On Thursday 08 May 2008 21:30:06 Pavel Sanda wrote: > very easy to provide. in linux you usually have files in your home > directory. once you put your the whole filepath it contains your username. > now this is 50% of success in case you want to assault some machine via > some dictionary attack, because you already know some username which is to > be attacked.
I have explained before that this was the reason we have stopped the inclusion of the user name in the lyx file. This is the first line of lyx-0.10.7/doc/UserGuide.lyx #This file was created by <candide> Sun Aug 25 00:15:38 1996 We have removed it in later versions (1.0.x IIRC). Now with the full path we are placing even more information in the lyx file than before. Security is not a simple thing and so we should be conservative about it as well as with privacy concerns. From the beginning I have proposed an alternative using session files, codewise it is simple and answers my objections above. I have proposed an alternative. One argument refers to the reversibility when using lyx2lyx. If we agree that lyx should not write outside of its directory, for security concerns, the same should apply to lyx2lyx. Regarding the lyx file carrying the original path origin of the embedded files I gave this issue lots of thought, it is not a whim but a genuine care for security and privacy reasons, and the more I think about it the less I like it. -- José Abílio
