Hi Svante,

I could not find the xpdf upstream developer pages. Your message here:

On Wed, 8 Mar 2017, Svante Signell wrote:
And FYI: Quoting from upstream, sent to me yesterday:
Regarding security bugs, I try to respond to those as quickly as possible.

gives the impression that there is just one person developing/maintaining xpdf upstream. Feel free to correct my guess by giving us the URL to the xpdf upstream developers' repository.

For a package with a Debian usership of thousands:

https://qa.debian.org/popcon.php?package=xpdf

that deals with an extremely widespread document format that has recently developed the reputation of being actively exploited:

http://www.computerworld.com/article/2517774/security0/pdf-exploits-explode--continue-climb-in-2010.html
http://www.computerworld.com/article/2493378/desktop-apps/zero-day-pdf-exploit-reportedly-defeats-adobe-reader-sandbox-protection.html

the systematic long-term sustainable aspects of modularity and security maintenance would seem to me to require a team of many people, not just one (no matter how well-intentioned and skillful at coding s/he is).

Upstream poppler has had 7 different people uploading to git since 1 Jan 2017:

https://cgit.freedesktop.org/poppler/poppler/log/

Cheers
Boud