Pavel Sanda wrote:
safe', he was not able to provide any solid example that demonstrates
any potential security issue with putting filepath + filename + file
content in a .lyx file.
very easy to provide. in linux you usually have files in your home directory.
once you put your the whole filepath it contains your username. now this is 50%
of success in case you want to assault some machine via some dictionary attack,
because you already know some username which is to be attacked.
Indeed. Not to mention that knowing details about the structure of the
filesystem is in general pretty dang useful to an attacker. If it were
impossible to get what Bo wants without putting path information into a
LyX file---especially one that is designed for sharing---then that might
argue for taking the risk, though even then I'm not sure. As Jose said,
it is far and away wisest to err on the side of caution here. But it
doesn't matter, because it's clearly not impossible, in virtue of Jose's
session-based alternative.
But what's more important, to my mind, is the fact that too many of the
details of how this is implemented seem to reflect the needs of a *very*
small number of users. I have spoken now with several of the users who
posted to the list after the last embedding implementation was reverted,
asking them what their needs are, etc, and none of them suggested
anything that would require keeping this kind of information in the LyX
file. Or, for that matter, would require being able to embed files
selectively. To provide this, rather than just a "bundled" mode that
embeds everything, we have to provide an "embed file" checkbox in every
dialog where such a file might be referenced. Not only does this clutter
the UI, as Edwin mentioned, but, to my mind, it just makes the embedding
feature too "in your face". If I'm working on a shared document, then I
want to turn on "bundling". If not, then I don't want to see that stuff.
Now yes, there are use cases one can imagine where selective embedding
might be nice. But providing for such cases is what's causing the
trouble, so there'd have to be a lot of benefit to make it worth doing,
and I just don't see it.
What our users want, and what would help me, is a way to make sharing,
archiving, etc, easier, and this is precisely what the approach I
started but have had temporarily to set aside (work, you know) does. If
we're going to have a discussion about how to proceed here, then people
ought to have a look at that code, which is in my private branch. It's
not finished, but it does work, and it is very unintrusive, both in
terms of its impact on the rest of the code and in terms of its impact
on the UI (which amounts to one menu entry).
rh
