Request for package CUPS-PDF, please put the "cups-pdf" into Factory's official repository. (was: [opensuse-factory] Request for package the "etckeeper", please put the "etckeeper" into Factory's official repository .)
Hi all.
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS.
Official site: http://www.cups-pdf.de/
When you want to make PDF files, we can get them easily by specifying
printer to CUPS-PDF.
Moreover, CUPS-PDF is useful for trouble shooting, when we have
troubles on real printing.
CUPS-PDF is already packaged in Debian, Ubuntu and Fedora.
And their official repository have "cups-pdf".
The "cups-pdf" is already contained in the Printing repository.
http://software.opensuse.org/package/cups-pdf?search_term=cups-pdf
https://build.opensuse.org/package/show?project=Printing&package=cups-pdf
I request role of "bug owner".
https://build.opensuse.org/request/show/238120
I created submit request to Factory.
https://build.opensuse.org/request/show/238121
--
1xx
1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
Uh, it runs as root and writes into directories owned by some user? Better ask security to take a look. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
2014-06-20 16:15 GMT+09:00 Ludwig Nussel
1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
Uh, it runs as root and writes into directories owned by some user?
Sure, CUPS-PDF accepts the demands from users, and runs as root. We need to be careful.
Better ask security to take a look.
What should I do? Should it contact to opensuse-security ML? I wrote:
I request role of "bug owner". https://build.opensuse.org/request/show/238120
It was declined.
--
1xx
1xx wrote:
2014-06-20 16:15 GMT+09:00 Ludwig Nussel
: 1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
Uh, it runs as root and writes into directories owned by some user?
Sure, CUPS-PDF accepts the demands from users, and runs as root. We need to be careful.
Better ask security to take a look.
What should I do? Should it contact to opensuse-security ML?
For example, yes.
I wrote:
I request role of "bug owner". https://build.opensuse.org/request/show/238120
It was declined.
Sounds confused to me. The bugowner role doesn't gain you much anyways though. You may want head for the maintainer role instead. For that I guess you have to prove you are qualified with good submissions first. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello, Am Freitag, 20. Juni 2014 schrieb Ludwig Nussel:
1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
Uh, it runs as root and writes into directories owned by some user? Better ask security to take a look.
Does it at least write to a "hardcoded" location (for example ~/cupspdf) in the user's home directory? If yes, shipping it with an AppArmor profile would be a good idea. (If needed, I can help you to fine-tune the profile, however I'm too busy at the moment. I'll have more time in July - at least I hope so ;-) Even if the output directory is user-configurable, having an AppArmor profile could help to avoid access to security-critical files - but of course a restriction like "only allow write access in ~/cupspdf" is much more secure. Regards, Christian Boltz -- Linux - und dein PC macht nie wieder blau. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
2014-06-20 20:50 GMT+09:00 Christian Boltz
Am Freitag, 20. Juni 2014 schrieb Ludwig Nussel:
1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
Uh, it runs as root and writes into directories owned by some user? Better ask security to take a look.
Does it at least write to a "hardcoded" location (for example ~/cupspdf) in the user's home directory?
If yes, shipping it with an AppArmor profile would be a good idea. (If needed, I can help you to fine-tune the profile, however I'm too busy at the moment. I'll have more time in July - at least I hope so ;-)
Even if the output directory is user-configurable, having an AppArmor profile could help to avoid access to security-critical files - but of course a restriction like "only allow write access in ~/cupspdf" is much more secure.
By default, CUPS-PDF outputs to /var/spool/cups-pdf/.
mitsutoshi@linux-3br4:/var/spool/cups-pdf> LANG=C ls -la
total 16
drwxr-xr-x 4 root root 4096 Jun 15 15:15 .
drwxr-xr-x 15 root root 4096 Jun 15 15:09 ..
drwxr-x--x 2 root lp 4096 Jun 15 15:15 SPOOL
drwx------ 2 mitsutoshi users 4096 Jun 15 15:15 mitsutoshi
We can customize it in "/etc/cups/cups-pdf.conf".
Ubuntu customizes it to "{$HOME}/PDF".
