date:20121020

Re: branch warnings

2012-10-20 Thread Jürgen Spitzmüller

Jean-Marc Lasgouttes wrote:
 Can you check that the following patch helps?

Does not seem to help, unfortunately.

Jürgen

 JMarc

Re: Press about LyX

2012-10-20 Thread Jürgen Spitzmüller

Jerry wrote:
 Who among the LyX developers has the power to edit the press page,
 http://www.lyx.org/PressAboutLyX? Daniel has written an article about LyX
 for the HowToAnswer web site and would like to get it linked from the LyX
 press page. Surely this benefits the LyX community as well.

I've added it. Thanks for the review.

Jürgen

Re: branch warnings

2012-10-20 Thread Jean-Marc Lasgouttes

What error message do you get ? The same ?


Jürgen Spitzmüller sp...@lyx.org a écrit :

Jean-Marc Lasgouttes wrote:
 Can you check that the following patch helps?

Does not seem to help, unfortunately.

Jürgen

 JMarc

Re: branch warnings

2012-10-20 Thread Jürgen Spitzmüller

Jean-Marc Lasgouttes wrote:
 What error message do you get ? The same ?

Looks like it:

In file included from ./boost/config.hpp:44:0,
 from libs/regex/src/c_regex_traits.cpp:22:
./boost/config/stdlib/libstdcpp3.hpp:42:0: warning: BOOST_DISABLE_THREADS 
redefined [enabled by default]
In file included from ./boost/config.hpp:26:0,
 from libs/regex/src/c_regex_traits.cpp:22:
../config.h:629:0: note: this is the location of the previous definition

etc.

I've issued ./autogen.sh and reconfigured after applying the patch. I did not 
do a make clean.

Jürgen

Re: $$e not set on import -- import of .Rnw (knitr) fails

2012-10-20 Thread Scott Kostyshak

On Fri, Oct 19, 2012 at 5:11 AM, Jean-Marc Lasgouttes
lasgout...@lyx.org wrote:
 Le 18/10/2012 16:19, Scott Kostyshak a écrit :

 The unchangedConverter.log is here (error):
 http://paste.debian.net/201557/


 So the error happens on export to latex because the encoding is not
 specified.

The error happens when importing the Rnw in LyX, which from what I
understand currently calls the Rnw - LaTeX (plain) converter and then
run tex2lyx.

 I think I do not understand what you do exactly. Does the same happen with
 Sweave (I do not have knitr here)?

Yes, the same happens with Sweave because the converter Sweave -
LaTeX (plain) has a $$e and that string is set to empty because of the
following code:
command = subst(command, token_encoding, buffer ?
buffer-params().encoding().iconvName() : string());

 Could you send me an example file and a
 step by step description of what you actually do?

Yes. I've been using the example file that comes with LyX but I think
that the same error would occur with trying to import any .Rnw file
via Sweave or knitr.

1. Start a clean LyX instance from current master branch (although I
have the same problem in branch. I wonder if importing a .Rnw has
worked at some point?).
2. File  Open  Examples button  sweave.lyx
3. File  Export  Export As  [tempfolder]/sweaveexample.Rnw  (select
the Sweave (.Rnw) format)
4. Close the current document (the sweave.lyx file) just to make sure
that it's not involved with the import probem.
5. File  Import  Sweave...  [tempfolder]/sweaveexample.Rnw
6. At this point I get an error.

Here are steps to show that (1) it is indeed the Sweave - LaTeX
(plain) converter that is being used and (2) that setting the $$e
variable improves things:
7. Close the error box from (6).
8. Go to Tools  Preferences  File Handling  Converters  select
Sweave - LaTeX (plain) and in the Converter text box manually delete
$$e and insert in it's place ISO-8859-15 so that the converter is
now:
Rscript --verbose --no-save --no-restore $$s/scripts/lyxsweave.R
$$p$$i $$p$$o ISO-8859-15 $$r
9. Click the Modify button.
10. Click the Save button.
11. Repeat step (5).
12. The .Rnw is now partly imported. There will be other problems in
the import process which I think are due to tex2lyx, but these
problems are different from the Rnw - tex problem I am reporting
here.

Is the solution to modify lyxsweave.R and lyxknitr.R so that if they
are not passed an encoding they should just not change the encoding
from the default R one? This would be easy to do.

