[tex-k] [rhn-admin@rhn.redhat.com: RHN Errata Alert: Command execution vulnerability in dvips]

Stefan Ulrich stefan.ulrich@dsl.pipex.com
Sat, 2 Nov 2002 11:32:42 +0000

If I may bail in on the `political' issue ... ;-)

Reinhard Kotucha <reinhard@kammer.uni-hannover.de> writes:

> But what I'm more concerned about is that RedHat distributes a dvips
> that behaves differently than that on other systems.

Which is of course perfectly legitimate, since dvips is free
software ... FWIW, they did the same with xdvik (by adding the
`japanese' extensions). And `we', i.e. the tex-k project, do the
same with the `non-k' programs (the `xdvi' in teTeX is really
`xdvik'). They all behave differently from the non-kpathsea
versions, and the maintainers are not always the same. Having to
rename all these binaries would be a major hassle for all parties
involved, users as well as developers.  (Just imagine all users
having to learn the different names, and the newsgroup traffic
this would generate ...)

> There is absolutely no reason to make any changes to dvips, it is
> absolutely sufficient to send a bug report.

Granted, there should be better communication between the
distributors and the `upstream' developers.  Currently, in the
case of these major Linux distributors, we seem to have the
situation that the developers need to track the changes made by
the distributors. However ...

> In my opinion, the best way to go is to put dvips under the LPPL.
> Then dvips would be dvips and RedHat has to distribute it under
> another name, i.e. "dvips_broken_by_RedHat".

... I don't think that putting more obstacles into the way, like
a more restrictive license, would improve the situation.  The
LPPL only allows for a `cathedral'-style development, which might
not be the best model to begin with. Personally I think that
competition in the `marketplace' is a good thing; in the case at
hand it did serve to make us aware of the problems still lurking
in dvips.

(Also remember that RedHat, if they wished so, could always
continue to work on a forked version, based on previous code
that had been distributed under the original PD/GPL license).