[prev in list] [next in list] [prev in thread] [next in thread]
List: freedesktop-poppler
Subject: Re: Poppler 24.04.0 released
From: William Bader <williambader () hotmail ! com>
Date: 2024-04-02 1:18:08
Message-ID: PAXPR09MB5071557EE4C21B141B273061C43E2 () PAXPR09MB5071 ! eurprd09 ! prod ! outlook ! com
[Download RAW message or body]
Thanks. I was also worried about using xz unnecessary on my fedora laptop.
________________________________
From: poppler <poppler-bounces@lists.freedesktop.org> on behalf of Albert Astals Cid \
<aacid@kde.org>
Sent: Monday, April 1, 2024 6:41 PM
To: poppler@lists.freedesktop.org <poppler@lists.freedesktop.org>
Subject: Re: Poppler 24.04.0 released
El dilluns, 1 d’abril del 2024, a les 20:59:13 (CEST), William Bader va escriure:
> Until the full extent of the recent xz compromise is known, would it be
> possible to distribute in an additional format like bz2?
If you fear my system has been potentially compromised and the tar.xz I created can \
not be trusted, you should not trust the tar.bz2 I created either.
You can create your own tarballs by running
git archive --prefix=poppler-24.4.0/ 0aa1fe5c30a6c467c91bad8d81bd6c2f57fcb726 > \
poppler-24.4.0.tar on the git repository
If you check the
add_custom_target(dist
in CMakeLists.txt that and a few small other things is what is used to create the \
release tarball.
Cheers,
Albert
> The compromise was
> introduced in xz 5.6.0, which is only in bleeding edge distributions, but
> the developer controlled releases starting at 5.3.1.
>
> "backdoor in upstream xz/liblzma leading to ssh server compromise"
> https://www.openwall.com/lists/oss-security/2024/03/29/4
>
> "Linux xz Backdoor Damage Could Be Greater Than Feared"
> https://thenewstack.io/linux-xz-backdoor-damage-could-be-greater-than-feare
> d/
>
>
>
>
> ________________________________
> From: poppler <poppler-bounces@lists.freedesktop.org> on behalf of Albert
> Astals Cid <aacid@kde.org> Sent: Monday, April 1, 2024 4:08 AM
> To: poppler@lists.freedesktop.org <poppler@lists.freedesktop.org>
> Cc: ftp-release@lists.freedesktop.org <ftp-release@lists.freedesktop.org>
> Subject: Poppler 24.04.0 released
>
> Available from http://poppler.freedesktop.org/poppler-24.04.0.tar.xz
>
> The tarball is signed at
> http://poppler.freedesktop.org/poppler-24.04.0.tar.xz.sig with my key
> https://pgp.surfnet.nl/pks/lookup?op=get&search=0xCA262C6C83DE4D2FB28A332A3
> A6A4DB839EAA6D7
>
> Release 24.04.0:
> core:
> * Optimize page text extraction speed
> * Fix clipping path handling in some files. Issue #739
> * Fix regression in text selection
> * Fix text search across lines between paragraphs
>
> qt6:
> * Fix crash in SoundObject::data
>
> utils:
> * pdfsig: Add Catalan translation
>
> build system:
> * Build code as C++20
>
> This release was brought to you by Albert Astals Cid, Josep M. Ferrer,
> Nelson Benítez León, Stefan Brüns and everyone else that filed bugs or
> helped with code reviews :)
>
> Testing, patches and bug reports welcome.
