Remove muPDF and switch to xpdf for better security

Remove muPDF and switch to xpdf:

  • It has better usability, like finding page number, showing scrolling bar, opening file from within the pdf, etc.
  • It has default firejail sandboxing profiles, which can even be viewed using firetools
  • mupdf has multiple security issues found inside it.

Note: xpdf is DE-free and doesn't depend on a particular one.

1 Like

Xpdf has had plenty of security vulnerabilities too. Mupdf also has a firejail profile. There is even a seccomp patch it can be used with.

I don’t see why it should be switched.

1 Like

Too old, not happened as a package in Debian. (according to the package history)

Not integrated with firetools.

Usability sucks, as I said before.

1 Like

muPDF unfixed security issue in Debian buster.

https://security-tracker.debian.org/tracker/CVE-2019-13290

Sounds pretty bad.

Therefore replacement is needed.

//cc @HulaHoop

Just remove the pdf reader for now. There is no rush to find a replacement for installation by default. This gives time to look at various alternatives and entertain suggestions/discussion.

The other alternative is something that uses poppler as backend. qpdfview is the best UI and feature choice; it also opens DjVu and PostScript formats. Doesn't pull in a bunch of DE-specific deps.

1 Like

ITA: Someone intends to adopt this package. normal

Which then stalled. qpdfview package is currently orphaned, not maintained by any Debian maintainer.

Not sure we should make this a factor or keep ignoring https://tracker.debian.org/pkg/`package-name` as we do for most packages. If that was to be applied consistently it might reveal a huge mess of actually non-maintained or less than ideally-maintained packages. Might not be manageable to follow these. An option would be to ignore this, hope, and wait for Debian to take action. Or we could apply looking at tracker.debian.org when considering new packages for installation by default only.

I see then xpdf is the next best option.

2 Likes