Debian Bug report logs -
#637040
RM: t1lib/5.1.2-3
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#637040; Package release.debian.org.
(Mon, 08 Aug 2011 00:39:04 GMT).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Mon, 08 Aug 2011 00:39:04 GMT).
Message #5 received at submit@bugs.debian.org:
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: rm
Severity: normal
Hi,
t1lib has a significant set of security vulnerabilities [0] and there
is no sign of them ever getting fixed with upstream missing in action
for over three years now. Because of these issues, xpdf for example
has dropped support for it in favor of freetype2 [1]. poppler did
this a long time ago as well.
There are a few reverse dependencies, which could also be updated to
use freetype instead. These include:
php5 (php5-gd binary package)
xdvik-ja
vflib3
matita
libimager-perl
lablgtkmathview
grace
evince (libevince3 binary package)
dvipng
I would recommend removing t1lib from the archive. If the release
team concurs with this, I will file serious bugs against the
reverse dependencies.
Once that's done and everyone is in concurrence, I'll send a
message to the ftp masters for removal.
Best wishes,
Mike
[0] http://security-tracker.debian.org/tracker/source-package/t1lib
[1] http://www.foolabs.com/xpdf/download.html
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#637040; Package release.debian.org.
(Wed, 17 Aug 2011 21:30:05 GMT).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Wed, 17 Aug 2011 21:30:05 GMT).
Message #10 received at 637040@bugs.debian.org:
tag 637040 moreinfo
kthxbye
On Sun, Aug 7, 2011 at 20:36:04 -0400, Michael Gilbert wrote:
> t1lib has a significant set of security vulnerabilities [0] and there
> is no sign of them ever getting fixed with upstream missing in action
> for over three years now. Because of these issues, xpdf for example
> has dropped support for it in favor of freetype2 [1]. poppler did
> this a long time ago as well.
>
> There are a few reverse dependencies, which could also be updated to
> use freetype instead. These include:
>
> php5 (php5-gd binary package)
> xdvik-ja
> vflib3
> matita
> libimager-perl
> lablgtkmathview
> grace
> evince (libevince3 binary package)
> dvipng
>
> I would recommend removing t1lib from the archive. If the release
> team concurs with this, I will file serious bugs against the
> reverse dependencies.
>
> Once that's done and everyone is in concurrence, I'll send a
> message to the ftp masters for removal.
>
As said on irc, filing (non-RC for now) bugs against the reverse
dependencies and providing patches as much as possible should happen
prior to any removal. Tagging moreinfo for now.
Cheers,
Julien
Added tag(s) moreinfo.
Request was from Julien Cristau <jcristau@debian.org>
to control@bugs.debian.org.
(Wed, 17 Aug 2011 21:30:09 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#637040; Package release.debian.org.
(Sun, 21 Aug 2011 16:21:03 GMT).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sun, 21 Aug 2011 16:21:03 GMT).
Message #17 received at 637040@bugs.debian.org:
tag 637040 -moreinfo
thanks
On Wed, Aug 17, 2011 at 5:26 PM, Julien Cristau wrote:
> As said on irc, filing (non-RC for now) bugs against the reverse
> dependencies and providing patches as much as possible should happen
> prior to any removal. Tagging moreinfo for now.
Bugs are now submitted (with patches for the more popular/important
reverse dependencies):
php5 (bug #638755 with patch)
xdvik-ja (bug #638764)
vflib3 (bug #638756 with patch)
matita (bug #638763)
libimager-perl (bug #638762)
gtkmathview (bug #638761)
grace (bug #638760)
evince (bug #638759 with patch)
dvipng (bug #638757 with patch)
Best wishes,
Mike
Removed tag(s) moreinfo.
Request was from Michael Gilbert <michael.s.gilbert@gmail.com>
to control@bugs.debian.org.
(Sun, 21 Aug 2011 16:21:05 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#637040; Package release.debian.org.
(Mon, 22 Aug 2011 06:21:03 GMT).
Acknowledgement sent
to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Mon, 22 Aug 2011 06:21:03 GMT).
Message #24 received at 637040@bugs.debian.org:
tag 638755 - patch
tag 638755 moreinfo
thanks
Hi,
On Sunday 21 August 2011 11:01:44 Michael Gilbert wrote:
> package: php5
> version: 5.3.7-1
> severity: important
> tag: patch
>
> t1lib is slated to be removed (in favor of freetype) before wheezy ships
> [0],[1]. This package is currently one of its reverse dependencies.
>
> Attached is a patch that disables t1lib in the build process.
It disables t1lib along with some functions, so no, that's not a patch that
we'd use.
For context, the following are the PHP functions that require t1lib:
imagepsloadfont
imagepsfreefont
imagepsencodefont
imagepsextendfont
imagepsslantfont
imagepstext
imagepsbbox
I'm not sure what it would take to make those functions compatibility wrappers
around ft2-based functions.
@Pierre: as upstream maintainer, what's your opinion on making this change
upstream? (possibly for 5.4?)
The primary reason for this change is stated at http://bugs.debian.org/637040
At least the phpdoc needs to be more explicit that the imageft* functions also
support Type 1 fonts.
As far as I can see some basic features could already be implemented, but I
don't know how imagepstext()'s anti-aliasing, font slanting, text tightness,
and space differ from ft2-equivalents, if any, or how to provide them in the
wrappers.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
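An added example, not part of the thread and not PHP's or Debian's code: a small Python scanner that locates calls to the seven t1lib-backed functions listed in the message above, so affected PHP code can be found before a gd build without t1lib is deployed. The sample source and its font path are constructed, and heredoc strings are not handled.

```python
import re

# The seven gd functions the message above lists as requiring t1lib.
T1LIB_FUNCS = ("imagepsloadfont", "imagepsfreefont", "imagepsencodefont",
               "imagepsextendfont", "imagepsslantfont", "imagepstext",
               "imagepsbbox")

# Comments and string literals are blanked first, so a mention inside a
# comment or a string is not reported as a call.
_SKIP = re.compile(
    r"""/\*.*?\*/            # block comment
      | //[^\n]*             # line comment
      | \#[^\n]*             # shell-style comment
      | '(?:\\.|[^'\\])*'    # single-quoted string
      | "(?:\\.|[^"\\])*"    # double-quoted string
    """, re.S | re.X)

# PHP function names are case-insensitive; ->method(), Class::method() and $var() are skipped.
_CALL = re.compile(r"(?<![\w$>:])(" + "|".join(T1LIB_FUNCS) + r")\s*\(", re.I)

def _blank(match):
    # Replace everything except newlines so reported line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_t1lib_calls(php_source):
    """Return (line_number, function_name) pairs, in source order."""
    code = _SKIP.sub(_blank, php_source)
    hits = []
    for m in _CALL.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1).lower()))
    return hits

# Constructed sample input, for illustration only.
SAMPLE = '''<?php
// imagepstext() used to live here
$font = imagepsloadfont("/fonts/example.pfb");   # constructed path
$note = "call imagepsbbox() later";
ImagePSText($im, "hi", $font, 12, $fg, $bg, 10, 20);
$obj->imagepstext();
imagefttext($im, 12, 0, 10, 20, $fg, $ttf, "hi");
imagepsfreefont($font);
'''

if __name__ == "__main__":
    for line, name in find_t1lib_calls(SAMPLE):
        print(f"line {line}: {name}() requires t1lib")
```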
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#637040; Package release.debian.org.
(Tue, 31 Jan 2012 12:54:03 GMT).
Acknowledgement sent
to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Tue, 31 Jan 2012 12:54:03 GMT).
Message #29 received at 637040@bugs.debian.org:
We will be unable to drop t1lib unless we break the existing API (which we
could do, but users will be sad...)
On Tue, Jan 31, 2012 at 13:39, Pierre Joye <pierre.php@gmail.com> wrote:
> hi,
>
> It is easy to emulate the function, not the rendering. Even in the
> various ft2 versions and options, the rendering can differ.
>
> I was planning to drop t1lib in php-next, but not 5.4 (too late and no
> BC break allowed, API-wise), but that's something good for the next
> php major version.
>
On Mon, Aug 22, 2011 at 08:17, Raphael Geissert <geissert@debian.org> wrote:
> tag 638755 - patch
> tag 638755 moreinfo
> thanks
>
> Hi,
>
> On Sunday 21 August 2011 11:01:44 Michael Gilbert wrote:
>> package: php5
>> version: 5.3.7-1
>> severity: important
>> tag: patch
>>
>> t1lib is slated to be removed (in favor of freetype) before wheezy ships
>> [0],[1]. This package is currently one of its reverse dependencies.
>>
>> Attached is a patch that disables t1lib in the build process.
>
> It disables t1lib along with some functions, so no, that's not a patch that
> we'd use.
>
> For context, the following are the PHP functions that require t1lib:
>
> imagepsloadfont
> imagepsfreefont
> imagepsencodefont
> imagepsextendfont
> imagepsslantfont
> imagepstext
> imagepsbbox
>
> I'm not sure what it would take to make those functions compatibility wrappers
> around ft2-based functions.
>
> @Pierre: as upstream maintainer, what's your opinion on making this change
> upstream? (possibly for 5.4?)
> The primary reason for this change is stated at http://bugs.debian.org/637040
>
> At least the phpdoc needs to be more explicit that the imageft* functions also
> support Type 1 fonts.
>
> As far as I can see some basic features could already be implemented, but I
> don't know how imagepstext()'s anti-aliasing, font slanting, text tightness,
> and space differ from ft2-equivalents, if any, or how to provide them in the
> wrappers.
>
> Cheers,
> --
> Raphael Geissert - Debian Developer
> www.debian.org - get.debian.net
--
Ondřej Surý <ondrej@sury.org>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#637040; Package release.debian.org.
(Fri, 06 Apr 2012 21:00:02 GMT).
Acknowledgement sent
to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Fri, 06 Apr 2012 21:00:02 GMT).
Message #34 received at 637040@bugs.debian.org:
2012/1/31 Ondřej Surý
> We will be unable to drop t1lib unless we break the existing API (which we
> could do, but users will be sad...)
>
Which aspect of the API necessarily would need to break? Raphael had
indicated that it may be possible to rewrite some of the function wrappers.
Theoretically one could try to preserve those API calls even though the
internals may change.
Best wishes,
Mike
Reply sent
to Niels Thykier <niels@thykier.net>:
You have taken responsibility.
(Tue, 15 Apr 2014 18:27:06 GMT).
Notification sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Tue, 15 Apr 2014 18:27:06 GMT).
Message #41 received at 637040-done@bugs.debian.org:
On 2011-08-08 02:36, Michael Gilbert wrote:
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: rm
> Severity: normal
>
> Hi,
>
> t1lib has a significant set of security vulnerabilities [0] and there
> is no sign of them ever getting fixed with upstream missing in action
> for over three years now. Because of these issues, xpdf for example
> has dropped support for it in favor of freetype2 [1]. poppler did
> this a long time ago as well.
>
> There are a few reverse dependencies, which could also be updated to
> use freetype instead. These include:
>
> php5 (php5-gd binary package)
> xdvik-ja
> vflib3
> matita
> libimager-perl
> lablgtkmathview
> grace
> evince (libevince3 binary package)
> dvipng
>
> I would recommend removing t1lib from the archive. If the release
> team concurs with this, I will file serious bugs against the
> reverse dependencies.
>
> Once that's done and everyone is in concurrence, I'll send a
> message to the ftp masters for removal.
>
> Best wishes,
> Mike
>
> [0] http://security-tracker.debian.org/tracker/source-package/t1lib
> [1] http://www.foolabs.com/xpdf/download.html
>
>
>
As stated in #742793, we have added a removal hint for t1lib.
Accordingly, I am closing this bug.
~Niels
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 14 May 2014 07:29:40 GMT).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 2 01:45:03 2023;