David + Jeff

> > The problem is that I do not believe that the security model of TeX and
> > the security model of LaTeX are absolutely equivalent. They may be
> > close, but "close" doesn't cut it in the security world.
>
> I don't think they are close. I assert they are the same as latex is just
> part of the input to TeX. It is to TeX just the first part of the
> document. Any code in latex could be in a document. If you distributed a
> security-fixed latex, I could send the old latex.ltx as a document and
> tell you it's a document to give to "initex" (rather than latex) and it
> would do whatever the old latex did. If you find a security problem then
> unless you change the tex executable the security problem will not go
> away. If you do change the tex executable then you are not changing
> LPPL'ed code (it's most likely GPL).

please give it a rest as you both are right to a point.

The above example should make it clear to Jeff that there is no guarantee to fix anything in LaTeX which is already a problem in TeX.

but at the same time it is certainly true that somebody might explicitly introduce a security problem in the kernel or a latex package that uses the existing features of TeX (which you can't or rather don't want to take away), which is reading and writing files. Even if this is pretty closed up by TeX through not accepting . files or not reading or writing outside certain paths, it is impossible to ensure that important files can't be overwritten or accessed nevertheless.

so if, for some reason, latex.ltx suddenly contains

\openout\foo=<critical file>

then i wouldn't want to see that format being distributed to unsuspecting users. and what to do then within the LPPL license (i already discussed in an earlier post)

so in some sense this is a nice philosophical discussion (and i liked the sandbox fixing metaphor) but we can assume either position without having any bearing on LPPL being DFSG-compliant or not. right?

frank