Fedora customizes it to "{$DESKTOP}".
The openSUSE's "Printing/cups-pdf" uses default.
I think that "maintenance of the status quo" is desirable.
Because many users have already used "Printing/cups-pdf".
Thanks.
--
1xx
On 20 June 2014 14:07, 1xx
By default, CUPS-PDF outputs to /var/spool/cups-pdf/. ... Ubuntu customizes it to "{$HOME}/PDF". Fedora customizes it to "{$DESKTOP}".
The openSUSE's "Printing/cups-pdf" uses default. I think that "maintenance of the status quo" is desirable. Because many users have already used "Printing/cups-pdf".
Using /var/spool/cups-pdf is *very* un-discoverable to the average new user and shouldn't be used. Using the name "CUPS" in anything should also be discouraged as the average user doesn't know what that is (nor should they ever need to learn). Placing it somewhere in their home directory is not only more obvious but also probably more secure. I'd suggest not to use $Desktop though as modern KDE doesn't show desktop icons by default, so something like {$HOME}/PDF or "{$HOME}/Documents/PDF Printer" makes most sense to me. John. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, 20 Jun 2014 16:49, John Layt
On 20 June 2014 14:07, 1xx
wrote: By default, CUPS-PDF outputs to /var/spool/cups-pdf/. ... Ubuntu customizes it to "{$HOME}/PDF". Fedora customizes it to "{$DESKTOP}".
The openSUSE's "Printing/cups-pdf" uses default. I think that "maintenance of the status quo" is desirable. Because many users have already used "Printing/cups-pdf".
Using /var/spool/cups-pdf is *very* un-discoverable to the average new user and shouldn't be used. Using the name "CUPS" in anything should also be discouraged as the average user doesn't know what that is (nor should they ever need to learn). Placing it somewhere in their home directory is not only more obvious but also probably more secure. I'd suggest not to use $Desktop though as modern KDE doesn't show desktop icons by default, so something like {$HOME}/PDF or "{$HOME}/Documents/PDF Printer" makes most sense to me.
From the security aspect, either create a 'run-as-user' wrapper and allow writing in $HOME (I'd prefer a subdir, like {$HOME}/PDF or "{$HOME}/Documents/PDF_Printer") or, let it run as root, and use /var/spool/cups-pdf/$USER/ with a link created in $HOME, see preferred names above, pointing there.
- Yamaban. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
2014-06-21 0:04 GMT+09:00 Yamaban
On Fri, 20 Jun 2014 16:49, John Layt
wrote: On 20 June 2014 14:07, 1xx
wrote:
Ubuntu customizes it to "{$HOME}/PDF". Fedora customizes it to "{$DESKTOP}".
Using /var/spool/cups-pdf is *very* un-discoverable to the average new user and shouldn't be used. Using the name "CUPS" in anything should also be discouraged as the average user doesn't know what that is (nor should they ever need to learn). Placing it somewhere in their home directory is not only more obvious but also probably more secure. I'd suggest not to use $Desktop though as modern KDE doesn't show desktop icons by default, so something like {$HOME}/PDF or "{$HOME}/Documents/PDF Printer" makes most sense to me.
From the security aspect, either create a 'run-as-user' wrapper and allow writing in $HOME (I'd prefer a subdir, like {$HOME}/PDF or "{$HOME}/Documents/PDF_Printer") or, let it run as root, and use /var/spool/cups-pdf/$USER/ with a link created in $HOME, see preferred names above, pointing there.
Although it swerves from a subject for discussion,
Xdg user directories (Desktop, Documents...) are un-userfriendly.
https://wiki.archlinux.org/index.php/Xdg_user_directories
I think that us-ascii users hardly feels a problem.
But, the other characters cannot be displayed by console.
At CJK, we cannot input characters by console.
Therefore, we can not even cd to Xdg user directories.
By GUI, when IME breaks down, we can not cd to them too.
Then, in Japan, many people changed to English directories.
http://lists.opensuse.org/archive/opensuse-ja/2013-02/msg00013.html
Therefore, I am opposed to the proposal
which makes files or directories to Xdg user directories.
