[tex-k] secure mode of dvips should be default

janl@linpro.no janl@linpro.no
Mon, 04 Jun 2001 10:43:07 +0200

Sebastian Rahtz <sebastian.rahtz@computing-services.oxford.ac.uk> typed:
> janl@linpro.no writes:
>  > would work.  It would very much fit the old Unix philosophy of small
>  > tools working together. 
> It was/is a good philosophy, but it assumed that people were nice.  As
> with so many other things, the minority of nasty people in the world
> spoil it for everyone else.

No it didn't.  C assumes that people are nice, and programmers
omniscient.  The demands on our alertness with regard to what data we pass
around to libraries is no less when we use a library than an external
executable.   Has the library been audited, was it written assuming
that the caller does all the needed sanity checks? What _are_ the
sanity checks?  

To be sure the system and popen calls have a notorious history, but it
_is_ well known what we have to do to not make them holey.  The R modes
just discussed along with giving dvips/xdvi etc. extendable knowledge
about file-formats should be quite good enough.
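
The following is an added example, not part of the e-mail and not code from dvips or xdvi. It sketches one common way to call an external tool on a file name without the pitfalls of system() and popen(): validate the name against an allowlist, then run the tool with fork() and execvp() so that no shell parses the name. The helper names `is_safe_filename` and `run_tool`, the allowlist itself and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: accept only relative names built from a
 * conservative allowlist, so nothing a shell or an option parser
 * treats specially can reach the child process. */
int is_safe_filename(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "0123456789._-/";
    size_t n = strlen(s);
    if (n == 0 || n > 255) return 0;
    if (s[0] == '-' || s[0] == '/') return 0; /* option-like or absolute */
    if (strstr(s, "..") != NULL) return 0;    /* no parent-directory hops */
    return strspn(s, ok) == n;                /* every byte is allowlisted */
}

/* Hypothetical helper: run `tool file` without a shell. Unlike
 * system()/popen(), execvp() passes argv verbatim, so the file name
 * is never re-parsed as shell syntax. Returns the child's exit status,
 * or -1 if the name is rejected or the child could not be run. */
int run_tool(const char *tool, const char *file)
{
    if (!is_safe_filename(file)) return -1;   /* refuse before forking */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)file, NULL };
        execvp(tool, argv);
        _exit(127);                           /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample names, not taken from the e-mail. */
    const char *names[] = { "fig1.eps", "fig1.eps;id", "-o", "../x" };
    for (size_t i = 0; i < 4; i++)
        printf("%-14s %s\n", names[i],
               is_safe_filename(names[i]) ? "accepted" : "rejected");
    return 0;
}
```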