Hello, I would also like to express my vote to keep Adobe Reader available in an openSUSE customized version! Maybe not in NON-OSS repo, but possibly in packman? Reasons: 1) Official Adobe RPM (suggested as a workaround) does not work flawlessly on openSUSE. The openSUSE RPM has specific modifications to work around problems of Adobe Reader in openSUSE (eg. suse-do-not-grab-server.so and many others). Hence the official RPM is not equivalent for users. 2) Much bigger point not mentioned before: PRINTING!! I need to print US/letter page PDFs on A4 frequently, as well as PDF presentations created by pdflatex. Non of the opensource PDF alternatives (on KDE) provide *all* of these printing features: - booklets (kde#186732, kde#248673) - subset of pages, i.e. 1,3-5,9,11-16 - scale to fit printer margins (fixed in kde 4.12?) (kde#192189) - multiple pages per sheet (in custom/different orders/orientations). All of these printing limitations originally come from the KDE4, which does simply not consider printing as important (kde#77624 unmaintained)! Fancy GUI animations and so on are way more important... Asking people to wait for KDE to catch up in terms of printing is an insult, really. It could easily take another decade! The whole printing area seems to (or was for a long time) unmaintained. Acrobat in contrast had its own printing dialog, where most of these things are available in a simple GUI. So, how about providing openSUSE customized Acrobat RPM on packman repos? On 11/07/2013 05:20 PM, Christian Boltz wrote:
Hello,
Am Donnerstag, 7. November 2013 schrieb Carlos E. R.:
So, what exactly are the security risks I get into by opening local PDF files (generated by reputable sources, such as governments) with acroread in Linux? Can they be avoided or limited with a good AppArmor profile?
I don't know about the exact security risks - maybe someone from the security team knows more details.
With an AppArmor profile, you can make sure that acroread only reads *.pdf files and doesn't read or modify random files on your disk. You can also forbid networking - but this doesn't sound too useful when you need to submit a form online ;-)
Anyway, I'll attach my AppArmor profile for acroread. It's not as tight as it could be (and I'll probably do some changes to it now that I know acroread won't get security updates anymore), but it's a good start. Be warned that you will need to change it - for example I'm quite sure your home directory is not /home/cb/ ;-)
Note: the profile only covers the binary, not the wrapper script.
If the danger is in the Firefox plugin, for instance, that can be removed with less trouble.
Indeed, just zypper rm acroread-browser-plugin
I'd strongly recommend to do that (guess who split off this subpackage, and why... ;-)
Regards,
Christian Boltz