Comment 46 for bug 711061

Other point of view is, poppler uses its own JPEG2000 parser if openjpeg is not present.

That parser is probably worse security wise than the openjpeg one and the poppler developers just keep it for compatibility, but won't refuse to spend time on it when there's maintained code out there that implements JPEG2000 parsing better.

So maybe by makig openjpeg not go to main you're exposing your users to an even bigger threat