When to use `--no-shell-escape`

Tags: compiling, shell-escape

I saw an introduction of -shell-escape here: https://tex.stackexchange.com/a/598819/180617

I know that if I want to use a package like minted or tkz-fct, I have to use `pdflatex --shell-escape main` to compile main.tex, because they call Pygments or Gnuplot while compiling.

In that introduction, I realized that there exists a restricted shell escape, and that *latex compiles .tex files in this mode:

The default setting is usually "Restricted Shell escape". This allows a small number of programs to be called by default (in a restricted form that does not allow shell redirection). These are (in a default TeX Live 2021 configuration):

bibtex
bibtex8
extractbb
gregorio
kpsewhich
makeindex
repstopdf
r-mpost
texosquery-jre8

My first question is: when will pdflatex call something like bibtex or makeindex while compiling? In my usage, I run `bibtex main` after `pdflatex main`, not from within `pdflatex main`.

My second question is when should I use --no-shell-escape?

Best Answer

The imakeidx package, for example, will call makeindex without you needing to call it explicitly. graphics/graphicx will call repstopdf in the background if including EPS files, and will call extractbb if including PNG and other bitmap formats to get the image size.

When to turn it off is a personal choice: you may want to have a behaviour closer to The TeXbook, where \write18 doesn't mean "run system commands", or you may want the additional security and not trust that the commands allowed in the restricted shell escape list are in fact safe.

A lot of thought goes into that list, ensuring the programs don't allow elevated permissions; e.g. repstopdf is a custom configuration of epstopdf with any features allowing Ghostscript to run external code disabled. So most people, most of the time, use the default restricted shell escape setting.
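To make the three modes discussed above concrete (the question's `--shell-escape` case for minted/tkz-fct, the answer's restricted allowlist, and `--no-shell-escape`), here is an added Python model of the \write18 policy. It is not code from TeX Live or from either post: it approximates the restricted mode as an allowlist keyed on the first word of the \write18 string, with shell syntax in the arguments refused so redirection cannot be smuggled in, and it falls back to the TeX Live 2021 list quoted in the question when `kpsewhich` is not installed. The `SHELL_META` set, the `Decision` type and the function names are this example's own; the exact parsing rules in TeX's texmfmp.c differ in detail.

```python
"""Model of TeX's three \\write18 modes (disabled / restricted / unrestricted).

Added example, not code from the TeX Live sources or from the Q&A above.
It approximates the policy those sources implement: restricted mode is an
allowlist keyed on the first word of the \\write18 string, executed as an
argument vector rather than a shell command line, so redirection and pipes
cannot be smuggled in through arguments. The real parser in texmfmp.c
differs in detail; treat the checks below as an illustration of the policy.
"""
import shlex
import shutil
import subprocess
from dataclasses import dataclass

# Allowlist quoted in the question (default TeX Live 2021 value of
# shell_escape_commands). Used when kpsewhich is not available to ask.
TL2021_SHELL_ESCAPE_COMMANDS = (
    "bibtex", "bibtex8", "extractbb", "gregorio", "kpsewhich",
    "makeindex", "repstopdf", "r-mpost", "texosquery-jre8",
)

# Tokens that only mean something to a shell (assumed set for this model); a
# command that needs them is asking for shell parsing, which restricted mode
# deliberately does not provide.
SHELL_META = {">", ">>", "<", "|", ";", "&", "&&", "||"}


def configured_allowlist():
    """Return the live allowlist via kpsewhich when TeX Live is installed,
    otherwise fall back to the TL2021 list from the question."""
    if shutil.which("kpsewhich") is None:
        return TL2021_SHELL_ESCAPE_COMMANDS
    out = subprocess.run(
        ["kpsewhich", "--var-value", "shell_escape_commands"],
        capture_output=True, text=True, check=False,
    ).stdout.strip()
    return tuple(c for c in out.split(",") if c) or TL2021_SHELL_ESCAPE_COMMANDS


def effective_mode(texmf_shell_escape="p", cli_flag=None):
    """texmf.cnf uses t (enabled), p (restricted), f (disabled); a command
    line flag overrides the config file, which is why --no-shell-escape can
    switch off even the restricted list."""
    if cli_flag == "--shell-escape":
        return "unrestricted"
    if cli_flag == "--no-shell-escape":
        return "disabled"
    return {"t": "unrestricted", "p": "restricted", "f": "disabled"}[texmf_shell_escape]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    argv: tuple      # what would actually be executed when allowed
    reason: str


def decide(write18_text, mode, allowlist=TL2021_SHELL_ESCAPE_COMMANDS):
    """Decide whether a \\write18{...} string may run under the given mode."""
    if mode == "disabled":
        return Decision(False, (), "shell escape disabled (--no-shell-escape or shell_escape=f)")
    if mode == "unrestricted":
        # Real TeX hands the whole string to the system shell here: anything goes.
        return Decision(True, ("/bin/sh", "-c", write18_text), "unrestricted: passed to the shell verbatim")
    try:
        argv = shlex.split(write18_text)      # no expansion, just tokenising
    except ValueError as exc:
        return Decision(False, (), f"restricted: unparsable quoting ({exc})")
    if not argv:
        return Decision(False, (), "restricted: empty command")
    prog = argv[0]
    if "/" in prog or "\\" in prog:
        return Decision(False, (), "restricted: program must be a bare name on PATH, not a path")
    if prog not in allowlist:
        return Decision(False, (), f"restricted: {prog!r} is not in shell_escape_commands")
    bad = [a for a in argv[1:] if a in SHELL_META or "`" in a or "$(" in a]
    if bad:
        return Decision(False, (), f"restricted: shell syntax not allowed in arguments: {bad}")
    return Decision(True, tuple(argv), "restricted: allowlisted program, executed without a shell")


def run(write18_text, mode, allowlist=TL2021_SHELL_ESCAPE_COMMANDS, dry_run=True):
    """Apply the policy and, unless dry_run, execute the resulting argv."""
    d = decide(write18_text, mode, allowlist)
    if d.allowed and not dry_run:
        subprocess.run(list(d.argv), check=False)
    return d


if __name__ == "__main__":
    # Constructed sample \write18 strings: what imakeidx (makeindex) and
    # minted (pygmentize) ask TeX to run, plus two attempts at shell tricks.
    samples = [
        "makeindex main.idx",
        "pygmentize -l python -f latex -o main.pyg main.code",
        "makeindex main.idx > /tmp/stolen",
        "kpsewhich $(id)",
    ]
    for flag in (None, "--shell-escape", "--no-shell-escape"):
        mode = effective_mode("p", flag)
        print(f"== pdflatex {flag or ''} (mode: {mode})")
        for s in samples:
            d = decide(s, mode)
            print(f"  {'ALLOW' if d.allowed else 'REFUSE'}  {s!r:55} {d.reason}")
```

Running the script prints the decision for each sample under the three invocations, which answers the second question in policy terms: `--no-shell-escape` refuses even `makeindex`, the default refuses anything minted needs, and `--shell-escape` hands every string to the shell unchanged.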