
Re: LaTeX & DFSG



> The problem is that I do not believe that the security model of TeX and
> the security model of LaTeX are absolutely equivalent.  They may be
> close, but "close" doesn't cut it in the security world.

I don't think they are close. I assert they are the same as latex is just
part of the input to TeX. It is to TeX just the first part of the
document. Any code in latex could be in a document. If you distributed a
security-fixed latex, I could send the old latex.ltx as a document and
tell you it's a document to give to "initex" (rather than latex) and it
would do whatever the old latex did. If you find a security problem then
unless you change the tex executable the security problem will not go
away. If you do change the tex executable then you are not changing
LPPL'ed code (it's most likely GPL).

> Not all Java problems are problems with Java.  In some places, Java
> programs enable se
> However sadly I suppose I will have to agree with

tex has more similarity to "cp" than to java. It doesn't (by default) do system
calls, only has highly restricted file access and just takes a file in
one place and outputs a related file elsewhere. If you find that applying cp
to some document causes a security problem then that is a problem with
cp (or your system file permissions); it isn't a problem with the
document itself. The same is true of a set of tex macros, whether they
are in a document or in the latex format.

However sadly I suppose I'll have to agree with this:

> But I doubt we're going to convince each other.

It is also irrelevant to a general discussion of LPPL, as I commented
before. LPPL is drafted so that it can be applied to any program. If
Debian are going to accept that (some version of) LPPL is acceptable for
their free tree then it is reasonable for you to ask what you could 
do if you found yourself distributing some insecure program that was
LPPL licenced (and was not latex). 

The easy answer is that as it was LPPL'ed you would have access to the
source, you could fix the program and distribute it under a new name.
It would seem that in the vast majority of cases this should be quite
sufficient. If there are cases where that is not sufficient it comes down
to looking at the edge cases of any particular wording in an LPPL draft
where the "rename" rule is relaxed. If we could articulate exactly when
it is reasonable to redistribute without renaming it may be possible to
redraft parts of LPPL to allow that in more cases.

David
