On Sun, Feb 25, 2018 at 11:38 AM, Phil <phil.s....@gmail.com> wrote: Actually, the security risk would be higher if a Leo file could turn on > @script by itself. >
​Happily, it can't. Only myLeoSettings.leo can set @bool scripting-at-script-nodes = True Security concerns exist for *any* executable that might be shared. Such as .bashrc files or user-defined startup scripts for any editor, including Leo when #740 Execute .leo/leo_startup.py on startup <https://github.com/leo-editor/leo-editor/issues/740> is complete. The more complex (and therefore potentially useful) such files are, the greater the probability of sharing and the greater the risk of malware. These problems aren't ever going to go aware. Backups in separate places are essential. What makes @script nodes more dangerous is that they can easily be hidden in a shared .leo file. This is less true of flat text files, of whatever length or complexity. But the fact remains: it would be crazy to accept any executable file from an unknown source without carefully reviewing its contents. Edward -- You received this message because you are subscribed to the Google Groups "leo-editor" group. To unsubscribe from this group and stop receiving emails from it, send an email to leo-editor+unsubscr...@googlegroups.com. To post to this group, send email to leo-editor@googlegroups.com. Visit this group at https://groups.google.com/group/leo-editor. For more options, visit https://groups.google.com/d/optout.