On Thu, Jul 06, 2017 at 04:20:43PM -0400, Scott Kostyshak wrote:
> On Thu, Jul 06, 2017 at 04:03:11PM +0200, Enrico Forestieri wrote:
>
> > Trying to separate these issues is hypocritical and discriminatory.
>
> I do not think it necessarily has to be hypocritical or discriminatory.
> Hypocritical to me would mean that there's no reasonable argument why
> one would be allowed and the other would not. Consider the following
> potential rule:
>
> We should not introduce code that makes the next LyX version less
> secure than the previous version.
>
> To me this is a reasonable criterion. I'm not saying it's the only one
> and I'm not saying it's better than other criteria we could use instead,
> but I believe it is *reasonable*. And because knitr and Sweave were in
> previous releases, unless we believe that needauth decreases the
> security of them then it passes this criterion. If it is determined that
> the work regarding shell-escape makes LyX less secure, then that work
> would not pass the above criteria.
>
> Consider the following philosophy instead:
>
> If we reject a patch that decreases security, we should remove all
> related functionality from LyX that suffers from that same security
> threat.
>
> This also seems reasonable. I'm not going to make an argument about
> which one is more reasonable. I'm just saying that both are reasonable
> to me.

Well, all of this smells of sophism to me. In this way everything and
its opposite can be justified by rhetorical arguments.

> It is still not clear whether the majority of LyX developers think that
> the shell-escape work decreases or increases security. I would prefer to
> wait and see what the majority believe. If they believe that it would
> decrease security, then I think that we should do as you suggest and
> re-evaluate needauth and our decision to ship support for knitr and
> Sweave.

Oh, the tyranny of the majority. Then, I fear that whatever I say is
ineffective.

http://fablesofaesop.com/the-wolf-and-the-lamb.html

--
Enrico