Mailinglist Archive: opensuse-factory (1029 mails)

< Previous Next >
Re: [opensuse-factory] Let's keep acroread for pure reasons of usability.
  • From: "Carlos E. R." <carlos.e.r@xxxxxxxxxxxx>
  • Date: Thu, 7 Nov 2013 20:24:39 +0100 (CET)
  • Message-id: <alpine.LNX.2.00.1311071957020.19793@Telcontar.valinor>
Hash: SHA1

On Thursday, 2013-11-07 at 11:44 -0200, Luiz Fernando Ranghetti wrote:

Of course Carlos case is a valid case and indeed he needs acroread, but is
a corner case.

All utility here (electricity, gas, water, telephone, etc) send their receipts via paper, but all of them push for the clients to switch to "electronic receipts", which mean PDF, and usually those PDFs are signed. Unless signed electronically they don't have legal value; with the signature, they are valid.

Only acroread supports signature verification. I have tried the same receipt on okular and evince, and they don't even say there is a signature.

(interestingly, the receipt was generated not by adobe software,
but by 3-Heights(TM) PDF Producer)

The other feature is PDF XFA form filling. None of the available open source programs fully support forms. You need acroread to at least compare and see if the alternatives are good enough or not, per case. These forms may contain javascript code.

(interestingly, one of the samples posted here was produced by AFPL
Ghostscript 8.53, not adobe)

Those are two cases that require adobe software, and they affect many users. In Windows I understand there are alternatives, but not in Linux. Acroread in Wine does not work, except version 8 (according to wine docs), and that is as bad as directly using Linux version number 8 or 9. Many Linux users have also Windows machines, but I try to avoid booting to Windows as much as I can.

It can be argued that there may be other methods to generate such forms and signed document with open means. Perhaps. However, those organizations, many of them, have chosen PDF, even if they don't use adobe software to generate them. Surely they have explored the market to find out what is available, thus also surely PDF is the best out there.

Previously I thought that Adobe had sold their product very well, but finding out that the PDFs are often generated by alternate software, that is no longer the explanation.

So, what exactly are the security risks I get into by opening local PDF files (generated by reputable sources, such as governments) with acroread in Linux? Can they be avoided or limited with a good AppArmor profile?

If the danger is in the Firefox plugin, for instance, that can be removed with less trouble.

- -- Cheers,
Carlos E. R.
(from 12.3 x86_64 "Dartmouth" at Telcontar)
Version: GnuPG v2.0.19 (GNU/Linux)

To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >
This Thread