On Thu, May 8, 2008 at 3:30 PM, Pavel Sanda <[EMAIL PROTECTED]> wrote:
> > safe', he was not able to provide any solid example that demonstrates
> > any potential security issue with putting filepath + filename + file
> > content in a .lyx file.
>
> very easy to provide. in linux you usually have files in your home directory.
> once you put the whole filepath it contains your username. now this is 50%
> of success in case you want to assault some machine via some dictionary attack,
> because you already know some username which is to be attacked.

The inclusion of filepath in .lyx file has always been allowed, and will continue to be allowed. In other words, this is not a problem with embedding, but a general problem with using external files. It would be nice if embedding can help address this problem, but there is nothing wrong if it cannot.

> Bo, you already know there is a way to stop it ;) please don't invest too much
> time unless there is general agreement this is the way to go. As we have
> particularly bad experience about this issue it may be even good to have some
> general "conclusion" mail on the approach which the interested people you listed
> agreed upon. Better to flame some more weeks than to revert some work again.

I do not mind if the discussion will last a bit longer, but I would like to avoid the bad experience we had before. You know, I publicized the basic ideas of embedding at the very beginning of the 1.6.0 cycle, I asked others to join the development of this feature, I posted patches and asked for opinions. After almost a year, when the feature was implemented, people started to realize that they did not like the design and provided a bunch of alternatives.

This will not happen again. That is to say, I will give you guys a limited time frame within which you can express your opinions.

1. If you disagree with basic design, you can vote against it.
2. If you dislike a certain part of the design, please object with reasons and suggest alternatives within this framework.
3. If you like the idea, please vote for it.

The important part is that once the basic design is accepted, it is accepted. Period. If you keep quiet, your opinion will be ignored later. Also, I will respond only to sensible criticisms and suggestions, not to personal insults.

Cheers,
Bo