I like $HOME/PDF.
--
1xx
2014-06-20 20:50 GMT+09:00 Christian Boltz
Am Freitag, 20. Juni 2014 schrieb Ludwig Nussel:
1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
Uh, it runs as root and writes into directories owned by some user? Better ask security to take a look.
Does it at least write to a "hardcoded" location (for example ~/cupspdf) in the user's home directory?
If yes, shipping it with an AppArmor profile would be a good idea. (If needed, I can help you to fine-tune the profile, however I'm too busy at the moment. I'll have more time in July - at least I hope so ;-)
Even if the output directory is user-configurable, having an AppArmor profile could help to avoid access to security-critical files - but of course a restriction like "only allow write access in ~/cupspdf" is much more secure.
I wrote a mail to opensuse-security ML. http://lists.opensuse.org/opensuse-security/2014-06/msg00017.html Johannes gave the reply.
Do the necessary changes to get the resulting PDF delivered to the users home directory. With that writing a AppArmor policy should be straight forward. If you provide a policy I'll review it.
Christian, May I request you about AppArmor?
I read /etc/apparmor/* and /etc/apparmor.d/*,
and I am studying about AppArmor now.
But It is difficult for me.
If you have an opinion, please say it. >all
http://lists.opensuse.org/opensuse-factory/2014-06/msg00169.html
Thanks.
--
1xx
Hello, On Jun 23 18:19 1xx wrote (excerpt):
I wrote a mail to opensuse-security ML. http://lists.opensuse.org/opensuse-security/2014-06/msg00017.html
Johannes gave the reply.
Do the necessary changes to get the resulting PDF delivered to the users home directory. With that writing a AppArmor policy should be straight forward. If you provide a policy I'll review it.
That "Johannes" was not me. Who was it? I don't see a reply on http://lists.opensuse.org/opensuse-security/2014-06/msg00017.html Regardless who wrote what: Mitsutoshi Nakano, I appreciate very much that you work on cups-pdf. Please continue your work - or alternatively focus on boomaga. Regarding cups-pdf there is also https://features.opensuse.org/312322 In the end openSUSE should provide a single consistent solution for the general "make a PDF file" issue. Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
2014-06-23 18:56 GMT+09:00 Johannes Meixner
On Jun 23 18:19 1xx wrote (excerpt):
I wrote a mail to opensuse-security ML. http://lists.opensuse.org/opensuse-security/2014-06/msg00017.html
Johannes gave the reply.
Do the necessary changes to get the resulting PDF delivered to the users home directory. With that writing a AppArmor policy should be straight forward. If you provide a policy I'll review it.
That "Johannes" was not me. Who was it? I don't see a reply on http://lists.opensuse.org/opensuse-security/2014-06/msg00017.html
Regardless who wrote what:
Johannes Segitz
2014-06-23 19:21 GMT+09:00 1xx
2014-06-23 18:56 GMT+09:00 Johannes Meixner
: On Jun 23 18:19 1xx wrote (excerpt):
Johannes gave the reply.
Do the necessary changes to get the resulting PDF delivered to the users home directory. With that writing a AppArmor policy should be straight forward. If you provide a policy I'll review it.
That "Johannes" was not me. Who was it? I don't see a reply on http://lists.opensuse.org/opensuse-security/2014-06/msg00017.html
Regardless who wrote what:
Johannes Segitz
said it. It is a whole sentence.
I noticed now, its mail was delivered only to me. I apologize for having shown inaccurate URL.
About cups-pdf, I will write later.
--
1xx
2014-06-23 19:21 GMT+09:00 1xx
About cups-pdf, I will write later.
The needs to print on a virtual printer exists.
I thought that Boomaga substituted for "CUPS-PDF",
but Ludwig said that Boomaga have problems.
http://lists.opensuse.org/archive/opensuse-factory/2014-06/msg00178.html
Fedora, Debian, and Ubuntu have CUPS-PDF in their official repositories.
I felt regrettable that openSUSE does not have it.
But, printing systems need root,
and they they work by the demands of the users.
It is dangerous.
