[I wrote about LyX document virus]
> That's an interesting idea. This would happen if we allow the
> documents themselves to contain macros. I think that this is a bad
> idea at this point of time.

Yes, but I think we want to aim for this, and therefore, we should
consider this now.

> In fact, I'd like us to improve the lyx server and use it temporarily
> as macro support. In fact, I am not sure that we will have time to
> implement a macro language (that works in a useful way) and put it
> to actual use for next major release. We already have a lot of major
> things to do.

Ok, so we have agreed that scripting is a version 1.1 issue.
But that doesn't stop us from doing the considerations/implementation
now.  And I think we should get it right the first time, complete
and integrated.

> Can you be more specific on what we should/shouldn't do? I personally
> think we should disable macros in documents completely. This is fancy,
> but maybe not so useful.

We should handle security practically the same way as browsers
do it with Java:  If the program is not "certified", the access
to all system features is disabled.

In essence, this means that the scripts will not be allowed to
open anything but LyX documents (and other formats we can import)
that the script knows the specific filename for, and that the
script will not be allowed to write anything except LyX documents
(and other formats we export).
Also, the script will not be allowed to overwrite a file without the
user having the option to cancel.

All other system access is denied.  This includes sending mails,
spawning processes, etc., etc.

In theory, this allows for one malicious open aspect:  Filling
up the hard disk with dummy LyX documents, so maybe we need to
require that the user should confirm any writing of a document,
and furthermore be warned if the document is more than, say,
a megabyte in size.

Next to this restricted mode, we should allow a "trusted" mode,
where the user can say that this specific script is trusted
code.  In trusted mode, the scripting language will be complete,
and thus we can implement versioning control, compiler-support,
play-by-mail games, and whatever we would like.  But only if
the user specifically grants a given script/LyX document the rights by
hand.

And it should not be as simple as saying "yes" to a dialog to
grant this right.  It has to be an active and deliberate and
considered action that is initiated by the user himself.

Later, we can provide more advanced trusting control -- for instance,
it would be logical to add an option to trust all "official" LyX
documents authored by the clever and nice LyX developers.
But this is more complicated, because we would have to use some
kind of encryption technology to electronically sign the documents
so that an "official" LyX document can't be easily faked.

> Do you fear that I run away with all the money?

No, it's just that you are too valuable to lose.  (sob, sob)

Greets,

Asger
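The restricted/trusted split Asger sketches above, written out as a small policy enforcer. This is an added example, not LyX code or anything from the thread: the `ScriptPolicy` class, the `TrustRegistry`, the `Decision` result type, and the importable/exportable extension lists (only `.lyx` is named on the page; `.tex` and `.ps` are assumed) are all constructed for illustration. It models the points made in the message: a restricted script may only read document formats it names explicitly, may only write exportable document formats and only after the user confirms (with a warning above one megabyte), gets no other system access, and becomes trusted only through a registry the user populates by hand, never through a prompt the script can trigger.

```python
"""Toy policy enforcer for document-embedded scripts (assumed design,
not LyX's own code): a restricted mode that confines a script to
document I/O under user confirmation, and a trusted mode that the
user must grant out-of-band."""
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PurePosixPath
from typing import Callable, List, Set

# Constructed allowlists of document formats LyX can import / export.
# ".lyx" comes from the message; the other extensions are assumptions.
IMPORTABLE = {".lyx", ".tex"}
EXPORTABLE = {".lyx", ".tex", ".ps"}
SIZE_WARN_BYTES = 1 << 20          # "more than, say, a megabyte"
GLOB_CHARS = "*?["                 # a script must name the exact file


class Mode(Enum):
    RESTRICTED = "restricted"
    TRUSTED = "trusted"


@dataclass
class Decision:
    """Outcome of a policy check, with any warnings shown to the user."""
    allowed: bool
    reason: str
    warnings: List[str] = field(default_factory=list)


class TrustRegistry:
    """Scripts the user has trusted by hand (e.g. an identifier list kept
    in the user's own configuration). There is deliberately no method a
    script can call to add itself: trust is not a dialog answer."""

    def __init__(self, trusted_ids: Set[str]):
        self._trusted = set(trusted_ids)

    def mode_for(self, script_id: str) -> Mode:
        return Mode.TRUSTED if script_id in self._trusted else Mode.RESTRICTED


class ScriptPolicy:
    def __init__(self, mode: Mode, confirm: Callable[[str], bool]):
        self.mode = mode
        self.confirm = confirm     # user prompt; returning False cancels

    def read(self, path: str) -> Decision:
        if self.mode is Mode.TRUSTED:
            return Decision(True, "trusted script")
        if any(ch in path for ch in GLOB_CHARS):
            return Decision(False, "script must name the exact file; no globbing")
        suffix = PurePosixPath(path).suffix.lower()
        if suffix not in IMPORTABLE:
            return Decision(False, f"{suffix or '(no extension)'} is not an importable document format")
        return Decision(True, "importable document named explicitly")

    def write(self, path: str, size: int, exists: bool) -> Decision:
        if self.mode is Mode.TRUSTED:
            return Decision(True, "trusted script")
        suffix = PurePosixPath(path).suffix.lower()
        if suffix not in EXPORTABLE:
            return Decision(False, f"{suffix or '(no extension)'} is not an exportable document format")
        warnings = []
        if size > SIZE_WARN_BYTES:
            warnings.append(f"document is {size} bytes, above the {SIZE_WARN_BYTES}-byte warning threshold")
        verb = "overwrite" if exists else "write"
        prompt = f"Script wants to {verb} {path} ({size} bytes)"
        if warnings:
            prompt += " -- WARNING: " + "; ".join(warnings)
        # Every write needs confirmation, so overwrites always offer a cancel.
        if not self.confirm(prompt):
            return Decision(False, "cancelled by user", warnings)
        return Decision(True, f"{verb} confirmed by user", warnings)

    def system(self, operation: str) -> Decision:
        """Anything outside document I/O: mail, process spawning, ..."""
        if self.mode is Mode.TRUSTED:
            return Decision(True, "trusted script")
        return Decision(False, f"{operation} denied in restricted mode")


if __name__ == "__main__":
    policy = ScriptPolicy(Mode.RESTRICTED, confirm=lambda prompt: True)
    print(policy.read("notes.lyx"))
    print(policy.read("*.lyx"))
    print(policy.write("out.lyx", size=3 << 20, exists=True))
    print(policy.system("send_mail"))
```

The `confirm` callback stands in for the GUI prompt; passing `lambda prompt: False` simulates a user who cancels. Note that the write check records the warning but still defers to the user, which is the behaviour the message asks for: the script cannot bypass the prompt, and the user sees the size before deciding.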
