
Bug#856652: RFS: xpdf/3.0.4.real-4



Dear Svante,

On Sat, Mar 04, 2017 at 06:43:35PM +0100, Svante Signell wrote:
> This is the big problem, the two code bases are diverging. See a good
> description about the status of xpdf from December 2013:
> https://www.agwa.name/blog/post/the_sorry_state_of_xpdf_in_debian
> 
> After my asking around to poppler and upstream Glyph & Cog, LLC, in the
> name of Derek B. Noonburg, created a new upstream release, 3.04. See
> the CHANGES file (changelog in the debian package) in the upstream
> tarball for the latest fixes.
> 
> However, Debian chose to continue trying to catch up with the patches
> to libpoppler, in my opinion a very bad choice. The current state is
> really bad, most of the bugs are due to the use of the libpoppler
> backend.
> [...]
> The solution I've chosen is to remove the poppler backend completely.
> That fixes 11+ important and normal bugs (and probably many minor and
> wishlist ones too, I haven't looked into that yet)
> 
> If somebody wants a poppler-based xpdf, it should be renamed to
> something else, e.g. ppdf, and maybe even be integrated in the poppler
> upstream code. Trying to merge xpdf frontend with the poppler backend
> is just a losing battle.

Thank you for the further information, and especially for the link to
Andrew Ayer's blog post.

I agree with you that a poppler-based xpdf is not maintainable until and
unless xpdf upstream switches to poppler.  However, it is not clear to
me why we shouldn't just remove xpdf from Debian.  The main reason that
Debian insists on using shared libraries instead of bundled copies of
code is because it permits faster responses to security problems
uncovered in those shared libraries.  A security bug in poppler would
now need to be fixed in xpdf's copy and in the main library.

This might not be a big deal if xpdf was a package that read, say, text
files.  However, PDFs are complex and are increasingly used as vectors
for malware.  PDF readers are becoming an attack surface comparable to
web browsers, as more and more people use PDFs for more and more of
their work.  So we need to ensure that Debian is in a strong position to
tackle any security issues that are uncovered.  Otherwise, we are doing
a real disservice to our users.  It seems to me that one of the most
sensible things we could do to protect Debian users from malicious PDFs
is to remove xpdf from the Debian mirrors.

-- 
Sean Whitton


