
Re: Bug#856652: RFS: xpdf/3.0.4.real-4



On 2017-03-08 at 00:55, Svante Signell wrote:

> On Tue, 2017-03-07 at 22:43 +0100, Moritz Muehlenhoff wrote:
> 
>> On Tue, Mar 07, 2017 at 08:17:08AM +0100, Svante Signell wrote:
>> 
>>> I don't see where your concerns regarding security are, please
>>> explain.
>> 
>> Your package can't enter the archive since this would require to
>> fix all security issues in poppler/xpdf twice instead of just once
>> in the library package.
> 
> I still don't get it. The proposed package _doesn't_ depend on
> poppler any more. If you have problems with previous xpdf+poppler
> versions up to 3.04-4, remove these from the archive then!

What about all the packages which depend on poppler and _aren't_ xpdf?

There are enough *poppler* packages that it's not entirely trivial to
come up with a list, but to pick libpoppler64 as an example:

$ apt-cache rdepends libpoppler64 | grep -v poppler
Reverse Depends:
  xpdf
  texworks
  texlive-binaries
  boomaga
  pdf2htmlex
  pdf2djvu
  libreoffice-pdfimport
  pdftoipe
  inkscape
  libgdcm-tools
  libgdal20
  gambas3-gb-pdf
  extractpdfmark
  elpa-pdf-tools-server
  cups-filters-core-drivers
  cups-filters
  karbon

and reviewing those packages with 'apt-cache show' confirms that all of
these are Depends, not Recommends.

Do we really want to remove all of these packages from the archive, just
to be able to track xpdf upstream directly (or even to retain xpdf)?

For some of them, whose PDF support isn't integral to the package's
functionality, it might be possible to just rebuild without the poppler
dependency (with the presumably-undesirable side effect of losing the
PDF support) - but for others, such as the PDF-converter tools, that
almost certainly isn't an option.

For the latter, the only solution I see that doesn't involve retaining
poppler in the archive would be to include a copy of the relevant code
in the depending package itself - and, according to my understanding
from earlier in this thread, that is exactly what libpoppler was created
to avoid.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
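
Added example, not part of the original message: one way to script the 'apt-cache show' review described above, so each reverse dependency is labelled by the field that actually names the library (a hard Depends means removing the library removes the package). The function name, package names and stanzas are constructed for illustration; in real use the input would be the output of `apt-cache show`.

```shell
#!/bin/sh
# Classify how each package stanza on stdin relates to one library.
# Usage (assumed): apt-cache show pkg1 pkg2 ... | dep_kinds libpoppler64
dep_kinds() {
    awk -v lib="$1" '
    # True when a relationship field names lib exactly, ignoring version
    # constraints "(>= x)", ":arch" qualifiers and "a | b" alternatives.
    function names(value,    n, i, parts, p) {
        n = split(value, parts, /[,|]/)
        for (i = 1; i <= n; i++) {
            p = parts[i]
            sub(/[(].*/, "", p)      # drop version constraint
            sub(/:.*/, "", p)        # drop architecture qualifier
            gsub(/[ \t]/, "", p)
            if (p == lib) return 1   # exact name, so libfoo-dev != libfoo
        }
        return 0
    }
    function emit() { if (pkg != "") print pkg ": " (kind == "" ? "none" : kind) }
    /^Package:/ { emit(); pkg = $2; kind = "" }
    /^(Pre-Depends|Depends|Recommends|Suggests):/ {
        field = $1; sub(/:$/, "", field)
        value = $0; sub(/^[^:]*:/, "", value)
        # Fields appear strongest first in a stanza; keep the first match.
        if (kind == "" && names(value)) kind = field
    }
    END { emit() }
    '
}

# Constructed sample stanzas (hypothetical packages, not real archive data).
sample_stanzas() {
    cat <<'EOF'
Package: converter-example
Depends: libc6 (>= 2.14), libpoppler64 (>= 0.48.0)

Package: editor-example
Depends: libc6 (>= 2.14)
Recommends: libpoppler64 | libother1

Package: devtool-example
Depends: libpoppler64-dev, libpoppler-glib8
EOF
}

sample_stanzas | dep_kinds libpoppler64
```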
