Hi,

On Mon, 2 Feb 2009, Graham Percival wrote:

> On Mon, Feb 02, 2009 at 12:26:02AM +0100, Werner LEMBERG wrote:
> >
> > Tim Starling, one of the main Wikipedia software developers, says:
> >
> > My understanding is that
> >
> > a) safe mode is not secure, being trivially DoS-able by short
> > infinite loop scripts
>
> As it currently stands, yes.
>
> > b) safe mode will not work for many of the free scores available on
> > the web
>
> Depends what you mean by "will not work". Almost every score (or
> perhaps even *every* score) can be produced without any scheme.
> Whether or not most current free .ly files use (or do not use) any
> scheme is a separate question.

I think that was part of the bad research Tim did that really upset me.

> > The problems with LilyPond are sufficiently severe that I have, from
> > time to time, researched alternative music renderers such as
> > Philip's Music Writer that don't have an embedded scripting
> > language.
> >
> > Anyone who can shed more light on the raised issues?
>
> I doubt I can explain anything technical about lilypond that you
> don't already know, but from an organizational standpoint I can
> say this: if there's sufficient interest, it could be done.
>
> Assign two Frogs to the task:
> - one person ensures that lilypond input without **any** scheme
>   will always end in a reasonable amount of time.
> - one person modifies --safe. I'm sure that we can whitelist a
>   few more commands (IIRC changing the paper size is not "safe").
>   But we'll certainly need to remove much of the more basic stuff.
>
> Part of the --safe job might be to add more predefined scheme to
> our predefined tweaks (similar to the "lilypond elegance" stuff).
> For example, generic loops would need to go from --safe, so this
> would eliminate many tweaks. But if we added a
> #(for-all-notes-in-expression ...) function, *and* ensured that
> this function couldn't call itself, we might be able to keep some
> chunk of functionality while being more secure.
>
> Then again, we can use a lot of resources just by doing:
> \repeat 1234567789 { c''''8. c,,,,,16 \times 2/3{ c cis cisis } c2 }
>
> Maybe we could insist that --safe only produces 1 page of score?
> ... trying to keep lilypond within certain CPU-time limits is
> going to be hard. :(

Right. But we could add a simple timeout that says "if this fails to
terminate in 20 seconds, it errors _out_".

Likewise, we could have a user-assignable (where the user would be
LilyPond in this context) "nice" value.

Ciao,
Dscho
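
The timeout and "nice" value suggested in the reply above, sketched as an added example that is not part of the original message or of LilyPond: a Python wrapper that starts a renderer at reduced priority under a CPU-time limit and kills it when a wall-clock deadline passes. The name `run_limited`, its parameters and `score.ly` are assumptions for illustration; the demo at the bottom uses a constructed busy loop in place of a real score.

```python
import os
import resource
import signal
import subprocess
import sys


def run_limited(argv, wall_seconds=20, cpu_seconds=20, niceness=10):
    """Run argv at lowered priority under CPU and wall-clock limits.

    Returns (status, returncode); status is "ok", "error", "cpu-limit"
    or "timeout". Hypothetical helper, not LilyPond code. POSIX only.
    """
    def limit_child():
        # Runs in the child between fork and exec.
        os.nice(niceness)  # the "nice" value: yield to other work
        # The soft limit delivers SIGXCPU; the hard limit one second
        # later delivers SIGKILL in case SIGXCPU is caught or ignored.
        resource.setrlimit(resource.RLIMIT_CPU,
                           (cpu_seconds, cpu_seconds + 1))

    proc = subprocess.Popen(
        argv,
        preexec_fn=limit_child,
        start_new_session=True,  # own process group, so helpers die too
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    try:
        rc = proc.wait(timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        # Wall-clock deadline: catches jobs that wait instead of
        # burning CPU, which RLIMIT_CPU alone would never stop.
        os.killpg(proc.pid, signal.SIGKILL)
        proc.wait()
        return ("timeout", None)
    if rc in (-signal.SIGXCPU, -signal.SIGKILL):
        return ("cpu-limit", rc)  # terminated by a signal at the limit
    return ("ok" if rc == 0 else "error", rc)


if __name__ == "__main__":
    # Constructed stand-in for an endless score: a busy loop.
    # An assumed real call: run_limited(["lilypond", "--safe", "score.ly"])
    print(run_limited([sys.executable, "-c", "while True: pass"],
                      wall_seconds=10, cpu_seconds=1))
```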