On Wed, 2002-07-17 at 10:34, Martin Schröder wrote:
> On 2002-07-17 10:23:56 -0500, Jeff Licquia wrote:
> > On Wed, 2002-07-17 at 04:35, Martin Schröder wrote:
> > > On 2002-07-17 00:44:21 -0400, Simon Law wrote:
> > > > I can imagine latex.ltx containing a couple extra
> > > > \openin15=.ssh/identity , \openin15=.gnupg/secring.gpg and
> > > > \openout15=.shrc commands[2] as put there by someone who has cracked an
> > >
> > > This is not possible on a default TeX installation.
> >
> > [quotes about security protections removed]
> >
> > So you agree that LaTeX can be the source of a security hole. Having
>
> No.

Then the protections you quoted are not necessary? I'm confused. Why
were they added if they weren't needed?

> The default installation of teTeX makes it extremely difficult (if
> not impossible) to open any security holes. If you are really
> concerned about security in TeX, you could and should enhance the
> web2c TeX distribution, not LaTeX.

Lots of people have made claims that their software is impregnable, and
cannot be exploited. Lots of people have been wrong.

Several people in this thread have already quoted several possibilities
where LaTeX could be the vector of a security problem. If you're going
to claim impossibility, then I'm afraid I'm going to have to ask for
proof. And if it's not impossible (even if it's just "extremely
difficult"), then our concerns for patching any potential holes that
come up are valid.

> P.S.: Your fear of security holes in LaTeX borders on either
>       ludicrous or paranoid (seen from 25 years of TeX history);
>       it is at best very hypothetical.

In 1995, security holes in Microsoft operating systems were also
hypothetical, even after over 10 years of use. That didn't make the
holes any less real when they were found. Microsoft even made some
claims way back then that sound awfully similar to the claims you're
making now.

I feel duty-bound to point out that I don't think TeX or LaTeX are any
worse than anything else in this regard; for all I know, they may be
better. It's just my contention that they fall under the category of
"software produced by humans", and that everything that falls into that
category may potentially be a security problem. That's all.

> P.P.S.: The same potential "security problems" are relevant to
>         plain.tex, which everyone except Donald Knuth is
>         forbidden to change. Are you going to stop distributing
>         that?

That would be a problem, in my opinion. Unfortunately, I'm having
trouble verifying the TeX licensing situation, so I can't comment on the
status of TeX in Debian.

I'll check that file out if I can find it.
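
The \openin and \openout lines quoted from Simon Law's message are the kind of thing a reviewer can look for mechanically in a macro file before trusting it. The Python below is an added example, not part of the original thread or of any TeX distribution; the regular expression, the function names and the flagging policy (dotfiles, absolute paths, parent directories, macro-built names) are assumptions made for illustration, and the sample input is constructed.

```python
import re
from pathlib import PurePosixPath

# \openin / \openout, a stream (number or control sequence), optional "=",
# then the file name up to whitespace, brace, comma or comment.
OPEN_RE = re.compile(
    r"\\(openin|openout)\s*(?:\d+|\\[A-Za-z@]+)\s*=?\s*\{?([^\s{}%,]+)"
)
COMMENT_RE = re.compile(r"(?<!\\)%.*")  # TeX comment: unescaped % to end of line


def classify(name):
    """Return why a file name deserves review, or None (assumed policy)."""
    if "\\" in name or "#" in name:
        return "dynamic"  # name is built by macros; cannot be judged statically
    path = PurePosixPath(name)
    if path.is_absolute():
        return "absolute"
    if ".." in path.parts:
        return "parent-dir"
    if any(part.startswith(".") for part in path.parts):
        return "dotfile"
    return None


def audit(tex_source):
    """List (line_no, primitive, file_name, reason) for each flagged open."""
    findings = []
    for line_no, line in enumerate(tex_source.splitlines(), start=1):
        code = COMMENT_RE.sub("", line)
        for primitive, name in OPEN_RE.findall(code):
            reason = classify(name)
            if reason:
                findings.append((line_no, primitive, name, reason))
    return findings


# Constructed sample: the three names from the thread plus ordinary usage.
SAMPLE = r"""\openin15=.ssh/identity
\openin15=.gnupg/secring.gpg
\openout15=.shrc
\openout\@mainaux\jobname.aux
\openin\@inputcheck=article.cls
% \openout15=.profile
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: \\%s %s [%s]" % finding)
```

A "dynamic" finding means the name is assembled at run time, so a static scan cannot clear it and the surrounding macro has to be read by hand.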