[XeTeX] How to manually create the xelatex.fmt?

Peter Dyballa Peter_Dyballa at Web.DE
Fri Oct 21 16:09:00 CEST 2011


On 21.10.2011 at 01:42, Chris Travers wrote:

> At the time a large portion of the industry was writing software
> statically linked against zlib

I think it wasn't zlib, it was versions of zlib, presumably dozens.

> 
> If TexLive had been around in 2002 and was statically linking to zlib,
> it would have been affected too.

Again: what is the effort or danger of overwriting 50 MB of non-system files? In TeX Live we had even larger updates of its infrastructure (there was a famous bug in pdfTeX).

> 
> Similarly, arbitrary code execution vulnerabilities have been found in
> 2005 in libjpeg (also linked to by LaTeX and XeTeX).  Again these
> predate TexLive.

And they can only be exploited in old Linux systems with executable stacks and without role-based access control. I wouldn't care for such half-baked "vulnerabilities". I'd classify them as marketing talk.

> 
> So my answer is that TexLive binaries, distributed as they currently
> are, are simply too young to have hit the major cases of these
> problems so far.

If my old memory serves me well, then I must have met my first TeX binaries and libraries 25 (?) years ago. Too late?

> However, the library dependencies are anything but
> trivial-- ldd gives me 17 libraries that xetex is linked against and
> 15 that latex is linked against.  It seems for those of us with a
> longer memory, extensive static linking is asking for trouble....

Therefore you should go pro and use TeX Live with its statically linked binaries! Absolutely no trouble with 15 or 17 shared libraries the system might find somewhere or somewhere else (where it has been substituted with a carefully crafted one) or not at all.

--
Greetings

  Pete

"Debugging? Klingons do not debug! Our software does not coddle the weak."