Thanks,

Scott

Re: $$e not set on import -- import of .Rnw (knitr) fails

2012-10-20 Thread Yihui Xie

I think it should be easy to ignore the encoding argument if it does
not exist, but the problem that confuses me is why importing Rnw is
involved with lyxsweave.R or lyxknitr.R. I mean Rnw should be treated
as a normal TeX document (the R code should not be executed through
Sweave or knitr), except that the code chunks (between = and @)
should be treated differently, e.g. as ERT.

Regards,
Yihui
--
Yihui Xie xieyi...@gmail.com
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA


On Sat, Oct 20, 2012 at 11:13 AM, Scott Kostyshak skost...@lyx.org wrote:
 On Fri, Oct 19, 2012 at 5:11 AM, Jean-Marc Lasgouttes
 lasgout...@lyx.org wrote:
 Le 18/10/2012 16:19, Scott Kostyshak a écrit :

 The unchangedConverter.log is here (error):
 http://paste.debian.net/201557/


 So the error happens on export to latex because the encoding is not
 specified.

 The error happens when importing the Rnw in LyX, which from what I
 understand currently calls the Rnw - LaTeX (plain) converter and then
 run tex2lyx.

 I think I do not understand what you do exactly. Does the same happen with
 Sweave (I do not have knitr here)?

 Yes, the same happens with Sweave because the converter Sweave -
 LaTeX (plain) has a $$e and that string is set to empty because of the
 following code:
 command = subst(command, token_encoding, buffer ?
 buffer-params().encoding().iconvName() : string());

 Could you send me an example file and a
 step by step description of what you actually do?

 Yes. I've been using the example file that comes with LyX but I think
 that the same error would occur with trying to import any .Rnw file
 via Sweave or knitr.

 1. Start a clean LyX instance from current master branch (although I
 have the same problem in branch. I wonder if importing a .Rnw has
 worked at some point?).
 2. File  Open  Examples button  sweave.lyx
 3. File  Export  Export As  [tempfolder]/sweaveexample.Rnw  (select
 the Sweave (.Rnw) format)
 4. Close the current document (the sweave.lyx file) just to make sure
 that it's not involved with the import probem.
 5. File  Import  Sweave...  [tempfolder]/sweaveexample.Rnw
 6. At this point I get an error.

 Here are steps to show that (1) it is indeed the Sweave - LaTeX
 (plain) converter that is being used and (2) that setting the $$e
 variable improves things:
 7. Close the error box from (6).
 8. Go to Tools  Preferences  File Handling  Converters  select
 Sweave - LaTeX (plain) and in the Converter text box manually delete
 $$e and insert in it's place ISO-8859-15 so that the converter is
 now:
 Rscript --verbose --no-save --no-restore $$s/scripts/lyxsweave.R
 $$p$$i $$p$$o ISO-8859-15 $$r
 9. Click the Modify button.
 10. Click the Save button.
 11. Repeat step (5).
 12. The .Rnw is now partly imported. There will be other problems in
 the import process which I think are due to tex2lyx, but these
 problems are different from the Rnw - tex problem I am reporting
 here.

 Is the solution to modify lyxsweave.R and lyxknitr.R so that if they
 are not passed an encoding they should just not change the encoding
 from the default R one? This would be easy to do.

 Thanks,

 Scott

Re: $$e not set on import -- import of .Rnw (knitr) fails

2012-10-20 Thread Scott Kostyshak

On Sat, Oct 20, 2012 at 6:17 PM, Yihui Xie x...@yihui.name wrote:
 I think it should be easy to ignore the encoding argument if it does
 not exist, but the problem that confuses me is why importing Rnw is
 involved with lyxsweave.R or lyxknitr.R. I mean Rnw should be treated
 as a normal TeX document (the R code should not be executed through
 Sweave or knitr), except that the code chunks (between = and @)
 should be treated differently, e.g. as ERT.

You're right. Now I understand what JMarc was saying -- this converter
should not be used for importing. This is the problem.

Scott

Re: Noweb/Literate programming Copier problem

2012-10-20 Thread Yihui Xie

I think that should be enough. A pointer to the knitr manual in
Help--Specific Manuals--Knitr Manual can be helpful too (I
remember Liviu mentioned this once).

BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here:
https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705
Otherwise users may not be able to open this file (\lyxformat 424 is
too high).

Thanks!

