Pretesting TeX Live 2010

The first testing builds of TeX Live 2010 are now available, which you can also read about in the TeXblog entry. I downloaded it a few days ago, currently just to my Mac (Windows testing on my system at work starts next week). There are a few changes, some of which were planned for TeX Live 2009 and did not make it. The highlights for me:

  • Restricted \write18 support is back. I’ve written about the issues with this before, but as I understand it these are now solved. The idea of this support is that EPS graphics can be turned into PDF graphics automatically, meaning that pdfLaTeX is much easier to use for end users with mainly EPS graphics available.
  • The default PDF output is level 1.5, which means that more compression of the output is available. The amount of compression depends on the type of output (files with lots of hyperlinks seem to show the most dramatic results). I’ve been using PDF 1.5 for a while with no issues, so I hope that this is applicable to most users.
  • There is a Unicode version of BibTeX included: BibTeXU. I can’t see any details of where this is coming from or the exact nature of the support: I hope to gain enlightenment at some stage. I’ll certainly be testing it.

As I’m currently testing on my Mac, I’ve installed the 64-bit binaries (these still have to be installed in addition to MacTeX at the moment). I’m seeing slightly better performance with the 64-bit binaries than the 32-bit ones, but not by much. On Windows I’m currently limited to 32-bit, so there I’ll have nothing to worry about!

So far, I’ve not had any major issues. TeX Live is very much evolution, not revolution, so that is not too much of a surprise. The team have done a good job, as usual, and I hope that others will brave the testing status of this release to help find any bugs before it’s unleashed on the TeX world at large.

TeX and security

Security in computer programs is always an issue, with the balance between ease of use and security never being a simple black and white line. There’s a very interesting paper, being presented at an upcoming conference, about TeX security issues. This is particularly significant to MiKTeX users, as it’s led to a change in how MiKTeX implements certain features.

One of the well-known security questions with TeX is whether to enable \write18, and as a result this is off by default in TeX Live and MiKTeX. Another area that is of obvious concern is the \openout primitive, which allows writing a new file and could therefore be used for undesirable purposes. Of course, this functionality is also important: writing to files is how LaTeX manages a whole range of automated cross-referencing. So there is a balance to be struck: we need \openout, but not at any cost.

The TeX Live team have taken the attitude that \openout should be able to write within the current directory structure but not outside of it. This can be seen with a couple of very similar plain TeX test files. If you try

\newwrite\mywrite
\immediate\openout\mywrite test/test.xxx
\bye

then everything will be fine and the test file will be created. On the other hand

\newwrite\mywrite
\immediate\openout\mywrite ../test.xxx
\bye

will raise an error. The behaviour with MiKTeX was to allow both (and also absolute paths, etc.). That has now been altered, so that MiKTeX behaves in the same way as TeX Live (at least, that’s what it looks like in my tests).

Reading the MiKTeX lists, the new behaviour is causing issues because LaTeX’s \include relies on \openout. Quite a lot of MiKTeX users have been doing things like:

\include{C:/Users/<user>/My Documents/Chapters/chapter1.tex}

or

\include{../Chapters/chapter1.tex}

which used to work and now does not. There is a setting which enables the old behaviour, but it’s not really to be recommended, I think. So users will have to rearrange their input a bit to reflect the new more secure approach.
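The rule described above, modelled as an added example (not code from TeX Live or MiKTeX, and a simplification of what either engine actually checks): a write target is accepted only if it is relative and has no `..` component. It assumes that `\include{X}` opens `X.aux` for writing; `write_allowed` and `audit` are hypothetical names, and the sample document is constructed from the paths quoted above.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample input, reusing the paths quoted in the post.
SAMPLE = r"""
\newwrite\mywrite
\immediate\openout\mywrite test/test.xxx
\immediate\openout\mywrite ../test.xxx
\include{C:/Users/<user>/My Documents/Chapters/chapter1.tex}
\include{../Chapters/chapter1.tex}
\include{Chapters/chapter2}
"""

OPENOUT = re.compile(r"\\openout\s*\\[A-Za-z@]+\s*=?\s*([^\s\\]+)")
INCLUDE = re.compile(r"\\include\s*\{([^}]*)\}")


def write_allowed(target: str) -> bool:
    """Simplified model: relative path, no drive letter, no '..' component."""
    win = PureWindowsPath(target)
    if win.is_absolute() or win.drive or PurePosixPath(target).is_absolute():
        return False
    return ".." not in win.parts


def audit(source: str):
    """Return (command, file opened for writing, allowed) for each write found."""
    findings = []
    for line in source.splitlines():
        for m in OPENOUT.finditer(line):
            findings.append(("openout", m.group(1), write_allowed(m.group(1))))
        for m in INCLUDE.finditer(line):
            aux = m.group(1) + ".aux"  # assumption: \include{X} writes X.aux
            findings.append(("include", aux, write_allowed(aux)))
    return findings


if __name__ == "__main__":
    for command, target, allowed in audit(SAMPLE):
        print(f"{'ok    ' if allowed else 'REJECT'} {command:8} {target}")
```

Running the audit over a document before compiling shows which `\include` lines need to be moved under the main file's directory.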

There are some other interesting points in the paper on TeX security. One is that making a truly secure LaTeX implementation (to use as a web service) is basically impossible. The MathTran site gets mentioned as the most secure TeX web service: it uses a specially hardened version of plain TeX, with no access to things like \csname, \catcode and so on to make it secure. For LaTeX, that is probably not possible (at least with LaTeX2e). Worth reading, but for those of us who just use TeX on our own computers not quite so immediately relevant.