We must be carefull.
Because there are security risks,
the opinion that we should put it only in "Printing" repository is true,
and the opinion that we use it at own risk is true too.
The openSUSE's "1 click install" is very handy,
but users have a risk that
they remain subscribed to an unnecessary repository (ex. "Printing")
and they make systems unstable.
If I say exaggeratedly,
I think that all packages have security risks.
This is a problem of the policy about the official repository.
What should the official repository provide?
What should not the official repository provide?
We should not put a dangerous package to the official repository.
Even the official repository is a self-responsibility.
By the way,
how do the others distributions (ex. Debian) think its risk?
1. I should continue that CUPS-PDF in our official repository.
2. I should give up it.
I choose 1, but I am still troubled.
If you have an opinion, please say it.
--
1xx
Hello, On Jun 24 15:36 1xx wrote (excerpt):
The needs to print on a virtual printer exists.
Why? What should "a virtual printer" actually mean for the user? What final user's goal is solved by "a virtual printer"? I mean this questions very seriously, see "Background Information regarding Print as PDF versus Save as PDF" at http://en.opensuse.org/SDB:Printing_to_PDF and in https://features.opensuse.org/312322 (excerpt): ------------------------------------------------------------------ Johannes Meixner wrote: (3 years ago) ... Regarding making a PDF file from applications or from the desktop: ... If this is the acutal reason for this feature request, please file either bug reports or feature requests for the particular applications or desktops which can no longer make PDFs. ... Tim Edwards wrote: (3 years ago) As Johannes Meixner pointed out most apps already have this functionality without requiring going down the hacky route of having a CUPS pdf 'printer' setup. It just looks complicated (and therefore buggy) and exposes the system to all sorts of potential security issues, Opensuse should ship as secure as is reasonable for a desktop system. ------------------------------------------------------------------ For me a printer is a piece of hardware that produces a printout and for me a printout is a piece of printed paper. I only need a printer when my final goal is to have a piece of printed paper. Personally I don't have a use case for "a virtual printer".
But, printing systems need root,
Not in general. Only the cupsd runs as root to do things that need root privileges. Filters and backends (see http://en.opensuse.org/SDB:CUPS_in_a_Nutshell) are usually run by the cupsd as user lp (switch user is one of the things why cupsd needs root privileges), see "man 7 backend": ------------------------------------------------------------------------ PERMISSIONS Backends without world execute permissions are run as the root user. Otherwise, the backend is run using the unprivileged user account, typically "lp". ------------------------------------------------------------------------ Regarding let a CUPS backend write its output into a file in a user's home directory: The user lp is not allowed to write into a user's home directory. The user root has unlimited permissions so that root can do everything but that does notably not mean that root is allowed to do everything. In particular root cannot protect himself from himself (only complicated kernel stuff like AppArmor can be used to cage root): --------------------------------------------------------------------- # id uid=0(root) gid=0(root) groups=0(root) # touch testy # chmod a-rw testy # ls -l testy ---------- 1 root root 0 Jun 24 09:54 testy # echo hello >>testy # ls -l testy ---------- 1 root root 6 Jun 24 09:55 testy # cat testy hello --------------------------------------------------------------------- Therefore unlimited permissions mean that root must be much more careful than a normal user not to do things that should not be done because there is no permission check that could protect root from doing something wrong. I think that root is not allowed to write into a user's home directory. I think only the user himself is allowed to write into his own home directory. Perhaps this way it might be allowed that a CUPS backend writes its output into a file in a user's home directory: When the CUPS backend runs as root it could switch user to the user/owner of a particular home directory and then write into that home directory as its owner. This way at least the user's own permission settings would apply when the CUPS backend writes as the user in his home directory. I am not at all a security expert so that I cannot decide if this way is really sufficiently secure or if it only looks like being secure but actually it isn't (e.g. because usually the user's own permission settings allow everything in his own home directory). Regardless of how it might be finally correctly implemented to write into a file in a user's home directory: I think first and foremost we need to understand and agree what final user's goal is solved by "a virtual printer". Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-06-24 10:53, Johannes Meixner wrote:
Hello,
On Jun 24 15:36 1xx wrote (excerpt):
The needs to print on a virtual printer exists.
