[Secure-testing-team] Bits from the Testing Security team
jmm at inutil.org
Mon Oct 15 17:57:28 UTC 2007
On Mon, Oct 15, 2007 at 08:41:09AM +1000, Hamish Moffatt wrote:
> On Sun, Oct 14, 2007 at 11:38:35PM +0200, Stefan Fritsch wrote:
> > Embedded code copies
> > --------------------
> > There are a number of packages including source code from external
> > libraries, for example poppler is included in xpdf, kpdf and others. To
> FWIW, that's true but not the genealogy of the situation. Xpdf is the
> original source of the PDF processing code which is in kpdf and the old
> gpdf. The poppler guys took it to make the shared library.
> Xpdf seems to continue to lead poppler in PDF processing ability so I
> suspect poppler's authors continue to merge in changes. Unfortunately
> Xpdf's author (upstream) has not been interested in providing a shared
> library which would have made libpoppler obselete. (There are requests
> for it in our BTS.)
> So you are right that similar code is embedded in the library and in
> Xpdf. I offer this note of explanation because suggesting that Xpdf
> embeds code from poppler is an insult to Xpdf's upstream (which I know
> you did not intend).
xpdf security updates are a traumatic experience, and I'd like to leave
them behind as far as possible.
Can we please cherry-pick all xpdf improvements into poppler 4-5 months
prior to Lenny release and link xpdf against poppler?
IIRC Ubuntu is doing this for some time now, CCing Martin Pitt.
More information about the Secure-testing-team