
List:       freedesktop-poppler
Subject:    Re: Poppler 24.04.0 released
From:       William Bader <williambader () hotmail ! com>
Date:       2024-04-02 1:18:08
Message-ID: PAXPR09MB5071557EE4C21B141B273061C43E2 () PAXPR09MB5071 ! eurprd09 ! prod ! outlook ! com

Thanks. I was also worried about using xz unnecessarily on my Fedora laptop.
________________________________
From: poppler <poppler-bounces@lists.freedesktop.org> on behalf of Albert Astals Cid <aacid@kde.org>
Sent: Monday, April 1, 2024 6:41 PM
To: poppler@lists.freedesktop.org <poppler@lists.freedesktop.org>
Subject: Re: Poppler 24.04.0 released

On Monday, 1 April 2024, at 20:59:13 (CEST), William Bader wrote:
> Until the full extent of the recent xz compromise is known, would it be
> possible to distribute in an additional format like bz2?

If you fear my system has been potentially compromised and the tar.xz I created can
not be trusted, you should not trust the tar.bz2 I created either.

You can create your own tarballs by running
  git archive --prefix=poppler-24.4.0/ 0aa1fe5c30a6c467c91bad8d81bd6c2f57fcb726 > poppler-24.4.0.tar
on the git repository

If you check the
  add_custom_target(dist
in CMakeLists.txt that and a few small other things is what is used to create the
release tarball.

Cheers,
  Albert

> The compromise was
> introduced in xz 5.6.0, which is only in bleeding edge distributions, but
> the developer controlled releases starting at 5.3.1.
> 
> "backdoor in upstream xz/liblzma leading to ssh server compromise"
> https://www.openwall.com/lists/oss-security/2024/03/29/4
> 
> "Linux xz Backdoor Damage Could Be Greater Than Feared"
> https://thenewstack.io/linux-xz-backdoor-damage-could-be-greater-than-feared/
> 
> ________________________________
> From: poppler <poppler-bounces@lists.freedesktop.org> on behalf of Albert Astals Cid <aacid@kde.org>
> Sent: Monday, April 1, 2024 4:08 AM
> To: poppler@lists.freedesktop.org <poppler@lists.freedesktop.org>
> Cc: ftp-release@lists.freedesktop.org <ftp-release@lists.freedesktop.org>
> Subject: Poppler 24.04.0 released
> 
> Available from http://poppler.freedesktop.org/poppler-24.04.0.tar.xz
> 
> The tarball is signed at
> http://poppler.freedesktop.org/poppler-24.04.0.tar.xz.sig with my key
> https://pgp.surfnet.nl/pks/lookup?op=get&search=0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7
> 
> Release 24.04.0:
> core:
> * Optimize page text extraction speed
> * Fix clipping path handling in some files. Issue #739
> * Fix regression in text selection
> * Fix text search across lines between paragraphs
> 
> qt6:
> * Fix crash in SoundObject::data
> 
> utils:
> * pdfsig: Add Catalan translation
> 
> build system:
> * Build code as C++20
> 
> This release was brought to you by Albert Astals Cid, Josep M. Ferrer,
> Nelson Benítez León, Stefan Brüns and everyone else that filed bugs or
> helped with code reviews :)
> 
> Testing, patches and bug reports welcome.
> 
> Cheers,
> Albert
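
Added example (not part of the original messages and not Poppler's own tooling): a Python script that compares a downloaded release tarball with one rebuilt by the `git archive` command quoted above, file by file, so that whatever the release process adds on top of `git archive` appears as an explicit list to review. The function names and the in-memory sample archives are constructed for illustration.

```python
import hashlib
import io
import tarfile


def tar_digests(fileobj):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:  # any compression
        for member in tar:
            if not member.isfile():  # directories, symlinks etc. are skipped
                continue
            # Drop the leading "poppler-<version>/" component so archives
            # built with different --prefix values still line up.
            name = member.name.partition("/")[2] or member.name
            data = tar.extractfile(member).read()
            digests[name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_tarballs(release, rebuilt):
    """Return the paths that differ between a release tarball and a rebuild."""
    rel, own = tar_digests(release), tar_digests(rebuilt)
    return {
        "only_in_release": sorted(rel.keys() - own.keys()),
        "only_in_git": sorted(own.keys() - rel.keys()),
        "content_differs": sorted(
            n for n in rel.keys() & own.keys() if rel[n] != own[n]
        ),
    }


def make_tar(files, prefix):
    """Build an in-memory tar from {path: bytes}; used for the sample data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(prefix + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample archives, not real Poppler contents.
    git = {"CMakeLists.txt": b"project(poppler)\n", "poppler/Page.cc": b"// page\n"}
    rel = dict(git, **{"generated/extra.txt": b"added at release time\n"})
    print(compare_tarballs(make_tar(rel, "poppler-24.04.0/"),
                           make_tar(git, "poppler-24.4.0/")))
```

For real archives, pass `open(path, "rb")` handles for the downloaded tarball and the `git archive` output; only regular-file contents are compared, not modes or symlinks.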