Why?
What should "a virtual printer" actually mean for the user?
What final user's goal is solved by "a virtual printer"?
I prefer to print to PDF directly from the application, if possible. However, some applications do not have it, and in this case having a printer that instead creates local postcript or pdf files in a directory is interesting. For instance, I have used this trick to easily capture screenshots from Flash. Another use case is printing in a laptop on the road to a PDF directory; then I copy the PDFs to an usb stick, and take them over to a print shop for a hard copy, because I don't carry my printer on the road.
I mean this questions very seriously,
Well, you see there can be uses :-) As to having a printer to pdf on the desktop, not all desktops have it. For instance, in my XFCE settings dialog, I do see a "printers" module, but it is in fact the KDE print module. And then I could be wanting to print from the CLI, outside of a desktop. Or I could be working remotely on another machine. I could want to print, get the output on a file by default on all apps, and then retrieve those pdf files for actual printing at my real location - not on the default remote paper printer.
Regarding let a CUPS backend write its output into a file in a user's home directory:
The user lp is not allowed to write into a user's home directory.
The user root has unlimited permissions so that root can do everything but that does notably not mean that root is allowed to do everything.
Not on the "gvfsd" directory, which is weird, and makes many old tools bark: Telcontar:~ # lsof pepe lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs Output information may be incomplete. lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /var/run/user/1000/gvfs Output information may be incomplete. Telcontar:~ # - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlOpcnkACgkQtTMYHG2NR9XG1wCfUFy4mVcVejZY8lVjyJcqGWgG n38An31AA++Jb0xyt3LZFvVN7kS+v1O0 =6XZG -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-06-24 14:43, Carlos E. R. wrote:
However, some applications do not have it, and in this case having a printer that instead creates local postcript or pdf files in a directory is interesting.
I forgot to mention: printing all PDFs to a single common directory, owned by some system user (not root) and readable by all, is not in itself always that bad. If I print paper to an office printer, anybody can pick the papers up, if I'm not watching closely. :-} Although it would be better for the files to have the permissions of the user that generated the jobs, be it either at the home directory, or at the spool directory (like mail does). And better if using a different directory per user. An alternative is having the tool email the file to the user: it would automatically get the proper permissions. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlOpdFwACgkQtTMYHG2NR9Vf1wCfe5ft2Sn2b4a6A1GmdioVAI4M qhcAn0YUx/IhXYXLhYs++pJ3yDgTLOjm =325t -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 06/24/2014 08:51 AM, Carlos E. R. wrote:
I forgot to mention: printing all PDFs to a single common directory, owned by some system user (not root) and readable by all, is not in itself always that bad.
The way cups-pdf was set up on my system, only the user (and root) can access the directory. Even in business, some printers are not available to all. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello, On Jun 24 14:43 Carlos E. R. wrote (excerpt):
creates local postcript or pdf files
Your final goal is to get a PostScript or PDF file. In this case see what I wrote at https://features.opensuse.org/312322 (excerpt): ---------------------------------------------------------------------- Johannes Meixner wrote: (3 years ago) ... Regarding making a PDF file from applications or from the desktop: ... If this is the acutal reason for this feature request, please file either bug reports or feature requests for the particular applications or desktops which can no longer make PDFs. ---------------------------------------------------------------------- For "Background Information regarding Print as PDF versus Save as PDF" see http://en.opensuse.org/SDB:Printing_to_PDF Of course as a workaround you can download, install, and use cups-pdf. We have it in the OBS "Printing" repository for that kind of use case. But my question was meant regarding whether or not cups-pdf should now get "officially blessed" by openSUSE as a right solution how openSUSE users should make PDF files. If openSUSE decides that cups-pdf is a right way to make PDF files it is perfectly o.k. for me ( I am not maintainer of cups-pdf ;-) Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
1. I should continue that CUPS-PDF in our official repository. 2. I should give up it.
I prefer 2 to 1 now.
I will write a detailed opinion later.
Because its request is debatable yet,
I postpone the action.
I am going to decide it in 2014-06-27 (+0900).
Thanks all.
--
1xx
On 2014-06-24 15:16, Johannes Meixner wrote:
Hello,
On Jun 24 14:43 Carlos E. R. wrote (excerpt):
creates local postcript or pdf files
Your final goal is to get a PostScript or PDF file.
In this case see what I wrote at https://features.opensuse.org/312322 (excerpt):
I saw it already :-)
---------------------------------------------------------------------- Johannes Meixner wrote: (3 years ago) ... Regarding making a PDF file from applications or from the desktop: ... If this is the acutal reason for this feature request, please file either bug reports or feature requests for the particular applications or desktops which can no longer make PDFs. ----------------------------------------------------------------------
Good luck requesting that of Flash :-p
Of course as a workaround you can download, install, and use cups-pdf. We have it in the OBS "Printing" repository for that kind of use case.
Exactly.
But my question was meant regarding whether or not cups-pdf should now get "officially blessed" by openSUSE as a right solution how openSUSE users should make PDF files.
Not in the official selection, no. I agree with you there. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Thanks Johannes and all.
2014-06-24 17:53 GMT+09:00 Johannes Meixner
On Jun 24 15:36 1xx wrote (excerpt):
What should "a virtual printer" actually mean for the user? What final user's goal is solved by "a virtual printer"?
I think that there are the users whom they want to output for data except the papers by a procedure same as print.
https://features.opensuse.org/312322 (excerpt): ------------------------------------------------------------------ Johannes Meixner wrote: (3 years ago) ... Regarding making a PDF file from applications or from the desktop: ... If this is the acutal reason for this feature request, please file either bug reports or feature requests for the particular applications or desktops which can no longer make PDFs.
We should usually use the application's feature.
... Tim Edwards wrote: (3 years ago) As Johannes Meixner pointed out most apps already have this functionality without requiring going down the hacky route of having a CUPS pdf 'printer' setup. It just looks complicated (and therefore buggy) and exposes the system to all sorts of potential security issues, Opensuse should ship as secure as is reasonable for a desktop system.
I see. CUPS-PDF is surely tricky.
But, printing systems need root,
Not in general.
Only the cupsd runs as root to do things that need root privileges.
Filters and backends (see http://en.opensuse.org/SDB:CUPS_in_a_Nutshell) are usually run by the cupsd as user lp (switch user is one of the things why cupsd needs root privileges), see "man 7 backend": ------------------------------------------------------------------------ PERMISSIONS Backends without world execute permissions are run as the root user. Otherwise, the backend is run using the unprivileged user account, typically "lp". ------------------------------------------------------------------------
I understand it.
I will revoke the request in 2014-06-27 (+0900).
If you want to argue, please say it soon.
If you need CUOS-PDF after it, you should submit the request with a new logic.
--
1xx
Hello, mainly for further information: On Jun 25 19:19 1xx wrote (excerpt):
2014-06-24 17:53 GMT+09:00 Johannes Meixner
: What should "a virtual printer" actually mean for the user? What final user's goal is solved by "a virtual printer"?
I think that there are the users whom they want to output for data except the papers by a procedure same as print.
Of course experienced users can (mis?)-use the printing system to convert any input data format into any output data format and additionally to deliver the output data to any destination (provided there exist programs that actually implement the data conversion and delivery) because the printing system can be arbitrarily enhanced with any filters and backends, see http://en.opensuse.org/SDB:Using_Your_Own_Filters_to_Print_with_CUPS and http://en.opensuse.org/SDB:Using_Your_Own_Backends_to_Print_with_CUPS This way an experienced user could have print queues for his usual mail receivers and "just print" instead of manually sending mails optionally with conversion of the original data into plain text or he could have a print queue to upload content onto a server with conversion of e.g. plain text input into the server's specific data format (e.g. HTML) or whatever else he may like. Accordingly there can be various enhancement packages for the printing system that implement various kind of such special use cases. I think such special use cases are no misuse of the printing system so that there is nothing wrong with such special enhancement packages but I think such special enhancement packages are neither needed nor really helpful in the "officially blessed" set of openSUSE packages. Another possible workaround how to make a PDF: Since the general move from PostScript to PDF as standard print job data format (see http://en.opensuse.org/Concepts_printing) all applications that can print should be able to produce PDF. When applications produce PDF as print job data but provide no "Export/Save as PDF" functionality, as workaround one may have any print queue where printing is disabled so that the application's PDF print job data is kept as print job data file /var/spool/cups/d<job-number>-<file-number> but by default only root and lp can access it - just a litte selfmande backend as workaround on top of the workaround... Note that even when applications produce PDF as print job data, there is still a distinction between "Print" and "Export/Save as PDF", see http://en.opensuse.org/SDB:Landscape_Printing#Again_there_is_a_subtle_distin... Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
2014-06-25 19:19 GMT+09:00 1xx
I will revoke the request in 2014-06-27 (+0900).
