#1003977 cwltool: privacy leak with option --print-doc

#1003977#5
Date:
2022-01-18 20:48:01 UTC
From:
To:
Web pages produced with `cwltool --print-doc` contains links to only
resources, revealing when users render the document in a regular web
browser - or fails to produce intended layout if rendering while offline.

For inspiration, the tool pandoc by default (as packaged in Debian,
upstream defaults differ) links against local system-shared resources,
with an option for each resource to instead link to an online instance
of the user's own choice.

 - Jonas
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmHnJ38ACgkQLHwxRsGg
ASHGwhAAh1ZBbK8+eImp+ezPzucf0dbtYtHJJAezZsNo+EcQQY7bE+p8JVDIzMBV
BFtUUPm1qbPIDH1wifMB6V/algzeuZRdoQn9sAr3nB8c5ecEAToVDdNQ0ZwPC126
dX+wunE0T2zKhrIfcQ2V93WCQdU2M/yw0qSvA7uyOypowJvOukTIrUC6/vyXM6A+
+L31oAsrE0QCfV9UO1mhYwJC8+K+6n3D2bCbnpWDNJ/xufglofhJmKRM7erw5Izr
L5Yeqi9Nl8G9UDffl4CGlMtSgqAlJzR29OdEkFMPT7rtPWB/ecOdM5NJn4djw4d6
64lFQKWEwi70kwB/oyp+ro8FDcGPkamZ6NXyOPEJFiV29M7Crvd8tco4Ih3rdjDd
Aka9Y1FUhTR2g7M4mn8kvNR6LDZFf/T0NvdMxaqYfgra72q1nPHnwMB1ephM+LP2
4C0Tbx3NiPGkPwLu/V7l7C7vOWDyth7DcE6b87pk4LWrGZxlf6+qGQTfRxdjDi6V
bpAvWMDxRJIeModFU3Dhwz1CQUltXI0111dw5Hcsb84Cefcr5ujvMLLjbuT7Dn8l
HPPtNFEL/6WvNmA3IMBu5JHX3niChldpww86Vs1hTOXqEXjB4Zucl7yAlkfoAMSK
5aK9/+wGrPp0ZkuaM1luL7W8HeRW6BL3g1EDLAcXRk2XKfZbqtE=
=Ls8d
-----END PGP SIGNATURE-----

#1003977#10
Date:
2022-01-19 11:11:00 UTC
From:
To:
On Tue, 18 Jan 2022 21:48:01 +0100 Jonas Smedegaard <dr@jones.dk> wrote:

 > Package: cwltool
 > Version: 3.1.20211104071347-3
 > Severity: important
 >


I think you mean `schema-salad-tool --print-doc`, yes? Agreed, this is
not great.

I opened an issue about this upstream (where I am also the maintainer).
A pull request to fix this would be very welcome!