diff --git a/README.md b/README.md index 1239d17d5f..e7b04072cd 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,11 @@ Verso differs in that: gracefully for long documents. - It ships with a full **project history** and version-restore workflow. +If you only need Typst and want a lighter, Typst-focused alternative, have a look +at **[Collabst](https://github.com/herluf-ba/collabst)** — an open-source, +self-hosted collaborative Typst editor that is independent of the Overleaf +codebase and shows a lot of promise. + --- ## Features @@ -145,6 +150,24 @@ Refinements to the Typst editor and the format badge system: --- +## Security model — trusted environments only + +Verso is designed for **closed groups of trusted users** (a lab, a class, a small +team). All three compilers can execute arbitrary code on the server: + +- LaTeX with shell-escape enabled can run system commands. +- Quarto Python cells execute Python code directly. +- Typst's scripting layer is sandboxed by design, but runs server-side. + +There is **no per-project sandbox or resource isolation** beyond what the +operating system provides. Exposing Verso to the public internet with +open registration is not recommended. If you need to host a collaborative +LaTeX/Typst editor for untrusted users or at scale, look at +[Overleaf's non-Community offerings](https://www.overleaf.com/for/enterprises), +which include proper sandboxing and enterprise access controls. + +--- + ## Quick start ### With Docker 
@@ -235,11 +258,20 @@ Verso is not affiliated with Overleaf Ltd. --- -## Contributing +## Supporting the ecosystem -Open an issue or pull request on the -[Verso repository](https://git.alocoq.fr/alois/verso). The upstream Overleaf -contribution guidelines are in [CONTRIBUTING.md](CONTRIBUTING.md). +Verso is not accepting contributions or donations at this time. If you find it +useful and want to support the broader ecosystem it builds on: + +- **Support Overleaf** — Overleaf is actively working on + [Typst support](https://www.overleaf.com/blog/overleaf-and-typst) and + RevealJS presentation features. The best way to support their work is to use + or subscribe to [Overleaf](https://www.overleaf.com) and encourage your + institution to do the same. +- **Support Typst** — [Typst GmbH](https://typst.app) is the company behind the + Typst compiler. Using Typst.app or sponsoring the + [Typst project on GitHub](https://github.com/typst/typst) helps sustain the + language itself. ---
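Review bot: In the first README hunk (the Collabst paragraph added after the "Verso differs in that:" list), "shows a lot of promise" is an endorsement that will date and that a reader cannot check. Suggest a neutral description of what the project is (the hunk already has one: "an open-source, self-hosted collaborative Typst editor that is independent of the Overleaf codebase") and dropping the closing clause.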
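Review bot: In the new "Security model" section, the lead-in "All three compilers can execute arbitrary code on the server" contradicts the third bullet, which says Typst's scripting layer is "sandboxed by design". Suggest limiting the arbitrary-code statement to LaTeX and Quarto and giving Typst its own sentence (it processes user input server-side but is sandboxed), so the list does not overstate or understate any one compiler. The LaTeX bullet is also conditional on "shell-escape enabled" without saying whether Verso's shipped configuration enables it; state the default and where an operator changes it, since that decides how much of this warning applies to a given deployment.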
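Review bot: In the hunk that replaces "## Contributing" with "## Supporting the ecosystem", the removed lines pointed readers to the issue tracker ("Open an issue or pull request on the Verso repository"), and the replacement text gives no place to report a bug or a security problem. Because the same patch adds a section saying the compilers run code on the server with no per-project sandbox, keep a one-line reporting channel (for example the repository link with a note that issues are read even though contributions are not accepted), or say explicitly that reports are not accepted. Also confirm whether CONTRIBUTING.md should stay in the tree now that the README no longer links to it.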