
Re: forwarded message from Jeff Licquia




> Several people in this thread have already quoted several possibilities
> where LaTeX could be the vector of a security problem.  If you're going
> to claim impossibility, then I'm afraid I'm going to have to ask for
> proof.

Actually in the case of latex itself the proof is trivial to provide.

LaTeX is a set of macros. It doesn't actually have any capabilities to
do anything.

Any effect of running latex on a document is a result of the macro
expansion engine or the execution of the primitive commands 
into which latex constructs expand.

The expansion engine and the execution engine are both tex-the-program.

So any security issues in latex are not in latex itself (or LPPL'ed
code) but must be due to issues in the underlying tex engine. As a
compiled program with write access to the filesystem, that is of course 
subject to the usual raft of issues, but it isn't under LPPL, most of it
is under a "don't change it if you are not Don Knuth" licence, although
the part that accesses the filesystem is GPL'ed as it happens.
(TeX's file handling is just a stub into which system-dependent code
needs to be added; Debian uses web2c-based tetex and all the web2c
file handling code is GPL)

Of course, for other programs that might be placed under LPPL
this specific line of reasoning would not apply.
But in general I'd say that if you wanted to change a program because of
security issues, changing the name of the program at the same time isn't
so bad. It lets people know whether they have a good or bad version.
So I don't see an LPPL licence as a threat to security.

David
