On 18/07/2017 at 23:27, Jean-Marc Lasgouttes wrote:
> On 18/07/2017 at 23:24, Christian Ridderström wrote:
>> The threat model is one important aspect, but it's difficult for us to
>> know who uses LyX and in which industries. Or how many users there are
>> at all. And how many of them use converters. If we can achieve
>> good security, we don't need to care about user / usage statistics though.
>> If we talk principles, I think we should aim for really good security
>> and then discuss compromises for what's not doable. But I do think we
>> could do a whole lot better than the current 'needauth'.
> +1
> As I wrote privately, we could have a page describing how to make LyX
> secure. Or even provide a compilation flag that removes dangerous features:
> - disable needauth files
> - somewhat limit what is read from the user directory to the bare minimum.
> JMarc
Meep! Principle 1: "Things don’t become unsafe all by themselves
(Explicit authority)". This means in particular: the secure settings are
the default.
More generally, about the discussion becoming "crazy": academics have
come up with principles that everybody can apply for designing secure
UIs (we do trust them on this list, don't we? ;). I see several virtues to
starting from such principles: this keeps the discussion focused, we do
not reinvent the wheel, and we do not need to guess who the users are and
what their threat vectors are (whether they work in a philosophy
department or a P4 lab :).
Even considering this, I agree that this looks like a heavy discussion,
and I did not imagine it taking place between feature-freeze and beta
release. But if Scott decides to take the time to get to a good
implementation of needauth for 2.3, he will deserve credit for this.
(To add to the list: the "shoot yourself in the foot" option should be
removed IMO.)