[texworks] Lua scripting

T T t34www at googlemail.com
Sun Jun 14 14:42:06 CEST 2009


On 14/06/2009, Bruno Voisin <bvoisin at me.com> wrote:
> On 14 June 09 at 00:11, Jérome Laurens wrote:
>
>> On 13 June 09 at 22:26, Reinhard Kotucha wrote:
>>
>>> On 11 June 2009 T T wrote:
>>>
>>>> On 11/06/2009, Hans Hagen <pragma at wxs.nl> wrote:
>>>>
>>>> If someone is stupid enough to run a random piece of code from a
>>>> random place, I'd say they get what they deserve.
>
> That's a rather rude thing to say.
>
> The way most viruses and trojans propagate nowadays is so-called
> social engineering: asking non-techie users to install or authorize
> something (Active X component or such), and use the fact that they
> have no idea what this is about to get them to think this something is
> legitimate.
>
>>>> You cannot protect against
>>>> that anyway and introducing draconian security measures can only
>>>> cripple legitimate usage cases.

It is exactly the social engineering aspect that I had in mind when I
said that you cannot protect against that anyway.

> Yes, of course security measures must be designed cleverly enough not
> to get into the user's way.

Easier said than done.

>> Things are not that simple.
>>
>> TeXWorks natural audience is the beginner in TeX, and most probably
>> in scripting too.
>> You cannot ask a user to supervise the script management when he is
>> just learning what -is- a script.
>
> Exactly my sentiment.

I do not want to give an impression that I don't care about security,
because I do. I just don't think that locking down the script/plugin
subsystem of TW (in the way it was discussed in this thread) provides
anything more than a false sense of security. For example one can wrap
a script/plugin into a malicious .exe installer (under a disguise of
"user-friendliness") and trick users to execute that. And there goes
the security.

IMO, it is much more important to have in the future some official
place for TW plugins (CTAN?) that users (especially beginners) can
trust rather than to spend our energy on technological measures that
can't protect against socially engineered attacks anyway.

Cheers,

Tomek