Regards,
Yihui
--
Yihui Xie xieyi...@gmail.com
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA


On Tue, Oct 16, 2012 at 7:58 PM, Scott Kostyshak skost...@lyx.org wrote:

 OK thanks for the tips. I'm guessing it's OK to update the format in
 trunk when changing the manuals?

 I don't think anything in-depth needs to be written there about knitr
 in the Additional manual because knitr already has a manual for use
 with LyX. However, it is currently an example. The only thing
 unmanual-like about knitr.lyx is its length, but in my opinion it is
 sufficient as is, especially because a lot that is in the Sweave
 manual applies to knitr.

 Attached is a patch to update the Additional manual. Is it OK?

 Thanks,

 Scott

Re: Noweb/Literate programming Copier problem

2012-10-20 Thread Scott Kostyshak

On Sat, Oct 20, 2012 at 6:40 PM, Yihui Xie x...@yihui.name wrote:
 I think that should be enough. A pointer to the knitr manual in
 Help--Specific Manuals--Knitr Manual can be helpful too (I
 remember Liviu mentioned this once).

Sure, I can do that. Pavel, is that OK? Trunk only?

 BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here:
 https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705
 Otherwise users may not be able to open this file (\lyxformat 424 is
 too high).

424 is only for the master branch. knitr.lyx in the 2.0.x branch has
format 413. I think this is consistent with the other manuals. Am I
missing something?

Thanks,

Scott

 Thanks!

 Regards,
 Yihui
 --
 Yihui Xie xieyi...@gmail.com
 Phone: 515-294-2465 Web: http://yihui.name
 Department of Statistics, Iowa State University
 2215 Snedecor Hall, Ames, IA


 On Tue, Oct 16, 2012 at 7:58 PM, Scott Kostyshak skost...@lyx.org wrote:

 OK thanks for the tips. I'm guessing it's OK to update the format in
 trunk when changing the manuals?

 I don't think anything in-depth needs to be written there about knitr
 in the Additional manual because knitr already has a manual for use
 with LyX. However, it is currently an example. The only thing
 unmanual-like about knitr.lyx is its length, but in my opinion it is
 sufficient as is, especially because a lot that is in the Sweave
 manual applies to knitr.

 Attached is a patch to update the Additional manual. Is it OK?

 Thanks,

 Scott

Re: Noweb/Literate programming Copier problem

2012-10-20 Thread Yihui Xie

I see. I did not check out the 2.0.x branch. It is indeed 413 there. Thanks!

Regards,
Yihui
--
Yihui Xie xieyi...@gmail.com
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA


On Sat, Oct 20, 2012 at 5:53 PM, Scott Kostyshak skost...@lyx.org wrote:
 On Sat, Oct 20, 2012 at 6:40 PM, Yihui Xie x...@yihui.name wrote:
 I think that should be enough. A pointer to the knitr manual in
 Help--Specific Manuals--Knitr Manual can be helpful too (I
 remember Liviu mentioned this once).

 Sure, I can do that. Pavel, is that OK? Trunk only?

 BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here:
 https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705
 Otherwise users may not be able to open this file (\lyxformat 424 is
 too high).

 424 is only for the master branch. knitr.lyx in the 2.0.x branch has
 format 413. I think this is consistent with the other manuals. Am I
 missing something?

 Thanks,

 Scott

knitr and Sweave security

2012-10-20 Thread Scott Kostyshak

I do not see knitr and Sweave security discussed anywhere. The
Customization guide has 5 paragraphs on security regarding external
templates.

For example, someone could post a .lyx file asking for help that
contains malicious code. I don't always check the list of modules that
a document has and sometimes it might be hard to go through the entire
file looking at the chunks of code (which might not stand out since
they can be collapsed) before compiling. Using R's system command,
one can run arbitrary commands, downloading/uploading or deleting
information.

In the external template support, measures are taken to restrict the
access that the user has to the shell.

I do not see any options that Rscript can accept to provide more security.

Any thoughts as far as improving security, warning the user, or documentation?

Thanks,

Scott

Re: knitr and Sweave security

2012-10-20 Thread Yihui Xie

I do not see an obvious approach to solve this issue except
documenting the potential security problem in the manual. It exists in
all R-related applications, including R packages. I have seen people
collecting keywords like system() and file.remove(), but that is
apparently far from a perfect solution. Education is probably the only
way...

