
Re: pdf files in upstream tarball and -doc package

Miriam Ruiz <little_miry@yahoo.es> wrote:

> --- Justin Pryzby <justinpryzby@users.sourceforge.net> wrote:
>> PDF can be trojaned, so you should at least *provide* a way to
>> generate them from their sources, even if that makefile rule is not
>> called by default, and the additional build-dependencies are just a
>> note in debian/rules.
> In case only PDF files were provided, or PDF provided
> came from .doc files or something like that, is it OK
> to include them? 

There are two problems with this: Security and DFSG-freeness. 

I wouldn't put too much weight on the security thing. If you don't
understand PostScript or PDF, you won't detect the exploit; it doesn't
matter whether it is in the ps/pdf file or in a \special command in the
LaTeX/LyX sources. Just as you would not detect a possible trojan
written in C if you package something that compiles a *.c file and you
hardly know C. Ask yourself: Can you trust upstream? Do they provide
md5sums, or even gpg sigs, for the tarballs? Do other people use and
audit the software?

But you cannot include pdf files for which no source is included, or
only Micro$oft .doc files, in a Debian package: We need the source code,
and pdf, even if not compressed, cannot be taken as source code.

This doesn't mean that we have to regenerate the pdf file, but we (and
our users) must be able to do it.

Regards, Frank

Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
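The "md5sums, or even gpg sigs" question above is something a packager can answer mechanically before unpacking anything. The following script is an added example and not part of the original post or of any Debian tooling: it parses a coreutils-style checksum list (md5sums, SHA256SUMS), hashes the tarball in chunks, compares digests in constant time, and checks a detached OpenPGP signature against a pinned keyring rather than whatever happens to be in the packager's own keyring. The file names, the sample tarball bytes and the checksum lists in `demo()` are constructed for the demonstration.

```python
"""Verify an upstream tarball against a published checksum list and,
optionally, a detached OpenPGP signature.

Added example, not code from the original mailing-list post. The file
names, tarball contents and checksum lists below are constructed.
"""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile


def parse_checksum_list(text):
    """Return {filename: hexdigest} from a coreutils-style list.

    Accepts both "<digest>  <name>" and the binary-mode "<digest> *<name>"
    form written by md5sum -b / sha256sum -b; blank and '#' lines are skipped.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if name:
            table[name] = digest.lower()
    return table


def file_digest(path, algo):
    """Hash a file in 64 KiB chunks so large tarballs are not read into RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(path, checksum_text, algo=None):
    """True only if `path` has an entry in the list and its digest matches.

    The algorithm is inferred from the digest length unless given explicitly
    (32 hex chars = md5, 40 = sha1, 64 = sha256, 128 = sha512). A missing
    entry or an unknown digest length is treated as a failure, not a pass.
    """
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False
    if algo is None:
        algo = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(expected))
        if algo is None:
            return False
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(file_digest(path, algo), expected)


def verify_detached_signature(path, sig_path, keyring):
    """Check a detached signature (e.g. foo-1.0.tar.gz.asc) with gpg.

    `keyring` is a file holding the upstream maintainer's public key(s),
    obtained out of band and pinned in the packaging. --no-default-keyring
    plus --keyring means only those keys can satisfy the check.
    Returns True/False, or None when no gpg binary is installed.
    """
    gpg = shutil.which("gpg") or shutil.which("gpg2")
    if gpg is None:
        return None
    cmd = [gpg, "--batch", "--no-default-keyring",
           "--keyring", os.path.abspath(keyring),
           "--verify", sig_path, path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def demo():
    """Exercise the checksum path on a constructed fixture; returns outcomes."""
    work = tempfile.mkdtemp()
    try:
        tarball = os.path.join(work, "foo-1.0.tar.gz")
        with open(tarball, "wb") as f:
            f.write(b"hello world")  # constructed stand-in for archive bytes
        md5_list = "5eb63bbbe01eeed093cb22bb8f5acdc3  foo-1.0.tar.gz\n"
        sha256_list = ("# SHA256SUMS for foo 1.0\n"
                       "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
                       " *foo-1.0.tar.gz\n")
        return {
            "md5_ok": verify_checksum(tarball, md5_list),
            "sha256_ok": verify_checksum(tarball, sha256_list),
            # authentic list, but the bytes we fetched were altered in transit
            "tampered": verify_checksum(tarball, md5_list.replace("5eb6", "0000")),
            # tarball not mentioned in the list at all
            "unlisted": verify_checksum(tarball, "deadbeef  other-2.0.tar.gz\n"),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

A checksum list fetched from the same server as the tarball only proves the download was not corrupted; an attacker who replaced the tarball on that server can replace the list too. The signature check is what ties the archive to a key the packager has already decided to trust, which is why it takes an explicit keyring argument instead of consulting the default one.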
