Re: [Podofo-users] Releasing 0.9.7 ?

2019-11-12 Thread Mattia Rizzolo
On Tue, Nov 05, 2019 at 10:56:49PM +0100, Matthew Brincke wrote:
> I don't think a new release should contain any known security issues,
> and if I recall correctly this was already deprioritised in 0.9.6, it'd
> disappoint me if this happened again.

Well, IMHO it's not something to be ashamed of :)
Bugs happen all the time to all kind of projects, security issues are
just one kind of them.  Considering the flow and the rate at which they
are being fixed, it just feels to me that some are going to take quite a
while more to see a fix.

> Is it still called "cherry-picking"
> when all the patches are taken into the packaging, or is there something
> to exclude from the Debian package (if I'm informed right, 0.9.7 is to be
> a bugfix-only release)?

I'm not sure what you mean here.  Clearly, every time I take a single
commit into the packaging that is not part of the base release, that's
called "cherry-picking", isn't it?

I'm not particularly bothered by the cherry-picking per se, just that at
one point it can get tricky to apply patches that are conflicting with
each other, plus due to the nature of this project that doesn't consider
ABI stability yet we also have to double check that the ABI isn't broken
(like it happened a couple of years ago), so it's just somewhat annoying
at times.

> > Are there any particular blockers for 0.9.7 at this time?
> 
> I would also like to work on a fix for CVE-2018-8002 if it's understood
> that it would entail a technical limit for nesting as there are limits
> given in an appendix of the PDF spec (free PDF32000_2008.pdf). For me,
> getting acceptance on what should be in the special (documentation)
> revision 2000 (see other ML post, please) would come first.

Yes, I've seen the posts about r2000.  I see we are only a commit away
from it ;)


In any case, just take this thread of mine as a kind request for a new
release, nothing more.  I have to take on commits for the debian stable
releases anyway, so I'm going to survive either way!  No need to hurry
or anything.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
More about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature
___
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users


Re: [Podofo-users] Releasing 0.9.7 ?

2019-11-05 Thread Matthew Brincke
> On 29 October 2019 at 13:24 Mattia Rizzolo  wrote:
> 
> Hello,

Hello Mattia, hello all,

> I believe it's high time for a new PoDoFo release.
> It has been slightly more than one year since the last one was done.
> Alright, there are still a few CVEs and other bugs opened, but many
> have been fixed in the same time, and it's getting slightly annoying to
> keep cherry-picking patches. Also, it's likely that more will appear
> the more we wait, so it doesn't make much sense to wait more.

I don't think a new release should contain any known security issues,
and if I recall correctly this was already deprioritised in 0.9.6, it'd
disappoint me if this happened again. Is it still called "cherry-picking"
when all the patches are taken into the packaging, or is there something
to exclude from the Debian package (if I'm informed right, 0.9.7 is to be
a bugfix-only release)?
> Are there any particular blockers for 0.9.7 at this time?

I would also like to work on a fix for CVE-2018-8002 if it's understood
that it would entail a technical limit for nesting as there are limits
given in an appendix of the PDF spec (free PDF32000_2008.pdf). For me,
getting acceptance on what should be in the special (documentation)
revision 2000 (see other ML post, please) would come first.

> --regards, Mattia Rizzolo

Best regards, mabri




[Podofo-users] Releasing 0.9.7 ?

2019-10-29 Thread Mattia Rizzolo
Hello,

I believe it's high time for a new PoDoFo release.
It has been slightly more than one year since the last one was done.

Alright, there are still a few CVEs and other bugs opened, but many
have been fixed in the same time, and it's getting slightly annoying to
keep cherry-picking patches.  Also, it's likely that more will appear
the more we wait, so it doesn't make much sense to wait more.

Are there any particular blockers for 0.9.7 at this time?

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
More about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