Regards,
Yihui
--
Yihui Xie xieyi...@gmail.com
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA


On Sat, Oct 20, 2012 at 8:51 PM, Scott Kostyshak skost...@lyx.org wrote:
 I do not see knitr and Sweave security discussed anywhere. The
 Customization guide has 5 paragraphs on security regarding external
 templates.

 For example, someone could post a .lyx file asking for help that
 contains malicious code. I don't always check the list of modules that
 a document has and sometimes it might be hard to go through the entire
 file looking at the chunks of code (which might not stand out since
 they can be collapsed) before compiling. Using R's system command,
 one can run arbitrary commands, downloading/uploading or deleting
 information.

 In the external template support, measures are taken to restrict the
 access that the user has to the shell.

 I do not see any options that Rscript can accept to provide more security.

 Any thoughts as far as improving security, warning the user, or documentation?

 Thanks,

 Scott

Re: knitr and Sweave security

2012-10-20 Thread Scott Kostyshak

On Sat, Oct 20, 2012 at 10:18 PM, Yihui Xie x...@yihui.name wrote:
 I do not see an obvious approach to solve this issue except
 documenting the potential security problem in the manual. It exists in
 all R-related applications, including R packages. I have seen people
 collecting keywords like system() and file.remove(), but that is
 apparently far from a perfect solution. Education is probably the only
 way...

You mean searching the chunk for the word system? I agree that it
would be useless:
first - sy
second - stem
do.call(paste(first,second,sep=),list(command=echo I still have
access  tempfile.txt))

What if knitr overrides the system function before processing the chunk?
My guess is that it's not a good idea: there is probably a way around
it, there are many other functions that would need to be blacklisted
and overridden, and it would probably cause more bugs than security.
But I wanted to throw it out there.

Thanks,

Scott


 Regards,
 Yihui
 --
 Yihui Xie xieyi...@gmail.com
 Phone: 515-294-2465 Web: http://yihui.name
 Department of Statistics, Iowa State University
 2215 Snedecor Hall, Ames, IA


 On Sat, Oct 20, 2012 at 8:51 PM, Scott Kostyshak skost...@lyx.org wrote:
 I do not see knitr and Sweave security discussed anywhere. The
 Customization guide has 5 paragraphs on security regarding external
 templates.

 For example, someone could post a .lyx file asking for help that
 contains malicious code. I don't always check the list of modules that
 a document has and sometimes it might be hard to go through the entire
 file looking at the chunks of code (which might not stand out since
 they can be collapsed) before compiling. Using R's system command,
 one can run arbitrary commands, downloading/uploading or deleting
 information.

 In the external template support, measures are taken to restrict the
 access that the user has to the shell.

 I do not see any options that Rscript can accept to provide more security.

 Any thoughts as far as improving security, warning the user, or 
 documentation?

 Thanks,

 Scott

Re: knitr and Sweave security

2012-10-20 Thread Yihui Xie

The blacklist-based solution can stop nothing as you showed, so I
think we cannot do much except writing it in the documentation.

Regards,
Yihui
--
Yihui Xie xieyi...@gmail.com
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA


On Sat, Oct 20, 2012 at 9:41 PM, Scott Kostyshak skost...@lyx.org wrote:

 You mean searching the chunk for the word system? I agree that it
 would be useless:
 first - sy
 second - stem
 do.call(paste(first,second,sep=),list(command=echo I still have
 access  tempfile.txt))

 What if knitr overrides the system function before processing the chunk?
 My guess is that it's not a good idea: there is probably a way around
 it, there are many other functions that would need to be blacklisted
 and overridden, and it would probably cause more bugs than security.
 But I wanted to throw it out there.

 Thanks,

 Scott

Re: branch warnings

2012-10-20 Thread Jürgen Spitzmüller

Jean-Marc Lasgouttes wrote:
> Can you check that the following patch helps?

Does not seem to help, unfortunately.

Jürgen

> JMarc

Re: Press about LyX

2012-10-20 Thread Jürgen Spitzmüller

Jerry wrote:
> Who among the LyX developers has the power to edit the press page,
> http://www.lyx.org/PressAboutLyX? Daniel has written an article about LyX
> for the HowToAnswer web site and would like to get it linked from the LyX
> press page. Surely this benefits the LyX community as well.

I've added it. Thanks for the review.

Jürgen

Re: branch warnings

2012-10-20 Thread Jean-Marc Lasgouttes

What error message do you get ? The same ?


