Hamish Moffatt
2007-Oct-14 22:41 UTC
[Secure-testing-team] Bits from the Testing Security team
On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote:
> Embedded code copies
> --------------------
>
> There are a number of packages including source code from external
> libraries, for example poppler is included in xpdf, kpdf and others. To

FWIW, that's true but not the genealogy of the situation. Xpdf is the
original source of the PDF processing code which is in kpdf and the old
gpdf. The poppler guys took it to make the shared library.

Xpdf seems to continue to lead poppler in PDF processing ability so I
suspect poppler's authors continue to merge in changes. Unfortunately
Xpdf's author (upstream) has not been interested in providing a shared
library which would have made libpoppler obsolete. (There are requests
for it in our BTS.)

So you are right that similar code is embedded in the library and in
Xpdf. I offer this note of explanation because suggesting that Xpdf
embeds code from poppler is an insult to Xpdf's upstream (which I know
you did not intend).

thanks,
Hamish
--
Hamish Moffatt VK3SB <hamish at debian.org> <hamish at cloud.net.au>
Moritz Muehlenhoff
2007-Oct-15 17:57 UTC
[Secure-testing-team] Bits from the Testing Security team
On Mon, Oct 15, 2007 at 08:41:09AM +1000, Hamish Moffatt wrote:
> On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote:
> > Embedded code copies
> > --------------------
> >
> > There are a number of packages including source code from external
> > libraries, for example poppler is included in xpdf, kpdf and others. To
>
> FWIW, that's true but not the genealogy of the situation. Xpdf is the
> original source of the PDF processing code which is in kpdf and the old
> gpdf. The poppler guys took it to make the shared library.
>
> Xpdf seems to continue to lead poppler in PDF processing ability so I
> suspect poppler's authors continue to merge in changes. Unfortunately
> Xpdf's author (upstream) has not been interested in providing a shared
> library which would have made libpoppler obsolete. (There are requests
> for it in our BTS.)
>
> So you are right that similar code is embedded in the library and in
> Xpdf. I offer this note of explanation because suggesting that Xpdf
> embeds code from poppler is an insult to Xpdf's upstream (which I know
> you did not intend).

xpdf security updates are a traumatic experience, and I'd like to leave
them behind as far as possible.

Can we please cherry-pick all xpdf improvements into poppler 4-5 months
prior to Lenny release and link xpdf against poppler?
IIRC Ubuntu is doing this for some time now, CCing Martin Pitt.

Cheers,
Moritz
Martin Pitt
2007-Oct-15 23:08 UTC
[Secure-testing-team] Bits from the Testing Security team
Hi,

Moritz Muehlenhoff [2007-10-15 19:57 +0200]:
> Can we please cherry-pick all xpdf improvements into poppler 4-5 months
> prior to Lenny release and link xpdf against poppler?
> IIRC Ubuntu is doing this for some time now, CCing Martin Pitt.

Oh, you mean [1]? I did that in a bored hour literally years ago, but
it has never been picked up by any distro and packaged properly (not
by Ubuntu either). I haven't looked into this again for ages, but I
think porting the current xpdf UI to poppler would be fairly easy,
too. For that to be sustainable, though, it should be done in a better
way with #ifdefs, etc., so that upstream might accept it.

Pitti

[1] http://people.ubuntu.com/~pitti/packages/xpdf-poppler-3.0.1.tar.gz

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
Hamish Moffatt
2007-Oct-16 00:03 UTC
[Secure-testing-team] Bits from the Testing Security team
Hi,

On Tue, Oct 16, 2007 at 01:08:19AM +0200, Martin Pitt wrote:
> Moritz Muehlenhoff [2007-10-15 19:57 +0200]:
> > Can we please cherry-pick all xpdf improvements into poppler 4-5 months
> > prior to Lenny release and link xpdf against poppler?
> > IIRC Ubuntu is doing this for some time now, CCing Martin Pitt.
>
> Oh, you mean [1]? I did that in a bored hour literally years ago, but
> it has never been picked up by any distro and packaged properly (not
> by Ubuntu either). I haven't looked into this again for ages, but I
> think porting the current xpdf UI to poppler would be fairly easy,
> too. For that to be sustainable, though, it should be done in a better
> way with #ifdefs, etc., so that upstream might accept it.

I can't imagine that upstream would ever be interested in linking
against a library which is a fork of his own code, and an older/inferior
version of his code at that.

Hamish
--
Hamish Moffatt VK3SB <hamish at debian.org> <hamish at cloud.net.au>