
Bug#856652: RFS: xpdf/3.0.4.real-4



On Sat, 2017-03-04 at 11:49 -0700, Sean Whitton wrote:
> Dear Svante,
> 
> I agree with you that a poppler-based xpdf is not maintainable until
> and unless xpdf upstream switches to poppler.  However, it is not
> clear to me why we shouldn't just remove xpdf from Debian.  The main
> reason that Debian insists on using shared libraries instead of
> bundled copies of code is because it permits faster responses to
> security problems uncovered in those shared libraries.  A security
> bug in poppler would now need to be fixed in xpdf's copy and in the
> main library.

Maybe I don't understand. The version of xpdf I'm proposing is no
longer dependent on poppler. So why are you talking about poppler?
What are the security issues of upstream xpdf? I'd really like to
know, and if possible forward these problems to upstream: Glyph & Cog,
LLC. Additionally, what are the poppler-based security issues?

> This might not be a big deal if xpdf was a package that read, say,
> text files.  However, PDFs are complex and are increasingly used as
> vectors for malware.  PDF readers are becoming an attack surface
> comparable to web browsers, as more and more people use PDFs for more
> and more of their work.  So we need to ensure that Debian is in a
> strong position to tackle any security issues that are
> uncovered.  Otherwise, we are doing a real disservice to our
> users.  It seems to me that one of the most sensible things we could
> do to protect Debian users from malicious PDFs is to remove xpdf from
> the Debian mirrors.

See above. Which version of xpdf are you referring to, the poppler-
based one, or the upstream one?

And BTW: poppler upstream seems to be freedesktop.org, i.e. gnome. Who
can trust gnome nowadays, especially people preferring systemd-free
software?