"Jürgen Spitzmüller"  a écrit :

>Jean-Marc Lasgouttes wrote:
>> Can you check that the following patch helps?
>
>Does not seem to help, unfortunately.
>
>Jürgen
>
>> JMarc

Re: branch warnings

2012-10-20 Thread Jürgen Spitzmüller

Jean-Marc Lasgouttes wrote:
> What error message do you get ? The same ?

Looks like it:

In file included from ./boost/config.hpp:44:0,
 from libs/regex/src/c_regex_traits.cpp:22:
./boost/config/stdlib/libstdcpp3.hpp:42:0: warning: "BOOST_DISABLE_THREADS" 
redefined [enabled by default]
In file included from ./boost/config.hpp:26:0,
 from libs/regex/src/c_regex_traits.cpp:22:
../config.h:629:0: note: this is the location of the previous definition

etc.

I've issued ./autogen.sh and reconfigured after applying the patch. I did not 
do a make clean.

Jürgen

Re: $$e not set on import --> import of .Rnw (knitr) fails

2012-10-20 Thread Scott Kostyshak

On Fri, Oct 19, 2012 at 5:11 AM, Jean-Marc Lasgouttes
 wrote:
> Le 18/10/2012 16:19, Scott Kostyshak a écrit :
>
>> The unchangedConverter.log is here (error):
>> http://paste.debian.net/201557/
>
>
> So the error happens on export to latex because the encoding is not
> specified.

The error happens when importing the Rnw in LyX, which from what I
understand currently calls the Rnw -> LaTeX (plain) converter and then
run tex2lyx.

> I think I do not understand what you do exactly. Does the same happen with
> Sweave (I do not have knitr here)?

Yes, the same happens with Sweave because the converter Sweave ->
LaTeX (plain) has a $$e and that string is set to empty because of the
following code:
command = subst(command, token_encoding, buffer ?
buffer->params().encoding().iconvName() : string());

> Could you send me an example file and a
> step by step description of what you actually do?

Yes. I've been using the example file that comes with LyX but I think
that the same error would occur with trying to import any .Rnw file
via Sweave or knitr.

1. Start a clean LyX instance from current master branch (although I
have the same problem in branch. I wonder if importing a .Rnw has
worked at some point?).
2. File > Open > Examples button > sweave.lyx
3. File > Export > Export As > [tempfolder]/sweaveexample.Rnw  (select
the Sweave (.Rnw) format)
4. Close the current document (the sweave.lyx file) just to make sure
that it's not involved with the import probem.
5. File > Import > Sweave... > [tempfolder]/sweaveexample.Rnw
6. At this point I get an error.

Here are steps to show that (1) it is indeed the Sweave -> LaTeX
(plain) converter that is being used and (2) that setting the $$e
variable improves things:
7. Close the error box from (6).
8. Go to Tools > Preferences > File Handling > Converters > select
Sweave -> LaTeX (plain) and in the Converter text box manually delete
"$$e" and insert in it's place "ISO-8859-15" so that the converter is
now:
Rscript --verbose --no-save --no-restore $$s/scripts/lyxsweave.R
$$p$$i $$p$$o ISO-8859-15 $$r
9. Click the Modify button.
10. Click the Save button.
11. Repeat step (5).
12. The .Rnw is now partly imported. There will be other problems in
the import process which I think are due to tex2lyx, but these
problems are different from the Rnw -> tex problem I am reporting
here.

Is the solution to modify lyxsweave.R and lyxknitr.R so that if they
are not passed an encoding they should just not change the encoding
from the default R one? This would be easy to do.

Thanks,

Scott

Re: $$e not set on import --> import of .Rnw (knitr) fails

2012-10-20 Thread Yihui Xie

I think it should be easy to ignore the encoding argument if it does
not exist, but the problem that confuses me is why importing Rnw is
involved with lyxsweave.R or lyxknitr.R. I mean Rnw should be treated
as a normal TeX document (the R code should not be executed through
Sweave or knitr), except that the code chunks (between <<>>= and @)
should be treated differently, e.g. as ERT.

