2:05 p.m.
Hello.
Due to many CVEs and low quality/security of these packages as well as Windows oriented
upstream I'm going to orphan both jbig2dec and mupdf packages in Fedora/EPEL.
Sometimes the build doesn't reach stable branch just because it's deprecated by
new build with new CVE.
Feel free to take them.
--
Pavel
2:19 p.m.
On Tue, May 30, 2017 at 1:05 PM, Pavel Zhukov
<landgraf(a)fedoraproject.org> wrote:
Hello.
Due to many CVEs and low quality/security of these packages as well as Windows oriented
upstream I'm going to orphan both jbig2dec and mupdf packages in Fedora/EPEL.
Sometimes the build doesn't reach stable branch just because it's deprecated by
new build with new CVE.
Feel free to take them.
It sounds more like something to retire instead, at least on Fedora...
9:24 a.m.
On 05/30/2017 01:19 PM, Dridi Boukelmoune wrote:
On Tue, May 30, 2017 at 1:05 PM, Pavel Zhukov
<landgraf(a)fedoraproject.org> wrote:
> Hello.
> Due to many CVEs and low quality/security of these packages as well as Windows
oriented upstream I'm going to orphan both jbig2dec and mupdf packages in
Fedora/EPEL.
> Sometimes the build doesn't reach stable branch just because it's deprecated
by new build with new CVE.
> Feel free to take them.
It sounds more like something to retire instead, at least on Fedora...
At least
mupdf is needed in cups-filters as BuildRequire - cups-filters
uses it in pdftopdf filter, so abandoning it would resolve in more
difficult PDF printing in Fedora. And as I can see jbig2dec is in
BuildRequires for mupdf, I should take it.
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
--
Zdenek Dohnal
Associate Software Engineer
Brno, Purkyňova 99, Czech Republic
RED HAT | TRIED. TESTED. TRUSTED.
Every telecommunications Company in the Fortune Global 500 relies on Red Hat.
Find out why at Trusted | Red Hat
9:32 a.m.
2017-05-31 8:24 GMT+02:00 Zdenek Dohnal <zdohnal(a)redhat.com>:
On 05/30/2017 01:19 PM, Dridi Boukelmoune wrote:
> On Tue, May 30, 2017 at 1:05 PM, Pavel Zhukov
> <landgraf(a)fedoraproject.org> wrote:
>> Hello.
>> Due to many CVEs and low quality/security of these packages as well as Windows
oriented upstream I'm going to orphan both jbig2dec and mupdf packages in
Fedora/EPEL.
>> Sometimes the build doesn't reach stable branch just because it's
deprecated by new build with new CVE.
>> Feel free to take them.
> It sounds more like something to retire instead, at least on Fedora...
At least mupdf is needed in cups-filters as BuildRequire - cups-filters
uses it in pdftopdf filter, so abandoning it would resolve in more
difficult PDF printing in Fedora. And as I can see jbig2dec is in
BuildRequires for mupdf, I should take it.
For what it's worth, I briefly maintained mupdf in Mageia before
deciding to drop it from Cauldron (our development release) for the
same reasons that Pavel mentioned.
If you want to keep mupdf, I would advise to patch away the mujstest
program, which is the one affected by most CVEs against mupdf over the
last couple of years. Without mupdf, you'd be down to patching
security vulnerabilities every 2 months instead of every 2 weeks... :)
Regards,
Rémi
11:45 a.m.
On 05/31/2017 08:32 AM, Rémi Verschelde wrote:
2017-05-31 8:24 GMT+02:00 Zdenek Dohnal <zdohnal(a)redhat.com>:
> On 05/30/2017 01:19 PM, Dridi Boukelmoune wrote:
>> On Tue, May 30, 2017 at 1:05 PM, Pavel Zhukov
>> <landgraf(a)fedoraproject.org> wrote:
>>> Hello.
>>> Due to many CVEs and low quality/security of these packages as well as
Windows oriented upstream I'm going to orphan both jbig2dec and mupdf packages in
Fedora/EPEL.
>>> Sometimes the build doesn't reach stable branch just because it's
deprecated by new build with new CVE.
>>> Feel free to take them.
>> It sounds more like something to retire instead, at least on Fedora...
> At least mupdf is needed in cups-filters as BuildRequire - cups-filters
> uses it in pdftopdf filter, so abandoning it would resolve in more
> difficult PDF printing in Fedora. And as I can see jbig2dec is in
> BuildRequires for mupdf, I should take it.
For what it's worth, I briefly maintained mupdf in Mageia before
deciding to drop it from Cauldron (our development release) for the
same reasons that Pavel mentioned.
If you want to keep mupdf, I would advise to patch away the mujstest
program, which is the one affected by most CVEs against mupdf over the
last couple of years. Without mupdf, you'd be down to patching
security vulnerabilities every 2 months instead of every 2 weeks... :)
I disabled
mupdf in cups-filters - problem solved. We can retire it at
least from the view of cups-filters.
Regards,
Rémi
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
--
Zdenek Dohnal
Associate Software Engineer
Brno, Purkyňova 99, Czech Republic
RED HAT | TRIED. TESTED. TRUSTED.
Every telecommunications Company in the Fortune Global 500 relies on Red Hat.
Find out why at Trusted | Red Hat
2508
days inactive
2520
days old
5 comments
5 participants
participants (5)
-
Dridi Boukelmoune -
Pavel Zhukov -
Raphael Groner -
Rémi Verschelde -
Zdenek Dohnal