Re: Looking for contractor

[Kevin Barry]

Hi Tim,

I wish I could volunteer for this, but I have a full-time job, and I'm
not really knowledgable enough to do it without help. But I will help if
I can.

Han-wen opined on the merge request he opened for this issue last year
that we would probably have to replace our current pdf rendering system
(ghostscript) with an alternative (e.g. libcairo). That sounds like a
significant change.

I would like to hear what other developers think.

Kevin

On Tue, Apr 27, 2021 at 09:38:58AM +1000, Tim Starling wrote:
> I'm looking for a developer who would like take on a contract to
> improve LilyPond security.
> 
> The work would be as discussed last October on this mailing list:
> https://lists.gnu.org/archive/html/lilypond-devel/2020-10/msg00096.html
> 
> My summary is as follows:
> 
> * Make all parser-related modules safe. In ly_make_module(), always
> use a safe module (make-safe-lilypond-module or make-safe-module).
> Remove the reference to Guile_user::the_root_module.
> * Work through the consequences in order to allow typical real-world
> input files to be rendered as before, without errors.
> * Ensure that the documentation and regression tests can still be built.
> * Propose code changes so as to update the version to 3.0.0.
> 
> Please tell me if I'm missing something in this summary or if there is
> something you would like to add. The scope should be sufficient such
> that the changes can be accepted and released. We don't want to leave
> it half-done.
> 
> I am looking for someone who is familiar with LilyPond and has
> previously submitted code which I can review.
> 
> Please let me know if you are interested.
> 
> --
> Tim Starling
> Principal Software Architect
> Wikimedia Foundation
>