Regards,
Yihui
--
Yihui Xie 
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA


On Sat, Oct 20, 2012 at 11:13 AM, Scott Kostyshak  wrote:
> On Fri, Oct 19, 2012 at 5:11 AM, Jean-Marc Lasgouttes
>  wrote:
>> Le 18/10/2012 16:19, Scott Kostyshak a écrit :
>>
>>> The unchangedConverter.log is here (error):
>>> http://paste.debian.net/201557/
>>
>>
>> So the error happens on export to latex because the encoding is not
>> specified.
>
> The error happens when importing the Rnw in LyX, which from what I
> understand currently calls the Rnw -> LaTeX (plain) converter and then
> run tex2lyx.
>
>> I think I do not understand what you do exactly. Does the same happen with
>> Sweave (I do not have knitr here)?
>
> Yes, the same happens with Sweave because the converter Sweave ->
> LaTeX (plain) has a $$e and that string is set to empty because of the
> following code:
> command = subst(command, token_encoding, buffer ?
> buffer->params().encoding().iconvName() : string());
>
>> Could you send me an example file and a
>> step by step description of what you actually do?
>
> Yes. I've been using the example file that comes with LyX but I think
> that the same error would occur with trying to import any .Rnw file
> via Sweave or knitr.
>
> 1. Start a clean LyX instance from current master branch (although I
> have the same problem in branch. I wonder if importing a .Rnw has
> worked at some point?).
> 2. File > Open > Examples button > sweave.lyx
> 3. File > Export > Export As > [tempfolder]/sweaveexample.Rnw  (select
> the Sweave (.Rnw) format)
> 4. Close the current document (the sweave.lyx file) just to make sure
> that it's not involved with the import probem.
> 5. File > Import > Sweave... > [tempfolder]/sweaveexample.Rnw
> 6. At this point I get an error.
>
> Here are steps to show that (1) it is indeed the Sweave -> LaTeX
> (plain) converter that is being used and (2) that setting the $$e
> variable improves things:
> 7. Close the error box from (6).
> 8. Go to Tools > Preferences > File Handling > Converters > select
> Sweave -> LaTeX (plain) and in the Converter text box manually delete
> "$$e" and insert in it's place "ISO-8859-15" so that the converter is
> now:
> Rscript --verbose --no-save --no-restore $$s/scripts/lyxsweave.R
> $$p$$i $$p$$o ISO-8859-15 $$r
> 9. Click the Modify button.
> 10. Click the Save button.
> 11. Repeat step (5).
> 12. The .Rnw is now partly imported. There will be other problems in
> the import process which I think are due to tex2lyx, but these
> problems are different from the Rnw -> tex problem I am reporting
> here.
>
> Is the solution to modify lyxsweave.R and lyxknitr.R so that if they
> are not passed an encoding they should just not change the encoding
> from the default R one? This would be easy to do.
>
> Thanks,
>
> Scott

Re: $$e not set on import --> import of .Rnw (knitr) fails

2012-10-20 Thread Scott Kostyshak

On Sat, Oct 20, 2012 at 6:17 PM, Yihui Xie  wrote:
> I think it should be easy to ignore the encoding argument if it does
> not exist, but the problem that confuses me is why importing Rnw is
> involved with lyxsweave.R or lyxknitr.R. I mean Rnw should be treated
> as a normal TeX document (the R code should not be executed through
> Sweave or knitr), except that the code chunks (between <<>>= and @)
> should be treated differently, e.g. as ERT.

You're right. Now I understand what JMarc was saying -- this converter
should not be used for importing. This is the problem.

Scott

Re: Noweb/Literate programming Copier problem

2012-10-20 Thread Yihui Xie

I think that should be enough. A pointer to the knitr manual in
"Help-->Specific Manuals-->Knitr Manual" can be helpful too (I
remember Liviu mentioned this once).

BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here:
https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705
Otherwise users may not be able to open this file (\lyxformat 424 is
too high).

Thanks!

Regards,
Yihui
--
Yihui Xie 
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA

On Tue, Oct 16, 2012 at 7:58 PM, Scott Kostyshak  wrote:
>
> OK thanks for the tips. I'm guessing it's OK to update the format in
> trunk when changing the manuals?
>
> I don't think anything in-depth needs to be written there about knitr
> in the Additional manual because knitr already has a "manual" for use
> with LyX. However, it is currently an example. The only thing
> unmanual-like about knitr.lyx is its length, but in my opinion it is
> sufficient as is, especially because a lot that is in the Sweave
> manual applies to knitr.
>
> Attached is a patch to update the Additional manual. Is it OK?
>
> Thanks,
>
> Scott

Re: Noweb/Literate programming Copier problem

2012-10-20 Thread Scott Kostyshak

On Sat, Oct 20, 2012 at 6:40 PM, Yihui Xie  wrote:
> I think that should be enough. A pointer to the knitr manual in
> "Help-->Specific Manuals-->Knitr Manual" can be helpful too (I
> remember Liviu mentioned this once).

