
Re: My pending RFSs (xpdf, ushare, protoaculous, gordon, checksec)



On Fri, 16 Jul 2010 09:34:21 +0900, Osamu Aoki wrote:
> On Wed, Jul 14, 2010 at 11:02:21PM -0400, Michael Gilbert wrote:
> > Hi,
> > 
> > I have the following packages currently prepared and am waiting for
> > review by interested sponsors.  Some of these have been pending since
> > December 2009.
> > 
> > xpdf (http://mentors.debian.net/debian/pool/main/x/xpdf):
> > - I adopted this package a few months ago since it needed a
> >   security-minded maintainer, and I have made extensive changes with
> >   respect to forward security supportability (including making use of
> >   poppler) and some useful minor changes as well. See:
> >   http://lists.debian.org/debian-mentors/2010/06/msg00030.html
> 
> It said:
> The package can be found on mentors.debian.net:
> - URL: http://mentors.debian.net/debian/pool/main/x/xpdf
> - Source repository: deb-src http://mentors.debian.net/debian unstable
>   main contrib non-free
> - dget http://mentors.debian.net/debian/pool/main/x/xpdf/xpdf_3.02-3.dsc
> 
> But I only see:
> http://mentors.debian.net/debian/pool/main/x/xpdf/xpdf_3.02-8.dsc
> 
> It looks very nice.  I have a question.
> 
> I do not see security patches on the web in your patches:
> xpdf-3.02pl1.patch: a patch for a security hole (1050 bytes)
> xpdf-3.02pl2.patch: a patch for security holes (20843 bytes)
> xpdf-3.02pl3.patch: a patch for security holes (30727 bytes)
> xpdf-3.02pl4.patch: a patch for security holes (6982 bytes)
> 
> Is this because you are using poppler?

yes. the vulnerabilities exist only in the xpdf codebase that became
poppler. i no longer build any of that affected code (dynamically
linking to it in poppler instead where it is already patched), so there
is no need to retain those patches.

mike

