Am Fri, 2 Nov 2018 12:53:02 +0100 schrieb luigi scarso:
You could try https://github.com/khaledhosny/luahbtex. Khaled is trying to marry luatex + harfbuzz there
sure, it's hardcoded , the final binary is quite heavy ... Anyway, I am talking of dll/so plugin and tool, it's more on the track of https://www.guitex.org/home/images/ArsTeXnica/AT023/luaffi-article.pdf
Well we (some of the latex team) tried to test this as we have quite an interest to have an option to use harfbuzz for some fonts but not every code needed seems to be available publicitly.
it's complex thing... a binding depends on lua API and
On Fri, Nov 2, 2018 at 1:05 PM Ulrike Fischer
is not really sensible for a user interface.
it's the context ml, enable system commands is default (and we are still here :-) . Anyway ConteXt has a sandbox too. ) But yes, the --safer disable easily exploitable lua commands --[no-]shell-escape disable/enable system commands --shell-restricted restrict system commands to a list of commands given in texmf.cnf are part of the picture. Hans and I have to discuss this point. Just to say: on my linux box, xetex from the official deb package has not hb hardcoded: # ldd `which xetex ` linux-vdso.so.1 (0x00007ffcb26d2000) libharfbuzz-icu.so.0 => /usr/lib/x86_64-linux-gnu/libharfbuzz-icu.so.0 (0x00007f5fe89c5000) libharfbuzz.so.0 => /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0 (0x00007f5fe8727000) Even if I set all the paranoia flags, xetex will load these shared objects. With a luaffi things doesn't change, the point is that luatex will load the libs only when/if the user (script) will to do. Of course, the xetex from texlive is statically compiled ... well almost. I still see freetype as shared object. Anyway, as I have said I am now focused on this issue now because I would like to complete/fix it for the next texlive. (to be honest: I think that all these safer shell-* switches are a bit outdated nowadays, but they are there and I don't think they will disappear . ) -- luigi