Re: forwarded message from Jeff Licquia
On Thu, 2002-07-18 at 04:59, Martin Schröder wrote:
> On 2002-07-17 14:24:15 -0500, Jeff Licquia wrote:
> > On Wed, 2002-07-17 at 12:23, Javier Bezos wrote:
> > > Let's put it in other words. TeX leaves to the distribution
> > > the decision about how files are read/written. tetex
> > > decides how files are read/written and it's under GPL. Thus, you
> > > can change it if you want. Nothing to do with LaTeX ot LPPL.
> > > After that, explaining the problem of holes in our dangerous
> > > time can be interesting but it's certainly irrelevant.
> >
> > This is irrelevant to my position as stated:
>
> This is absolutely relevant. LaTeX is just a set of macros run
> through an interpreter.
So interpreted languages cannot be insecure?
-----
#!/usr/bin/python
import os
os.unlink("/etc/passwd")
-----
I take it that you would think the proper solution to this problem is to
remove the os.unlink() function from Python?
> The same applies to PostScript: One fixes security holes in the
> interpreter (e.g. GhostScript) and doesn't worry about the
> PostScript files.
This is not true. There are lots of things that you can do in
PostScript by design that can delete files, consume available memory,
etc. That is not the fault of PostScript, but the particular PostScript
files you run.
You seem to be confusing bugs in the interpreter with bugs in
interpreted programs. It is possible for an interpreter to be bug-free,
but programs written in that interpreted language to have bugs.
You also seem to have a lot of faith in sandboxing. Sandboxes work *if
the sandbox model is correct* and the implementation has no bugs. Ask
the Java people about how sandbox models can be incorrect.
--
To UNSUBSCRIBE, email to debian-legal-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: