On Wed, 2017-03-08 at 08:10 -0500, The Wanderer wrote:
> On 2017-03-08 at 07:59, Svante Signell wrote:
> 
> > On Wed, 2017-03-08 at 07:41 -0500, The Wanderer wrote:
> > 
> > > On 2017-03-08 at 00:55, Svante Signell wrote:
> > > > I still don't get it. The proposed package _doesn't_ depend on
> > > > poppler any more. If you have problems with previous
> > > > xpdf+poppler versions up to 3.04-4, remove these from the archive
> > > > then!
> > > 
> > > What about all the packages which depend on poppler and _aren't_
> > > xpdf?
> > 
> > I did not propose to remove all libpoppler-based packages. I meant
> > the xpdf versions depending on libpoppler.
> 
> Then the objection that Moritz stated remains: it will still be
> necessary to 'fix all security issues affecting poppler/xpdf twice
> instead of just once', because the code will exist in the archive in two
> places: in the xpdf package, and in the library package.

In my opinion this is not the case. As written several times, poppler, a fork of
xpdf 3.0 long before 2010, and the current release are to be regarded as
different code bases. Take a look at the poppler release history:
https://poppler.freedesktop.org/releases.html

Version 3.04 is mentioned only for fixing glyph handling in November 2016, while
the latest merge was of 3.03 in March 2012.

Additionally, most of the 60 bugs on xpdf are due to this diversion. By packaging
the _real_ upstream version, 11+ of these (I&N) are closed by my proposed
upload. I haven't checked all the (I&N) bugs or any (M&W) bugs yet.

> The only ways to avoid this that I can see would be to remove the
> libpoppler packages (and thus the packages based on them), or to
> demonstrate - to the satisfaction of the security team - that the two
> codebases are so far apart that to speak about one single security issue
> affecting both is not meaningful.

Two codebases should be the correct conclusion, yes. See above.

FYI: Upstream is working on a new release, soon to be released.
FYI: There was an effort to create xpdf-poppler, see:
https://github.com/rbrito/xpdf-poppler. But that project has not had any commits
since December 2013, so it could be regarded as dead by now.

Thank you for your time :)
