
Re: pdf files in upstream tarball and -doc package



> There are two problems with this: Security and DFSG-freeness.
>
> I wouldn't put too much weight in the security thing. If you don't
> understand postscript or pdf, you won't detect the exploit - it doesn't
> matter if it is in the ps/pdf file, or in a \special command in the
> LaTeX/Lyx sources. Just as you would not detect a possible trojan
> written in C if you package something that compiles a *.c file, and you
> hardly know C. Ask yourself: Can you trust upstream? Do they provide
> md5sums, or even gpg sigs, for the tarballs? Do other people use and
> audit the software?
>
> But you cannot include pdf files for which no source is included, or
> only Micro$oft .doc files, in a Debian package: We need the source code,
> and pdf, even if not compressed, cannot be taken as source code.
>
> This doesn't mean that we have to regenerate the pdf file, but we (and
> our users) must be able to do it.
> 
> Regards, Frank

Hi,

So if you only have a PDF file, you wouldn't include it in
the package, is that it? Even when it is the only doc
available and it is free to be modified or
redistributed?

I think it might be a different case with .doc files,
which can be assumed to be the source code of the pdf,
and sometimes can be imported correctly with open
source tools (not always). So you have the source,
even when you might not be able to exactly regenerate
the pdf from it with open source tools.

Greetings,
Miry



		


