Tommaso Cucinotta wrote:
> it says "Permission denied" :-)!
> So, the idea is to wrap execution of any external converter/plotter/etc.,
> so that they can only write into the /tmp/ folder, except for the case of
> exporting to .pdf, .tex, etc.
>
> Any distro packager on the list with comments?

AppArmor is considered experimental and userspace utils are hardmasked under Gentoo (aka ultraexperimental stuff which might break).

Reading through the threads about hardening LyX my thoughts are:

- AppArmor will likely be a pita for proper LyX installing and cause a maintenance burden not worth the feature-added value. We could bundle it but better not to ask for it as a requirement.

- confirmation dialogs tend to be overlooked by users, so while I am not against having it, one click away from potential disaster does not seem to be enough.

- we could add a pref setting combo like "never run/run after confirmation/never ask" and the 2nd option could be your dialog which allows switching to "never ask" for a given document (or global?). Any install will have the default "never run" and require that the user goes to prefs and consciously does something about unhardening LyX.

My 2 cents,
Pavel