I revoked it. https://build.opensuse.org/request/show/238121 Thanks all.
If you need CUOS-PDF after it, you should submit the request with a new logic.
--
1xx
Hello, On Jun 20 09:15 Ludwig Nussel wrote):
1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
Uh, it runs as root and writes into directories owned by some user? Better ask security to take a look.
FYI see http://en.opensuse.org/SDB:Printing_to_PDF In the past cups-pdf was always rejected to be provided "out of the box" in an official release to all our users because its security issues have not been solved. If we would make it by default sufficiently secure so that arbitrary users can "just install" it on arbitrary systems, it would be useless. Of course users who know what they do can download, install, and use it. Kind Regards Johannes Meixner -- SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, 20 Jun 2014 14:26:04 +0900 1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
When you want to make PDF files, we can get them easily by specifying printer to CUPS-PDF. Moreover, CUPS-PDF is useful for trouble shooting, when we have troubles on real printing.
Hello. Please, try a "boomaga" package. It is maintained in Factory. Размер установки:551,5 KiB Резюме:Virtual Printer for Viewing a Document before Printing Описание: Boomaga (BOOklet MAnager) is a virtual printer for viewing a document before printing it out using the physical printer. The program is very simple to work with. Running any program, click "print" and select "Boomaga" to see in several seconds (CUPS takes some time to respond) the Boomaga window open. If you print out one more document, it gets added to the previous one, and you can also print them out as one. Regardless of whether your printer supports duplex printing or not, you would be able to easily print on both sides of the sheet. I think, "Boomaga" is more advanced than CUPS-PDF. -- WBR Kyrill
2014-06-21 3:21 GMT+09:00 Kyrill Detinov
On Fri, 20 Jun 2014 14:26:04 +0900 1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
Please, try a "boomaga" package. It is maintained in Factory.
Размер установки:551,5 KiB Резюме:Virtual Printer for Viewing a Document before Printing Описание: Boomaga (BOOklet MAnager) is a virtual printer for viewing a document before printing it out using the physical printer. The program is very simple to work with. Running any program, click "print" and select "Boomaga" to see in several seconds (CUPS takes some time to respond) the Boomaga window open. If you print out one more document, it gets added to the previous one, and you can also print them out as one. Regardless of whether your printer supports duplex printing or not, you would be able to easily print on both sides of the sheet.
I think, "Boomaga" is more advanced than CUPS-PDF.
I installed boomaga to openSUSE 13.1.
From LibreOffice, I printed to Boomaga printer. But I can not get Boomaga Window nor fies.
I changed X's ACL, but can not get them yet.
