[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: LaTeX & DFSG

David + Jeff

 > > The problem is that I do not believe that the security model of TeX and
 > > the security model of LaTeX are absolutely equivalent.  They may be
 > > close, but "close" doesn't cut it in the security world.
 > I don't think they are close. I assert they are the same as latex is just
 > part of the input to TeX. It is to TeX just the first part of the
 > document. Any code in latex could be in a document. If you distributed a
 > security-fixed latex, I could send the old latex.ltx as a document and
 > tell you it's a document to give to "initex" (rather than latex) and it
 > would do whatever the old latex did. If you find a security problem then
 > unless you change the tex executable the security problem will not go
 > away. If you do change the tex executable then you are not changing
 > LPPL'ed code (it's most likely GPL).

please give it a rest as you both are right to a point. The above example
should made it clear to Jeff that there is no guarantee to fix anything in
LaTeX which is already a problem in TeX. 

but at the same time it is certainly true that somebody might explicitly
intorudce a security problem in the kernel or a latex package that uses the
existing features of TeX (which you can't or rather don't want to take away)
which is reading and writing files. Even if this is pretty closed up by TeX
through not accepting . files or not reading writing outside certain
pathes, it is impossible to ensure that important files can't be overwritten
or accessed nevertheless.

so if, for some reason latex.ltx suddenly contains 
\openout\foo=<critical file> then i wouldn't want to see that format being
distributed to unsupecting users. and what to do then within the LPPL license
(i already discussed in an earlier post)

so in some sense this is a nice philosophical discussion (and i liked the
sandbox fixing metaphor) but we can assume either position without having any
bearing on LPPL being DSFG-complient or not.



To UNSUBSCRIBE, email to debian-legal-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: