have to reset it every time.
> >> Chance is high that they just keep it eventually. That's my point.
> > After thinking about it, I agree completely.
> 
> I have not been able to follow all the details of this conversation.
> Since it seems to raise VERY important security issues, I wonder if
> someone could start a new thread and there summarize the pros and cons
> of whatever courses of action are open to us. We are all responsible
> together for LyX's security, so I'd prefer myself if we had a
> wider-ranging discussion of this.
> 
> Generally speaking, we have always been very cautious around these
> sorts of issues. See, e.g., the removal of the ability to launch URLs
> from within LyX.

Richard, this is a different issue. The user can always set -shell-escape
and we can't prevent him from doing that. If the user is bothered by
having to set the option and then delete it again, it may happen that
he leaves it in place, giving rise to all the security risks this entails.
We cannot bury our head in the sand and blame the user for that.
Rather, we should try to protect him by setting the option only when
it is really needed, in an ephemeral way. This does not happen behind
the user's back and he is warned of that, hence he can properly act.

-- 
Enrico
