Comment 48 for bug 711061

Michael Terry (mterry) wrote : Re: [MIR] openjpeg

Albert, I get what you're saying. But there's a big difference between Ubuntu putting a library in main and a PDF library embedding a copy of that library.

If we put a library in main, it means other packages may start depending on it (and ones that already do can enter main easier). And app developers may depend on it more, since we are promising to officially support it.

Whereas an embedded copy inside a PDF library inherently has a smaller security surface. It's only used for a certain purpose. While PDFs are certainly widely used, they are less widely used than images.

Although, the fact that poppler is shipping copies of unmaintained code is not great either. And we probably shouldn't be enabling poppler's jpeg2000 support if poppler upstream isn't even maintaining its own copy well. That's just sneaking a burden onto the security team.

The security team is already on the hook for one jpeg2000 parser in main (jasper). It's used by gimp, libraw, and gegl (among some other consumers in universe). While jasper's certainly a dead library, the other jpeg2000 options don't seem much better either. Jasper doesn't seem to have ever had a MIR, so it must be grandfathered in from early days.

Given the security team's NAK for openjpeg, the best way forward for jpeg2000 support in poppler would be to port poppler to jasper. That wouldn't need a MIR and would reduce our existing security surface.

I know it's been said in this MIR that jasper is missing some features (or can't handle some images that openjpeg can), which is a bummer, agreed.