On Mon, Jul 17, 2017 at 06:55:14AM +0200, Guillaume MM wrote:
> Hi Scott,
>
> Sorry for the delay. I was very busy over the past
> two weeks.

No problem.

> On 05/07/2017 at 06:54, Scott Kostyshak wrote:
> > On Wed, Jun 28, 2017 at 02:36:49PM +0200, Guillaume MM wrote:
> > > On 27/06/2017 at 23:45, Tommaso Cucinotta wrote:
> > > >
> > > > needauth was an urgently needed mitigation of the security issues behind
> > > > running arbitrary external tools when compiling LyX documents; a more
> > > > engineered remedy AFAICR was actually the use of sandboxing machinery,
> > > > which was prototyped on Ubuntu/Linux using AppArmor.
> > >
> > > This is also what I remember. The now secured converters were sweave and
> > > knitr, introduced in 2011 and 2012.
> >
> > +1
> >
> > > I see that you have also introduced a gnuplot converter with an example.
> > >
> > > + Proportionality: unsafety is actually a main feature of gnuplot from
> > >   what I understand from http://www.yqcomputer.com/320_2475_1.htm
> > > + Specificity: only gnuplot is given elevated privileges, which is what
> > >   the user wants.
> > > - UI problem 1: When I open the example, I immediately get the needauth
> > >   dialog for showing the preview. I thought we only wanted unsafe
> > >   execution when compiling the document.
> >
> > I forget what we decided on this. If we don't give the dialog, then we
> > should just disable the preview?
>
> But then if I enable gnuplot for compilation, does it mean that preview
> becomes enabled? Then will this be remembered on next opening without
> asking? What if I change my mind later on / do not remember? etc.

I agree that we need to be careful with preview. Even if the user has
disabled needauth, I don't think we would want it to be possible for
malicious code to be run just from *opening* a .lyx document.

> On the contrary, if preview never uses needauth converters, is it as
> useful in cases like gnuplot?

By "it" do you mean the external template?

> > > It seems to me that needauth, as it is, is not ready for the addition of
> > > gnuplot. What do you think?
> >
> > I'm not sure. Is it less secure than Sweave/knitr?
>
> At the moment I believe it is less secure, because the UI issues discussed
> above are more acute currently,

That could be, because with gnuplot perhaps preview is more likely. We
could just disable preview in the case of needauth converters.

> but mainly:
>
> > Or is your argument
> > that those were already there so needauth makes them safer, but we
> > should not add any other converter that needs needauth?
>
> Yes, this is what I believe is the safest route (see answers to your
> more specific points in the other message).

I see your logic here.

> I did not dare suggest
> removing features that were there since 2011.

> Once it is in, then it
> has to be supported forever; I believe there is an agreement about this.

I wouldn't say this in absolute terms, but I would agree that there's
lots of hesitation before removing a feature, and that hesitation only
increases with time. But note that we have removed features. For example,
we removed support for printing, even though there were still some using
the feature.

> This is also why I have been suggesting that the most careful choices
> are made from the start.

Makes sense.

Scott