Re: Looking for contractor

[Tim Starling]

On 29/4/21 4:28 am, David Kastrup wrote:
> Kevin Barry <barrykp@gmail.com> writes:
>
>> Han-wen opined on the merge request he opened for this issue last year
>> that we would probably have to replace our current pdf rendering system
>> (ghostscript) with an alternative (e.g. libcairo). That sounds like a
>> significant change.
>>
>> I would like to hear what other developers think.
> Going through Cairo would be both a significant change and very
> desirable.

If someone who wants to do that work can make a case for it, and the
cost is within the budget, then we could certainly consider it. At
Wikimedia we're not letting LilyPond run Ghostscript anymore, we just
ask for Postscript output and run Ghostscript separately. I don't
really see shelling out to Ghostscript as being a significant problem.

Maybe this is related to Han-Wen's idea having LilyPond manage its own
seccomp filter, which as I said at the time is not something we can
use since we're running LilyPond as a whole inside a restricted
container. LilyPond will not have the privileges required to set up
seccomp filtering. It's also not portable. Han-Wen eventually
abandoned the idea -- trying to make the document not be able to run
arbitrary machine code is the new goal. I think that's a good goal
because it goes to LilyPond's core role as a document converter --
syscall filtering is not its job and is not within the core
competencies of the LilyPond community.

The goal, simply stated, is to make safe mode always be enabled and to
make it actually work as documented.

-- Tim Starling