On 18 July 2017 at 11:32, Guillaume MM <g...@lyx.org> wrote: > Once it is in, then it >>> has to be supported forever, I believe there is an agreement about this. >>> >> >> I wouldn't say this in absolute terms, but I would agree that there's >> lots of hesitation before removing a feature, and that hesitation only >> increases with time. But not that we have removed features. For example, >> we removed support for printing, even though there were still some using >> the feature. >> > > I agree, but note that for printing this did not invalidate existing > documents.
I just did a test with gnuplot. In the LyX settings I had unchecked 'Forbid of use of needauth converters' and unchecked 'Use needauth option'. Then I opened a LyX doc with a gnuplot script. Result: LyX tried to run the script due to the preview, without asking or alerting me. In my opinion this demonstrates a case where the security is _not_ good enough, as I don't think it'd very difficult to trick someone into unchecking these boxes. I therefore think we should discuss the pros/cons of needauth. If needauth cannot be shown to be secure enough, or if we don't think we can reasonably fix it, then my opinion is that we should discuss removing needauth. Presumably the number of users needing R/knitr/sweave is small compared to the total user base and I don't think it's fair to leave the majority at risk. At the same time I definitely think that users should be able to build their old documents in new releases of LyX. So, if needauth cannot be shown to be good enough, how can we support users of R etc? Some alternatives: - Require that they, for these documents, stay with the 2.2.x-series, until we have a sufficiently good security mechanism. - Only allow the dangerous behaviour of 2.2.x if the user starts LyX 2.3.0 with a special flag. - Force them to compile their own LyX with a special flag set. - ? Regards, Christian
