Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-25 Thread Christian Ridderström
On 24 July 2017 at 23:27, Tommaso Cucinotta wrote: > > > I support the idea as well, and I'm interested in contributing to it. > I could help as well, at least with the outside view. > As a starting point for the needauth stuff, I had put a recap of the > problem and

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-24 Thread Tommaso Cucinotta
On 23/07/2017 16:56, Christian Ridderström wrote: Does anyone feel we should _not_ keep such a security document in the general LyX repository? Note: Generally speaking I'm all for being open and transparent, but such a document might end up containing descriptions of ways in which LyX could

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-24 Thread Tommaso Cucinotta
On 21/07/2017 22:28, Scott Kostyshak wrote: I support the suggestion to create such a document and suppose to make it a section in "Development.lyx": + bundled with other project policies and developer documentation + write access for all developers + we can use LyX's version control for

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-23 Thread Christian Ridderström
On 21 July 2017 at 22:28, Scott Kostyshak wrote: > On Wed, Jul 19, 2017 at 07:34:59PM +, Guenter Milde wrote: > > On 2017-07-19, Christian Ridderström wrote: > > > > ... > > > ... I would like to ask (not being optimistic), if there's some design > description anywhere? > >

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-21 Thread Scott Kostyshak
On Sat, Jul 22, 2017 at 12:22:21AM +0200, Enrico Forestieri wrote: > > I think the above summaries by Richard and Guillaume are accurate. > > Please, note that I did not even think about adding support for shell > escape for the sake of minted. In my view, the minted support was ready > as it is

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-21 Thread Enrico Forestieri
On Fri, Jul 21, 2017 at 04:29:04PM -0400, Scott Kostyshak wrote: > On Thu, Jul 20, 2017 at 07:04:56PM +0200, Guillaume MM wrote: > > On 19/07/2017 at 16:59, Richard Heck wrote: > > > On 07/19/2017 02:22 AM, Christian Ridderström wrote: > > > > Hi, > > > > > > > > When having tried to

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-21 Thread Scott Kostyshak
On Thu, Jul 20, 2017 at 07:04:56PM +0200, Guillaume MM wrote: > On 19/07/2017 at 16:59, Richard Heck wrote: > > On 07/19/2017 02:22 AM, Christian Ridderström wrote: > > > Hi, > > > > > > When having tried to contribute to the discussion on needauth and > > > shell-escape I've felt that it's

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-21 Thread Scott Kostyshak
On Wed, Jul 19, 2017 at 07:34:59PM +, Guenter Milde wrote: > On 2017-07-19, Christian Ridderström wrote: > > ... > > ... I would like to ask (not being > > optimistic), if there's some design description anywhere? > > > I wonder because IMHO security requires a system wide approach and that

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-20 Thread Guillaume MM
On 19/07/2017 at 16:59, Richard Heck wrote: On 07/19/2017 02:22 AM, Christian Ridderström wrote: Hi, When having tried to contribute to the discussion on needauth and shell-escape I've felt that it's quite difficult to get a good picture of things like: - Goals of design, what are we trying

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-19 Thread Guenter Milde
On 2017-07-19, Christian Ridderström wrote: ... > ... I would like to ask (not being > optimistic), if there's some design description anywhere? > I wonder because IMHO security requires a system wide approach and that > it's very easy to screw up if only looking at isolated pieces. Further, it

Re: Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-19 Thread Richard Heck
On 07/19/2017 02:22 AM, Christian Ridderström wrote: > Hi, > > When having tried to contribute to the discussion on needauth and > shell-escape I've felt that it's quite difficult to get a good picture > of things like: > - Goals of design, what are we trying to achieve > - Principle of design and

Any descriptions of the security aspects (related to needauth and shell-escape)?

2017-07-19 Thread Christian Ridderström
Hi, When having tried to contribute to the discussion on needauth and shell-escape I've felt that it's quite difficult to get a good picture of things like: - Goals of design, what are we trying to achieve - Principle of design and system - Assumed threat models, and perhaps list threat scenarios