On Fri, 16 Jul 2010 09:34:21 +0900, Osamu Aoki wrote:
> On Wed, Jul 14, 2010 at 11:02:21PM -0400, Michael Gilbert wrote:
> > Hi,
> >
> > I have the following packages currently prepared and am waiting for
> > review by interested sponsors. Some of these have been pending since
> > December 2009.
> >
> > xpdf (http://mentors.debian.net/debian/pool/main/x/xpdf):
> > - I adopted this package a few months ago since it needed a
> > security-minded maintainer, and I have made extensive changes with
> > respect to forward security supportability (including making use of
> > poppler) and some useful minor changes as well. See:
> > http://lists.debian.org/debian-mentors/2010/06/msg00030.html
>
> It said:
> The package can be found on mentors.debian.net:
> - URL: http://mentors.debian.net/debian/pool/main/x/xpdf
> - Source repository: deb-src http://mentors.debian.net/debian unstable
> main contrib non-free
> - dget http://mentors.debian.net/debian/pool/main/x/xpdf/xpdf_3.02-3.dsc
>
> But I only see:
> http://mentors.debian.net/debian/pool/main/x/xpdf/xpdf_3.02-8.dsc
>
> It looks very nice. I have a question.
>
> I do not see security patches on the web in your patches:
> xpdf-3.02pl1.patch: a patch for a security hole (1050 bytes)
> xpdf-3.02pl2.patch: a patch for security holes (20843 bytes)
> xpdf-3.02pl3.patch: a patch for security holes (30727 bytes)
> xpdf-3.02pl4.patch: a patch for security holes (6982 bytes)
>
> Is this because you are using poppler?

yes. the vulnerabilities exist only in the xpdf codebase that became
poppler. i no longer build any of that affected code (dynamically
linking to it in poppler instead where it is already patched), so there
is no need to retain those patches.

mike

Archive: http://lists.debian.org/20100716121014.f3efa242.michael.s.gilb...@gmail.com