Miriam Ruiz <[EMAIL PROTECTED]> wrote:

> --- Justin Pryzby <[EMAIL PROTECTED]> wrote:
>
>> PDF can be trojaned, so you should at least *provide* a way to
>> generate them from their sources, even if that makefile rule is not
>> called by default, and the additional build-dependencies are just a
>> note in debian/rules.
>
> In case only PDF files were provided, or PDF provided came from .doc
> files or something like that, is it OK to include them?
There are two problems with this: Security and DFSG-freeness.

I wouldn't put too much weight in the security thing. If you don't understand postscript or pdf, you won't detect the exploit - it doesn't matter if it is in the ps/pdf file, or in a \special command in the LaTeX/Lyx sources. Just as you would not detect a possible trojan written in C if you package something that compiles a *.c file, and you hardly know C. Ask yourself: Can you trust upstream? Do they provide md5sums, or even gpg sigs, for the tarballs? Do other people use and audit the software?

But you cannot include pdf files for which no source is included, or only Micro$oft .doc files, in a Debian package: We need the source code, and pdf, even if not compressed, cannot be taken as source code. This doesn't mean that we have to regenerate the pdf file, but we (and our users) must be able to do it.

Regards, Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer

