[tex-k] [email@example.com: RHN Errata Alert: Command execution vulnerability in dvips]
Sat, 2 Nov 2002 11:32:42 +0000
If I may barge in on the `political' issue ... ;-)
Reinhard Kotucha <firstname.lastname@example.org> writes:
> But what I'm more concerned about is that RedHat distributes a dvips
> that behaves differently than that on other systems.
Which is of course perfectly legitimate, since dvips is free
software ... FWIW, they did the same with xdvik (by adding the
`japanese' extensions). And `we', i.e. the tex-k project, do the
same with the `non-k' programs (the `xdvi' in teTeX is really
`xdvik'). They all behave differently from the non-kpathsea
versions, and the maintainers are not always the same. Having to
rename all these binaries would be a major hassle for all parties
involved, users as well as developers. (Just imagine all users
having to learn the different names, and the newsgroup traffic
this would generate ...)
> There is absolutely no reason to make any changes to dvips, it is
> absolutely sufficient to send a bug report.
Granted, there should be better communication between the
distributors and the `upstream' developers. Currently, in the
case of these major Linux distributors, we seem to have the
situation that the developers need to track the changes made by
the distributors. However ...
> In my opinion, the best way to go is to put dvips under the LPPL.
> Then dvips would be dvips and RedHat has to distribute it under
> another name, i.e. "dvips_broken_by_RedHat".
... I don't think that putting more obstacles into the way, like
a more restrictive license, would improve the situation. The
LPPL only allows for a `cathedral'-style development, which might
not be the best model to begin with. Personally I think that
competition in the `marketplace' is a good thing; in the case at
hand it did serve to make us aware of the problems still lurking.
(Also remember that RedHat, if they so wished, could always
continue to work on a forked version, based on previous code
that had been distributed under the original PD/GPL license.)