Re: RFS: xpdf (updated package)

[Michael Gilbert <michael.s.gilbert@gmail.com>]

On Sun, 7 Feb 2010 19:19:37 +0100 Nico Golde wrote:

> Hey,
> * Michael Gilbert [2010-02-07 18:22]:
> > I have prepared an updated package for xpdf that fixes quite a few
> > security issues (and a couple cosmetic ones as well).  The package is
> > available at [0].  Note that I've built updated etch and lenny packages
> > there as well, which I am getting sponsorship from the security team.
> > They can be ignored.
> > 
> > Would anyone be willing to sponsor this upload?
> 
> Please split the security patches into separated files for each CVE id. 
> Otherwise it's impossible to check whether you fixed all of them or not.

Hi,

If the upstream patch is split up, I think it will actually make it a
lot more difficult to verify my work.  The upstream patch [0],[1],
lumps all of these CVEs into one file. Note that reference [1] is linked
from all of the mitre CVE pages as the patch for all of these issues.

If splitting up the upstream patch is the right thing to do, then I
will certainly do that, but it seems a bit like busy work, and I think
it actually makes your work harder.  Please advise.

Thanks,
Mike

[0] http://www.foolabs.com/xpdf/download.html
[1] ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch