On 2005-03-30 14:00:38 +0200, Frank Küster wrote:
During the last months security support for software containing xpdf code was a nightmare - not only that there were many security issues discovered, moreover everybody used a different patch, it was unclear to what extent older versions were affected, and so forth. This was also a problem for us, the teTeX maintainers in Debian, which currently has three versions of pdftex with three different versions of the xpdf code.
I know; we even got contacted about some patches, which we didn't need to use -- a crash of pdfTeX is not really a security problem. :-)
What would you think about creating a shared library, "libxpdf", and using that for pdftex, either linked dynamically (for Linux/Unix distributions) or statically (for TeX-live and friends)?
Much. This actually was discussed at EuroTeX2005, but with a different focus: Having the xpdf functions for parsing PDF available for scripting languages like Python and Ruby.
There is already such a library, libpoppler, a fork of the xpdf code (http://poppler.freedesktop.org/). However, I do not know whether the xpdf author, Derek B. Noonburg, is generally unwilling to create a shared library, or whether people simply didn't ask him. Personally I would prefer to have as little a number of versions of the same code, and thus to get a shared library from xpdf proper.
poppler has a very different focus: rendering. We only need the parser of xpdf.
If you agree, I would be obliged if one of you would contact Derek Noonburg (derekn@foolabs.com) and ask him. He seems to be a little unresponsive at times, and has not answered a similar question from the maintainer of the xpdf package in Debian for a couple of weeks now. Maybe we can convince him that this is a good idea if he is approached from different sides.
I'll do this eventually, but don't expect anything from me soon. Most likely not before Sarge. :-)
Alternatively, if he is unwilling to make this change, do you think using libpoppler would be feasible?
See above. I'll look into it.

Best regards
Martin
--
http://www.tm.oneiros.de