lout-users


Re: wishes for next Lout


From: Ian Jackson
Subject: Re: wishes for next Lout
Date: Wed, 17 Jan 96 20:58 GMT

basile starynkevitch writes [SuperCite undone:]
> No. It is a user manual! This is precisely the kind of stuff where I
> want to use Lout for!

So use a preprocessor.

> > *NO*.  In order to read a document properly I need to be able
> > to format it, and this should *not* require me to trust the
> > originator.
> 
> You still will need any specific Lout styles. These may contain
> @Filter-s -that I consider part of them. The fact that styles invoke a
> knowledgeable -not arbitrary- program is in my opinion an
> implementation detail. I agree that lout style implementers (these are
> Lout experts, not casual users) should be aware of security issues.

@Filter can be made to invoke an arbitrary program, and can be
included in documents.

The fact that the only uses of @Filter *at the moment* invoke c2lout
is completely irrelevant.

The fact that people don't usually write documents containing @Filter
directives doesn't mean that they can't.

> Changing the path should be enough. Perhaps the @Filter primitive
> should either have a full pathname (ie /usr/local/bin/c2lout instead
> of c2lout). 

I'm sorry, I'm having great difficulty avoiding becoming very rude at
this point.  What on earth are you talking about?  How will changing
the PATH prevent malicious documents from specifying whatever command
they like with @Filter?

> I suggest that the default option would be set in the Lout building
> Makefile. Lout installer could change it at will. And portability (ie
> in Makefiles invoking lout for document formatting) would be preserved
> by always expliciting the enable/disable at lout invocation.

One of the best things about Lout is how little editing of Makefiles
needs to be done.

The default for any software should be secure operation, otherwise
people will forget to use the `be-safe' option when it becomes
necessary.  This also encourages people not to do things that require
others who deal with their work to trust them more than is reasonable.

Ian.
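
An added example, not part of the original message or of Lout itself: a pre-format check in the spirit of the secure-default argument above, which refuses a document containing an `@Filter` symbol unless the person formatting it explicitly opts in. The simplified lexing rules, the function names and the sample documents are assumptions made for illustration.

```python
import re

# Assumed, simplified Lout lexing: '#' starts a comment that runs to end of
# line, "..." is a quoted string with backslash escapes, and a symbol is a
# run of letters and '@'. That is enough to tell @Filter from @FilterIn.
_TOKEN = re.compile(r'#[^\n]*|"(?:\\.|[^"\\\n])*"|[A-Za-z@]+')


def find_filter_directives(text):
    """Return (line, column) of every @Filter symbol outside comments/strings."""
    hits = []
    for m in _TOKEN.finditer(text):
        if m.group() == "@Filter":
            line = text.count("\n", 0, m.start()) + 1
            col = m.start() - (text.rfind("\n", 0, m.start()) + 1) + 1
            hits.append((line, col))
    return hits


def may_format(text, allow_filters=False):
    """Secure by default: refuse documents that use @Filter unless the
    person running the formatter has explicitly opted in."""
    return allow_filters or not find_filter_directives(text)


# Constructed sample documents (not taken from the thread).
PLAIN = '''@Doc @Text @Begin
# a comment that mentions @Filter is harmless
"@Filter" in quotes is just text, as is @FilterIn on its own.
@End @Text
'''
WITH_FILTER = '''def @Listing right x
{
    def @Filter { some-command @FilterIn @FilterOut }
    x
}
'''

if __name__ == "__main__":
    for name, doc in (("PLAIN", PLAIN), ("WITH_FILTER", WITH_FILTER)):
        print(name, find_filter_directives(doc), may_format(doc))
```

A single-file scan does not follow included files, so it is a first check rather than a substitute for the formatter itself declining to run filters by default.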

