
Re: forwarded message from Jeff Licquia



> telnetd is a set of machine-language instructions. It doesn't actually
> have any capabilities to do anything.

This misses the point entirely, so I'll try stating it another way.
LaTeX essentially runs in a virtual machine provided by TeX the program.

If you set the security options for tex-the-program correctly then
the access of any tex document to read and/or write to your filesystem
or to run external programs can be controlled suitably (and turned off
by default in the case of running external programs.)

Assuming TeX is bug free and correctly installed, then there
is _nothing_ you can do in LaTeX that gets round that.
If you manage to find some LaTeX construct that does get round it, it is
a bug in TeX, so it needs to be fixed there. In that case the fix will
not be in LPPL code (most likely it is in GPL'ed code, as all TeX's file
and system call handling is GPL in the version of TeX on Debian).


telnetd is not at all similar, as those machine instructions are running
in an environment that does have access to secure information, so it is
the responsibility of the program not to do the wrong thing.

More similar would be a Java program running in the secure environment
in a browser. If you find an applet that manages to escape from the
browser and trash your filesystem, then fixing the applet isn't really
the right thing to do; you should fix the security lapse in the browser's
JVM.

David
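
In current web2c-based TeX distributions, options of the kind the message describes are the `shell_escape`, `openin_any` and `openout_any` entries of texmf.cnf. The script below is an added example, not part of the original message: it rates those three settings in a texmf.cnf-style fragment, and its function names, rating labels and sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: rate the web2c/kpathsea settings that bound what a TeX
# document may read, write or execute. Rating labels are this example's own.

# rate_setting NAME VALUE -> prints strict | limited | open | unknown
rate_setting() {
    case "$1=$2" in
        shell_escape=f) echo strict ;;   # \write18 disabled
        shell_escape=p) echo limited ;;  # only commands in shell_escape_commands
        shell_escape=t) echo open ;;     # documents may run any command
        openin_any=p|openout_any=p) echo strict ;;   # paranoid: also no .. and no absolute paths outside TEXMFOUTPUT
        openin_any=r|openout_any=r) echo limited ;;  # restricted: no dotfiles
        openin_any=a|openout_any=a) echo open ;;     # any path allowed
        *) echo unknown ;;
    esac
}

# audit_settings: read texmf.cnf-style "name = value" lines on stdin, print a
# rating per relevant setting, return 1 if any is rated open or unknown.
audit_settings() {
    rc=0
    while IFS= read -r line; do
        line=${line%%\%*}    # drop % comments
        name=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*\([a-z_]*\)[[:space:]]*=.*/\1/p')
        value=$(printf '%s\n' "$line" | sed -n 's/^[^=]*=[[:space:]]*\([^[:space:]]*\).*/\1/p')
        case "$name" in
            shell_escape|openin_any|openout_any) ;;
            *) continue ;;   # not one of the three settings audited here
        esac
        rating=$(rate_setting "$name" "$value")
        echo "$name=$value: $rating"
        case "$rating" in open|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample fragment, not taken from a real installation.
sample_cnf() {
    cat <<'EOF'
shell_escape = t   % weak: any document can run commands
openout_any = p
openin_any = a
EOF
}

sample_cnf | audit_settings || echo "sample fragment: tighten the settings rated open"
```

To audit a live installation, feed `audit_settings` the values reported by `kpsewhich -var-value=shell_escape` (and likewise for the other two names) in `name = value` form.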
