
Re: CamlPDF update



On 07/10/2013 17:57, John Whitington wrote:
> Thanks for your hard work in packaging CamlPDF for Debian thus far.
> 
> I'm just writing to let you know that CamlPDF:
> 
> a) Is now under LGPL, so in theory can move out of non-free into main
> debian
> b) Has been updated to version 1.7
> 
> Here's the new source:
> 
> https://github.com/johnwhitington/camlpdf
> 
> Let me know if there's anything I can do to help! The build system has
> been improved, and there are now no dependencies.

I have updated the Debian package in git to version 1.7.1. However, a
few things are worrisome:

 * You embed miniz.c, which is not the latest version. What are your
   plans concerning its updates? Potential security fixes?
 * You embed a modified camlzip that uses miniz.c. Same questions.
 * In pdfafmdata.ml, there is embedded data that is copyright Adobe with
   no clear license. I could not find its origin.

Embedding third-party stuff like that is bad practice. Concerning zip
stuff, it would be much better to provide a way to use the system zlib
and camlzip. For AFM data, please document where you get them from, and
what is its license.

Keep in mind that it is usually better to depend on external stuff, so
that these dependencies can be updated independently. Especially for C
code, where security vulnerabilities are often found and fixed.


Cheers,

-- 
Stéphane