Sure, I can do that. Pavel, is that OK? Trunk only?

> BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here:
> https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705
> Otherwise users may not be able to open this file (\lyxformat 424 is
> too high).

424 is only for the master branch. knitr.lyx in the 2.0.x branch has
format 413. I think this is consistent with the other manuals. Am I
missing something?

Thanks,

Scott

> Thanks!
>
> Regards,
> Yihui
> --
> Yihui Xie 
> Phone: 515-294-2465 Web: http://yihui.name
> Department of Statistics, Iowa State University
> 2215 Snedecor Hall, Ames, IA
>
>
> On Tue, Oct 16, 2012 at 7:58 PM, Scott Kostyshak  wrote:
>>
>> OK thanks for the tips. I'm guessing it's OK to update the format in
>> trunk when changing the manuals?
>>
>> I don't think anything in-depth needs to be written there about knitr
>> in the Additional manual because knitr already has a "manual" for use
>> with LyX. However, it is currently an example. The only thing
>> unmanual-like about knitr.lyx is its length, but in my opinion it is
>> sufficient as is, especially because a lot that is in the Sweave
>> manual applies to knitr.
>>
>> Attached is a patch to update the Additional manual. Is it OK?
>>
>> Thanks,
>>
>> Scott

Re: Noweb/Literate programming Copier problem

2012-10-20 Thread Yihui Xie

I see. I did not check out the 2.0.x branch. It is indeed 413 there. Thanks!

Regards,
Yihui
--
Yihui Xie 
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA


On Sat, Oct 20, 2012 at 5:53 PM, Scott Kostyshak  wrote:
> On Sat, Oct 20, 2012 at 6:40 PM, Yihui Xie  wrote:
>> I think that should be enough. A pointer to the knitr manual in
>> "Help-->Specific Manuals-->Knitr Manual" can be helpful too (I
>> remember Liviu mentioned this once).
>
> Sure, I can do that. Pavel, is that OK? Trunk only?
>
>> BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here:
>> https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705
>> Otherwise users may not be able to open this file (\lyxformat 424 is
>> too high).
>
> 424 is only for the master branch. knitr.lyx in the 2.0.x branch has
> format 413. I think this is consistent with the other manuals. Am I
> missing something?
>
> Thanks,
>
> Scott
>

knitr and Sweave security

2012-10-20 Thread Scott Kostyshak

I do not see knitr and Sweave security discussed anywhere. The
Customization guide has 5 paragraphs on security regarding external
templates.

For example, someone could post a .lyx file asking for help that
contains malicious code. I don't always check the list of modules that
a document has and sometimes it might be hard to go through the entire
file looking at the chunks of code (which might not stand out since
they can be collapsed) before compiling. Using R's "system" command,
one can run arbitrary commands, downloading/uploading or deleting
information.

In the external template support, measures are taken to restrict the
access that the user has to the shell.

I do not see any options that Rscript can accept to provide more security.

Any thoughts as far as improving security, warning the user, or documentation?

Thanks,

Scott

Re: knitr and Sweave security

2012-10-20 Thread Yihui Xie

I do not see an obvious approach to solve this issue except
documenting the potential security problem in the manual. It exists in
all R-related applications, including R packages. I have seen people
collecting keywords like system() and file.remove(), but that is
apparently far from a perfect solution. Education is probably the only
way...

Regards,
Yihui
--
Yihui Xie 
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA


On Sat, Oct 20, 2012 at 8:51 PM, Scott Kostyshak  wrote:
> I do not see knitr and Sweave security discussed anywhere. The
> Customization guide has 5 paragraphs on security regarding external
> templates.
>
> For example, someone could post a .lyx file asking for help that
> contains malicious code. I don't always check the list of modules that
> a document has and sometimes it might be hard to go through the entire
> file looking at the chunks of code (which might not stand out since
> they can be collapsed) before compiling. Using R's "system" command,
> one can run arbitrary commands, downloading/uploading or deleting
> information.
>
> In the external template support, measures are taken to restrict the
> access that the user has to the shell.
>
> I do not see any options that Rscript can accept to provide more security.
>
> Any thoughts as far as improving security, warning the user, or documentation?
>
> Thanks,
>
> Scott

Re: knitr and Sweave security

2012-10-20 Thread Scott Kostyshak

On Sat, Oct 20, 2012 at 10:18 PM, Yihui Xie  wrote:
> I do not see an obvious approach to solve this issue except
> documenting the potential security problem in the manual. It exists in
> all R-related applications, including R packages. I have seen people
> collecting keywords like system() and file.remove(), but that is
> apparently far from a perfect solution. Education is probably the only
> way...

You mean searching the chunk for the word "system"? I agree that it
would be useless:
first <- "sy"
second <- "stem"
do.call(paste(first,second,sep=""),list(command="echo I still have
access >> tempfile.txt"))

What if knitr overrides the "system" function before processing the chunk?
My guess is that it's not a good idea: there is probably a way around
it, there are many other functions that would need to be blacklisted
and overridden, and it would probably cause more bugs than security.
But I wanted to throw it out there.

Thanks,

Scott

>
> Regards,
> Yihui
> --
> Yihui Xie 
> Phone: 515-294-2465 Web: http://yihui.name
> Department of Statistics, Iowa State University
> 2215 Snedecor Hall, Ames, IA
>
>
> On Sat, Oct 20, 2012 at 8:51 PM, Scott Kostyshak  wrote:
>> I do not see knitr and Sweave security discussed anywhere. The
>> Customization guide has 5 paragraphs on security regarding external
>> templates.
>>
>> For example, someone could post a .lyx file asking for help that
>> contains malicious code. I don't always check the list of modules that
>> a document has and sometimes it might be hard to go through the entire
>> file looking at the chunks of code (which might not stand out since
>> they can be collapsed) before compiling. Using R's "system" command,
>> one can run arbitrary commands, downloading/uploading or deleting
>> information.
>>
>> In the external template support, measures are taken to restrict the
>> access that the user has to the shell.
>>
>> I do not see any options that Rscript can accept to provide more security.
>>
>> Any thoughts as far as improving security, warning the user, or 
>> documentation?
>>
>> Thanks,
>>
>> Scott

Re: knitr and Sweave security

2012-10-20 Thread Yihui Xie

The blacklist-based solution can stop nothing as you showed, so I
think we cannot do much except writing it in the documentation.

Regards,
Yihui
--
Yihui Xie 
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA


On Sat, Oct 20, 2012 at 9:41 PM, Scott Kostyshak  wrote:
>
> You mean searching the chunk for the word "system"? I agree that it
> would be useless:
> first <- "sy"
> second <- "stem"
> do.call(paste(first,second,sep=""),list(command="echo I still have
> access >> tempfile.txt"))
>
> What if knitr overrides the "system" function before processing the chunk?
> My guess is that it's not a good idea: there is probably a way around
> it, there are many other functions that would need to be blacklisted
> and overridden, and it would probably cause more bugs than security.
> But I wanted to throw it out there.
>
> Thanks,
>
> Scott

Re: branch warnings

Re: Press about LyX

Re: branch warnings

Re: branch warnings

Re: $$e not set on import -- import of .Rnw (knitr) fails

Re: $$e not set on import -- import of .Rnw (knitr) fails

Re: $$e not set on import -- import of .Rnw (knitr) fails

Re: Noweb/Literate programming Copier problem

Re: Noweb/Literate programming Copier problem

Re: Noweb/Literate programming Copier problem

knitr and Sweave security

Re: knitr and Sweave security

Re: knitr and Sweave security

Re: knitr and Sweave security

Re: branch warnings

Re: Press about LyX

Re: branch warnings

Re: branch warnings

Re: $$e not set on import --> import of .Rnw (knitr) fails

Re: $$e not set on import --> import of .Rnw (knitr) fails

Re: $$e not set on import --> import of .Rnw (knitr) fails

Re: Noweb/Literate programming Copier problem

Re: Noweb/Literate programming Copier problem

Re: Noweb/Literate programming Copier problem

knitr and Sweave security

Re: knitr and Sweave security

Re: knitr and Sweave security

Re: knitr and Sweave security

28 matches

Site Navigation

Mail list logo

Footer information