[tex-live] TeXLive2007: Bug in (Xe)TeX for 64bit and big endianess

Dr. Werner Fink werner at suse.de
Wed May 9 13:20:20 CEST 2007


On Wed, May 09, 2007 at 08:00:03AM -0300, George N. White III wrote:
> On 5/9/07, Hans Hagen <pragma at wxs.nl> wrote:
> 
> >Dr. Werner Fink wrote:
> >> Updates within an old distribution are no-goes for distributors. This
> >> because you can not destroy certifications and tested states of an
> >> existing product by getting unknown side effects with new binaries
> >> in an existing package.  The way to go is to fix the security issue
> >> and provide an update with a binary patch on the existing package.
> >> Our QA would never accept a full update to a new version of texlive
> >> on an old product line without a real BETA testing session.
> >>
> >sure, but i'm not talking of a massive update, just the self contained
> >pdftex binary, which is one file
> >
> >normally pdftex is downward compatible (esp when kpse is linked in as
> >well) so it should work with older distributions
> 
> While this might be true for pdftex, it isn't going to convince distributors
> to change their policies.  Distributors don't distinguish between programs
> where bugs are generally easy to spot (badly formatted document) and
> those where bugs are harder to spot and could have serious consequences.

Besides this, the policy here states that all programs and libraries have
to be built within the product itself (compiler, glibc, kernel headers,
binutils, runtime linker, and all other packages).  This ensures that
all interfaces and the full environment will fit the product for which
the security patch is done.  Otherwise you may stumble on e.g. the
runtime linker or the changed interface of the glibc or the changed
file system paths or whatever is changed in the meantime.

> Testing a security patch on a library has to be done anyway, and is usually
> a relatively simple, self-contained task.  [Not always -- the recent
> addition of sanity checks to libX11 revealed bugs in code that has been
> used for some very critical tasks including medical imaging and weather
> prediction for over a decade.]
> 
> Testing an application is open-ended.  If there is a problem after a
> library is patched, debugging is easier because you know exactly what
> changed.

FullACK ... sometimes it is a nightmare.

         Werner

-- 
  "Having a smoking section in a restaurant is like having
          a peeing section in a swimming pool." -- Edward Burr

