
Re: forwarded message from Jeff Licquia



On Wed, 2002-07-17 at 10:34, Martin Schröder wrote:
> On 2002-07-17 10:23:56 -0500, Jeff Licquia wrote:
> > On Wed, 2002-07-17 at 04:35, Martin Schröder wrote:
> > > On 2002-07-17 00:44:21 -0400, Simon Law wrote:
> > > > 	I can imagine latex.ltx containing a couple extra
> > > > \openin15=.ssh/identity , \openin15=.gnupg/secring.gpg and
> > > > \openout15=.shrc commands[2] as put there by someone who has cracked an
> > > 
> > > This is not possible on a default TeX installation.
> > 
> > [quotes about security protections removed]
> > 
> > So you agree that LaTeX can be the source of a security hole.  Having
> 
> No. 

Then the protections you quoted are not necessary?  I'm confused.  Why
were they added if they weren't needed?

> The default installation of teTeX makes it extremely difficult (if
> not impossible) to open any security holes. If you are really
> concerned about security in TeX, you could and should enhance the
> web2c TeX distribution, not LaTeX.

Lots of people have made claims that their software is impregnable, and
cannot be exploited.  Lots of people have been wrong.

Several people in this thread have already quoted several possibilities
where LaTeX could be the vector of a security problem.  If you're going
to claim impossibility, then I'm afraid I'm going to have to ask for
proof.

And if it's not impossible (even if it's just "extremely difficult"),
then our concerns for patching any potential holes that come up are
valid.

> P.S.: Your fear of security holes in LaTeX borders on either
>       ludicrous or paranoid (seen from 25 years of TeX history);
>       it is at best very hypothetical.

In 1995, security holes in Microsoft operating systems were also
hypothetical, even after over 10 years of use.  That didn't make the
holes any less real when they were found.

Microsoft even made some claims way back then that sound awfully similar
to the claims you're making now.

I feel duty-bound to point out that I don't think TeX or LaTeX are any
worse than anything else in this regard; for all I know, they may be
better.  It's just my contention that they fall under the category of
"software produced by humans", and that everything that falls into that
category may potentially be a security problem.  That's all.

> P.P.S.: The same potential "security problems" are relevant to
>         plain.tex, which everyone except Donald Knuth is
>         forbidden to change. Are you going to stop distributing
>         that?

That would be a problem, in my opinion.  Unfortunately, I'm having
trouble verifying the TeX licensing situation, so I can't comment on the
status of TeX in Debian.  I'll check that file out if I can find it.
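The "protections" argued about above are the web2c/kpathsea file-name policy that
texmf.cnf exposes as openin_any and openout_any: `a` opens any file, `r` refuses
"dotfiles" (names with a component beginning with `.`), and `p` additionally refuses
parent-directory traversal and absolute paths outside $TEXMFOUTPUT. The following is
an added illustration, not code from this thread or from web2c: a simplified Python
model of that policy (the real C implementation has further special cases this
model omits), run over a constructed TeX fragment that mirrors the \openin/\openout
lines quoted at the top of the thread. The defaults it assumes (openout_any = p,
openin_any = a) are, to my knowledge, what texmf.cnf shipped with at the time; treat
them as an assumption and check your own texmf.cnf.

```python
import re

# Policy letters as used in texmf.cnf for openin_any / openout_any.
ANY, RESTRICTED, PARANOID = "a", "r", "p"


def _is_dotfile_component(component):
    # "." and ".." are directory references, not dotfiles.
    return component.startswith(".") and component not in (".", "..")


def name_ok(path, mode, texmfoutput=None):
    """Decide whether TeX may open `path` under policy `mode`.

    Simplified model of kpathsea's openin_any/openout_any rules (assumption:
    this is an illustration, not the web2c implementation).
    """
    if mode == ANY:
        return True
    parts = [c for c in path.split("/") if c]
    # 'r' and 'p': refuse any dotfile component (.shrc, .ssh/..., .gnupg/...).
    if any(_is_dotfile_component(c) for c in parts):
        return False
    if mode == RESTRICTED:
        return True
    # 'p' only: refuse going to parent directories.
    if ".." in parts:
        return False
    # 'p' only: absolute paths are allowed solely under $TEXMFOUTPUT.
    if path.startswith("/"):
        if texmfoutput is None:
            return False
        root = texmfoutput.rstrip("/")
        return path == root or path.startswith(root + "/")
    return True


# Matches \openin<n>=<file> and \openout<n>=<file> as written in TeX source.
_PRIMITIVE = re.compile(r"\\(openin|openout)\s*\d+\s*=\s*(\S+)")


def audit(tex_source, openin_any=ANY, openout_any=PARANOID, texmfoutput=None):
    """Report what the policy would decide for every \\openin/\\openout in
    `tex_source`, as a list of (primitive, filename, allowed)."""
    results = []
    for primitive, fname in _PRIMITIVE.findall(tex_source):
        mode = openin_any if primitive == "openin" else openout_any
        results.append((primitive, fname, name_ok(fname, mode, texmfoutput)))
    return results


# Constructed sample, modelled on the lines quoted in the thread; it is not
# taken from any real latex.ltx.
SAMPLE = r"""
\openin15=.ssh/identity
\openin15=.gnupg/secring.gpg
\openout15=.shrc
\openout15=../hook.sh
\openout15=paper.aux
"""

if __name__ == "__main__":
    for primitive, fname, allowed in audit(SAMPLE):
        print(f"{primitive:8} {fname:24} {'allowed' if allowed else 'REFUSED'}")
```

With the assumed defaults the two dotfile writes are refused but both reads go
through, because openin_any = a places no restriction on what TeX may read; a site
that wants to shut that door sets openin_any = r or p in texmf.cnf, at the cost of
inputs that legitimately live in dot-directories.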


--
To UNSUBSCRIBE, email to debian-legal-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org