>
> Cheers,
> Albert
[Attachment #3 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body>
<div style="font-family: inherit; font-size: inherit; color: rgb(0, 0, 0);"><br>
</div>
<div>Thanks. I was also worried about using xz unnecessary on my fedora laptop.</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" \
style="font-size:11pt" color="#000000"><b>From:</b> poppler \
<poppler-bounces@lists.freedesktop.org> on behalf of Albert Astals Cid \
<aacid@kde.org><br> <b>Sent:</b> Monday, April 1, 2024 6:41 PM<br>
<b>To:</b> poppler@lists.freedesktop.org <poppler@lists.freedesktop.org><br>
<b>Subject:</b> Re: Poppler 24.04.0 released</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">El dilluns, 1 d’abril del 2024, a les 20:59:13 (CEST), William \
Bader va escriure:<br> > Until the full extent of the recent xz compromise is \
known, would it be<br> > possible to distribute in an additional format like bz2? \
<br> <br>
If you fear my system has been potentially compromised and the tar.xz I created can \
not be trusted, you should not trust the tar.bz2 I created either.<br> <br>
You can create your own tarballs by running<br>
git archive --prefix=poppler-24.4.0/ 0aa1fe5c30a6c467c91bad8d81bd6c2f57fcb726 \
> poppler-24.4.0.tar<br> on the git repository<br>
<br>
If you check the <br>
add_custom_target(dist<br>
in CMakeLists.txt that and a few small other things is what is used to create the \
release tarball.<br> <br>
Cheers,<br>
Albert<br>
<br>
> The compromise was<br>
> introduced in xz 5.6.0, which is only in bleeding edge distributions, but<br>
> the developer controlled releases starting at 5.3.1.<br>
> <br>
> "backdoor in upstream xz/liblzma leading to ssh server compromise"<br>
> <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">https://www.openwall.com/lists/oss-security/2024/03/29/4</a><br>
> <br>
> "Linux xz Backdoor Damage Could Be Greater Than Feared"<br>
> <a href="https://thenewstack.io/linux-xz-backdoor-damage-could-be-greater-than-feare">
https://thenewstack.io/linux-xz-backdoor-damage-could-be-greater-than-feare</a><br>
> d/<br>
> <br>
> <br>
> <br>
> <br>
> ________________________________<br>
> From: poppler <poppler-bounces@lists.freedesktop.org> on behalf of \
Albert<br> > Astals Cid <aacid@kde.org> Sent: Monday, April 1, 2024 4:08 \
AM<br> > To: poppler@lists.freedesktop.org \
<poppler@lists.freedesktop.org><br> > Cc: ftp-release@lists.freedesktop.org \
<ftp-release@lists.freedesktop.org><br> > Subject: Poppler 24.04.0 \
released<br> > <br>
> Available from <a href="http://poppler.freedesktop.org/poppler-24.04.0.tar.xz">
http://poppler.freedesktop.org/poppler-24.04.0.tar.xz</a><br>
> <br>
> The tarball is signed at<br>
> <a href="http://poppler.freedesktop.org/poppler-24.04.0.tar.xz.sig">http://poppler.freedesktop.org/poppler-24.04.0.tar.xz.sig</a> \
with my key<br> > <a \
href="https://pgp.surfnet.nl/pks/lookup?op=get&search=0xCA262C6C83DE4D2FB28A332A3">
https://pgp.surfnet.nl/pks/lookup?op=get&search=0xCA262C6C83DE4D2FB28A332A3</a><br>
> A6A4DB839EAA6D7<br>
> <br>
> Release 24.04.0:<br>
> core:<br>
> * Optimize page text extraction speed<br>
> * Fix clipping path handling in some files. Issue #739<br>
> * Fix regression in text selection<br>
> * Fix text search across lines between paragraphs<br>
> <br>
> qt6:<br>
> * Fix crash in SoundObject::data<br>
> <br>
> utils:<br>
> * pdfsig: Add Catalan translation<br>
> <br>
> build system:<br>
> * Build code as C++20<br>
> <br>
> This release was brought to you by Albert Astals Cid, Josep M. Ferrer,<br>
> Nelson Benítez León, Stefan Brüns and everyone else that filed bugs or<br>
> helped with code reviews :)<br>
> <br>
> Testing, patches and bug reports welcome.<br>
> <br>
> Cheers,<br>
> Albert<br>
<br>
<br>
<br>
<br>
</div>
</span></font></div>
</body>
</html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic