Try poppler's pdftoppm before imagemagick's convert (pdf to png) #47
Comments
I don't recommend that, really. If you'd like to link me to a discussion of why you shouldn't remove it, I'd be happy to include it in the FAQ as well.
'convert' is indeed used only in restore. This would remove the dependency on 'convert' but not on 'imagemagick' so I'll change the title accordingly. (zbar and python-pillow both use imagemagick) If you want to patch zbar, I'd encourage you. It's a bit past me, and the maintainer is really only keeping the video4linux drivers up to date as best I can tell.
Sorry, lacking context a bit here, recommend what?
I'm not sure I have that on hand exactly. But there are actual security advisories where the fix was to do exactly the thing you hint at removing. If you want I can find that, but it's pretty formal "there was a vuln and this is the patch" kind of thing...
Awesome, glad to hear that! :)
Okay, that's interesting, actually. I had noticed the "magick" references in the zbar source code, and this is a concern for me. But at least it's not a direct dependence of your project. In theory, zbar and pillow could both be fixed to reimplement things natively or with other libraries. And they have their own ways of dealing with security issues (or not)...
yeah, I'm not sure I want to go there either, especially since upstream doesn't seem that responsive towards your relatively simple patch. :)
And how about toning down that message? Would you accept a PR for that? :)
I think you're confusing me with someone's opinion in the stackoverflow discussion I link to. I have my personal opinions, they're not informed enough for me to promote them as recommendations.
zbar has been responsive to my patches in the past, I'm not sure why that particular one got ignored. I like the message how it is. I think failing to check restore actually is a serious failure. If you think I could make it clearer on the other hand, feel free to suggest something.
i'm specifically referring to this wording in the FAQ: Lines 243 to 247 in 5972066
maybe it's too much of a stretch to say you "recommend" it, let's just call it even and say you refer to this procedure as a workaround. :) at least the wording of the error message strongly indicates this problem should be fixed somewhat.
OK, looks like the biggest problem with poppler would be platform-compatibility (largely linux-only atm). So we wouldn't remove imagemagick as an option, just try poppler first.
I frankly don't care much about other platforms, personally.. there's typically a way to do things there, either with Windows Linux Subsystem or MacOS homebrew... That said, it looks like poppler does have "unofficial CI" for Mac and Windows here: https://poppler.freedesktop.org/#ci so i bet it's installable there...
but yeah that works too.
oh, just realized another thing... some apps have started migrating away from poppler towards mupdf, e.g. i was about to suggest using mupdf instead, remembering dealing with poppler security issues in the past, but after browsing those two pages: https://www.cvedetails.com/product/24992/Freedesktop-Poppler.html?vendor_id=7971 https://www.cvedetails.com/product/20840/Artifex-Mupdf.html?vendor_id=10846 .... I can't say I recommend either of those, security wise. but yeah, i just found out that mupdf also ships a
In the FAQ you recommend disabling the security measures in place in Debian and Ubuntu that keep ImageMagick from generating PDFs.
As someone who has worked with the Debian LTS security team, I can tell you those measures should not be removed. ImageMagick is an infested nest of security issues, and those measures are there because we could not find a reasonable way to fix all of those issues while keeping the software inside Debian.
I would recommend removing the 'convert' dependency. I haven't looked in details, but it looks like it's only used on restore, to convert the PDF into a raster format zbar can parse. That can be done with something else! Alternatives include poppler (used by dangerzone) or GraphicsMagick, although the latter has similar problems... poppler also has a pypi wrapper, although that's not packaged in Debian...
i also noticed mchehab/zbar#227 which tries to improve zbar to be able to parse PDFs itself properly, but that also seems similarly error-prone... poppler could probably be used by zbar instead!
anyways, at least make that warning look a little less scary:
... at first glance I thought the thing didn't work at all!
thanks for this really interesting software!
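As an added illustration of the approach in the issue body and of the plan to try poppler first and keep imagemagick only as a fallback (example code, not this project's own; the function names are mine and the policy XML is a constructed sample modelled on the Debian/Ubuntu policy that disables the PDF coder): restore-side rasterisation can prefer pdftoppm and only reach for convert when it is absent, which leaves the distribution's policy.xml untouched.

```python
import shutil
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a Debian/Ubuntu-style ImageMagick policy.xml that denies
# the PDF coder; this is what the FAQ workaround would have users remove.
SAMPLE_DEBIAN_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""


def pdf_blocked_by_policy(policy_xml):
    """Return True if an ImageMagick policy denies all rights for the PDF coder.

    Patterns may be a single coder ("PDF") or a brace group ("{PS,PDF,XPS}").
    """
    root = ET.fromstring(policy_xml)
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        coders = pol.get("pattern", "").strip("{}").upper().split(",")
        if "PDF" in (c.strip() for c in coders):
            return True
    return False


def build_rasterize_cmd(pdf, out_prefix, dpi=300, have=shutil.which):
    """Build the command that renders page 1 of `pdf` to <out_prefix>.png.

    poppler's pdftoppm is preferred; ImageMagick's convert is used only when
    pdftoppm is not installed. `have` is injectable so the choice is testable
    without either tool present.
    """
    if have("pdftoppm"):
        # -singlefile writes out_prefix.png instead of numbering pages
        return ["pdftoppm", "-png", "-r", str(dpi), "-f", "1", "-l", "1",
                "-singlefile", pdf, out_prefix]
    if have("convert"):
        # Needs the PDF coder enabled in policy.xml, which Debian denies by default
        return ["convert", "-density", str(dpi), f"{pdf}[0]", f"{out_prefix}.png"]
    raise RuntimeError("neither pdftoppm (poppler-utils) nor convert (imagemagick) found")


def rasterize_first_page(pdf, out_prefix, dpi=300):
    """Run the selected tool and return the path of the PNG it produced."""
    subprocess.run(build_rasterize_cmd(pdf, out_prefix, dpi), check=True)
    return Path(f"{out_prefix}.png")
```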