xhost +x
tail /var/log/cups/access_log ocalhost - - [21/Jun/2014:04:21:37 +0900] "POST /printers/boomagaprinter HTTP/1.1" 200 206 Create-Job successful-ok localhost - - [21/Jun/2014:04:21:37 +0900] "POST /printers/boomagaprinter HTTP/1.1" 200 4054 Send-Document successful-ok localhost - - [21/Jun/2014:04:22:51 +0900] "POST /printers/boomagaprinter HTTP/1.1" 200 221 Create-Job successful-ok localhost - - [21/Jun/2014:04:22:51 +0900] "POST /printers/boomagaprinter HTTP/1.1" 200 4054 Send-Document successful-ok localhost - - [21/Jun/2014:04:35:42 +0900] "POST /printers/boomagaprinter HTTP/1.1" 200 221 Create-Job successful-ok localhost - - [21/Jun/2014:04:35:42 +0900] "POST /printers/boomagaprinter HTTP/1.1" 200 4054 Send-Document successful-ok localhost - - [21/Jun/2014:04:59:15 +0900] "POST /printers/boomagaprinter HTTP/1.1" 200 221 Create-Job successful-ok localhost - - [21/Jun/2014:04:59:15 +0900] "POST /printers/boomagaprinter HTTP/1.1" 200 4054 Send-Document successful-ok
Would you teach usage?
--
1xx
Hi, 1xx wrote:
I think, "Boomaga" is more advanced than CUPS-PDF.
I installed boomaga to openSUSE 13.1.
From LibreOffice, I printed to Boomaga printer. But I can not get Boomaga Window nor fies.
I installed boomaga package from Printing/openSUSE_13.1 (not Factory) repository via 1-Click install and it just worked fine. $ rpm -qa | grep boomaga boomaga-0.5.0-4.1.x86_64 boomaga-lang-0.5.0-4.1.noarch Which package and how have you installed? -- _/_/ Satoru Matsumoto - openSUSE Member - Japan _/_/ _/_/ Marketing/Weekly News/openFATE Screening Team _/_/ _/_/ mail: helios_reds_at_gmx.net / irc: HeliosReds _/_/ _/_/ http://blog.zaq.ne.jp/opensuse/ _/_/ -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
2014-06-21 10:19 GMT+09:00 Satoru Matsumoto
1xx wrote:
I installed boomaga to openSUSE 13.1.
From LibreOffice, I printed to Boomaga printer.
But I can not get Boomaga Window nor fies.
I installed boomaga package from Printing/openSUSE_13.1 (not Factory) repository via 1-Click install and it just worked fine.
$ rpm -qa | grep boomaga boomaga-0.5.0-4.1.x86_64 boomaga-lang-0.5.0-4.1.noarch
Which package and how have you installed?
I installed openSUSE13.1's Printing/boomaga from http://software.opensuse.org/package/boomaga?search_term=boomaga too.
rpm -qa | egrep boomaga boomaga-lang-0.5.0-4.1.noarch boomaga-0.5.0-4.1.x86_64
I removed them.
sudo zypper rm boomaga-lang boomaga And I reinstalled them. sudo zypper install boomaga-lang boomaga
I selected "printing" on Firefox.
Now, I found the printer of "Boomaga"!
I printed to it, then I could see Boomaga Window.
By installation before one,
I could not find the printer of "Boomaga",
then I started YaST, and added "boomagaprinter".
Thanks!
--
1xx
Kyrill Detinov wrote:
On Fri, 20 Jun 2014 14:26:04 +0900 1xx wrote:
I want the "cups-pdf" to go into official repository.
CUPS-PDF is a PDF writer backend for CUPS. Official site: http://www.cups-pdf.de/
When you want to make PDF files, we can get them easily by specifying printer to CUPS-PDF. Moreover, CUPS-PDF is useful for trouble shooting, when we have troubles on real printing.
Hello.
Please, try a "boomaga" package. It is maintained in Factory.
This one? Does this code run as root? https://github.com/Boomaga/boomaga/blob/master/cups/boomaga From a quick glance I'd say that code is really horrible. It tries to guess the user's session bus address to connect to it. That alone is backwards. Then the (shell!) code also truncates and changes ownership on files in the user's home without any security checks. This and the wrong /tmp file handling could corrupt any file in the system. The author doesn't seem to be familiar some basic secure programming rules. My advise would be to stay away from this code. It shouldn't be in Factory either. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (11)
-
1xx
-
Carlos E. R.
-
Carlos E. R.
-
Christian Boltz
-
James Knott
-
Johannes Meixner
-
John Layt
-
Kyrill Detinov
-
Ludwig Nussel
-
Satoru Matsumoto
-
Yamaban