Hi Scott,

Sorry for the delay. I was very busy over the past
two weeks.

On 05/07/2017 at 06:54, Scott Kostyshak wrote:
On Wed, Jun 28, 2017 at 02:36:49PM +0200, Guillaume MM wrote:
On 27/06/2017 at 23:45, Tommaso Cucinotta wrote:

needauth was an urgently needed mitigation of the security issues behind
running arbitrary external tools when compiling LyX documents; a more
engineered remedy AFAICR was actually the use of sandboxing machineries,
which was prototyped on Ubuntu/Linux using AppArmor.

This is also what I remember. The now secured converters were sweave and
knitr, introduced in 2011 and 2012.

+1

I see that you have also introduced a gnuplot converter with an example.

+ Proportionality: unsafety is actually a main feature of gnuplot from
what I understand from http://www.yqcomputer.com/320_2475_1.htm
+ Specificity: only gnuplot is given elevated privileges, which is what
the user wants.
- UI problem 1: When I open the example, I immediately get the needauth
dialog for showing the preview. I thought we only wanted unsafe
execution when compiling the document.

I forget what we decided on this. If we don't give the dialog, then we
should just disable the preview?

But then if I enable gnuplot for compilation, does it mean that preview
becomes enabled? Then will this be remembered on next opening without
asking? What if I change my mind later on / do not remember? etc.

On the contrary, if preview never uses needauth converters, is it as
useful in cases like gnuplot?

etc.


It seems to me that needauth, as it is, is not ready for the addition of
gnuplot. What do you think?

I'm not sure. Is it less secure than Sweave/knitr?

At the moment I believe it is less secure, because UI issues discussed
above are more acute currently, but mainly:

Or is your argument
that those were already there so needauth makes them safer, but we
should not add any other converter that needs needauth?

Yes, this is what I believe is the safest route (see answers to your
more specific points in the other message). I did not dare suggest
removing features that have been there since 2011. Once it is in, it
has to be supported forever; I believe there is an agreement about this.
This is also why I have been suggesting that the most careful choices
are made from the start.

Guillaume
