Remove muPDF and switch xpdf for better security

Remove muPDF and switch xpdf:

  • It has better usability like finding page number , showing scrolling bar , opening file from within the pdf…etc
  • It has default firejail sandboxing profiles which can be even viewed using firetools
  • mupdf has multiple security issues found inside it.

Note: xpdf is DE free and doesnt depend on particular one.

1 Like

Xpdf has had plenty of security vulnerabilities too. Mupdf also has a firejail profile. There is even a seccomp patch it can be used with.

I don’t see why it should be switched.

1 Like

Too old , not happened as a package in debian. (according to the package history)

Not intigrated with firetools.

usability sucks as i said before.

1 Like

muPDF unfixed security issue in Debian buster.

sounds pretty bad.

Therefore replacement is needed.

//cc @HulaHoop

Just remove the pdf reader for now. There is no rush to find a replacement for installation by default. Giving this time to look at various alternatives and entertain suggestion/discussion.

The other alternative is something that uses poppler as backend. qpdfview is the best UI and feature choice also opens DjVu and postscript formats. Doesn’t pull in a bunch DE specific deps.

1 Like

ITA: Someone intends to adopt this package. normal

Which then stalled. qpdfview package is currently orphaned, not maintained by any Debian maintainer.

Not sure we should make this a factor or keep ignoring`package-name` as we do for most packages. If that was to be applied consistently it might reveal a huge mess of actually non-maintained or less than ideally-maintained packages. Might not be manageable to follow these. An option would be to ignore this, hope, and wait for Debian to take action. Or we could apply looking at when considering new packages for installation by default only.

I see then xpdf is the next best option.