
Re: Bug#856652: RFS: xpdf/3.0.4.real-4



On 2017-03-08 at 07:59, Svante Signell wrote:

> On Wed, 2017-03-08 at 07:41 -0500, The Wanderer wrote:
> 
>> On 2017-03-08 at 00:55, Svante Signell wrote:

>>> I still don't get it. The proposed package _doesn't_ depend on
>>> poppler any more. If you have problems with previous
>>> xpdf+poppler versions up to 3.04-4, remove these from the archive
>>> then!
>> 
>> What about all the packages which depend on poppler and _aren't_
>> xpdf?
> 
> I did not propose to remove all libpoppler-based packages. I meant
> the xpdf versions depending on libpoppler.

Then the objection that Moritz stated remains: it will still be
necessary to 'fix all security issues affecting poppler/xpdf twice
instead of just once', because the code will exist in the archive in two
places: in the xpdf package, and in the library package.

The only ways to avoid this that I can see would be to remove the
libpoppler packages (and thus the packages based on them), or to
demonstrate - to the satisfaction of the security team - that the two
codebases are so far apart that to speak about one single security issue
affecting both is not meaningful.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man.         -- George Bernard Shaw
