Is it safe to run Tectonic on arbitrary input?

Pretty much what title says. Obviously I’d be using --untrused, but I’m wondering whether Tectonic is in a state where this is probably fine or if it is safer to stick with a different LaTeX “compiler”.

I’ll be running these under a container (probably Docker), but since Tectonic doesn’t come with all LaTeX packages* I’d need to allow an internet connection in the container, while with different compilers I could just include a full TeXLive install in the container.

(*to my knowledge—please let me know if there is a way to tell Tectonic to cache all available packages as that would be my preferred solution)

Define “safe”. If you run without --untrusted I’d say it is unsafe according to the documentation. [Edit] Misread, of course if you run with the flag you’re at least not running arbitrary system programs.

But LaTeX is Turing-complete isn’t it, so using any LaTeX package sounds technically unsafe to me! Not saying it would be easy to write a LaTeX package to guess your bank account, but who knows.

Considering that it will be containerized with no access to the host machine (other than internet access since Tectonic needs it for getting packages, but this is to say that I’m not worried about leaking private keys or other file contents); pretty much the only potential issue I can think of is some input .tex file causing arbitrary network requests, and I’m wondering whether Tectonic is at a point in development where it is highly unlikely that such security issues exist.

If that’s your concern, and you cannot or don’t want to shut off network connectivity entirely, you should absolutely be using Tectonic and not something else, because that’s one of the main points of Tectonic: it has a safe mode at all, which means afaik it will block ‘malicious’ (e.g. needing -shell-escape, I guess) packages if they are downloaded (automatically).

Yes it’s true that texlive-full does not need an internet connection, but you have just to take a little look at the tons of executables and scripts provided with TeX Live which can execute whatever they want on the system, to know that unless you don’t have a network connection at all that’s pretty out of control.

The safe mode is with --untrusted, right?

If I were using regular TeXLive I definitely would disable internet through Docker (the only reason I’m even considering Tectonic with its requirement to be connected to the internet is that it has --untrusted); if someone figures out a way to escape/bypass Docker containerization then they’ll definitely have much bigger targets than I.