| | <<<Back 1 day (to 2017/01/30) | 20170131 |
| refactorMirror | anyone online? | 12:58.11 |
| Robin_Watts | refactorMirror: Nope. No one at all. | 13:00.46 |
| refactorMirror | seems so | 13:01.02 |
| Robin_Watts | If you have a question, ask it, don't ask to ask it :) | 13:01.15 |
| refactorMirror | I'm looking for someone who can tell me something about mupdf | 13:01.20 |
| Robin_Watts | Go for it. | 13:01.31 |
| refactorMirror | I use use mupdf in my Andorid App | 13:01.42 |
| Robin_Watts | which android app is this? | 13:02.01 |
| refactorMirror | it has no impact on my question | 13:02.24 |
| | I'm looking at the CVE tickets for mupdf, to make sure I'm up to date with mupdf security | 13:02.56 |
| | as security is important to my App | 13:03.11 |
| Robin_Watts | it has an impact on how much I am prepared to help you though :) | 13:03.32 |
| refactorMirror | And it looks like CVE-2016-6525 was fixed around sep 2016 | 13:03.46 |
| | and the latest official Android build of MuPdf is from apr 2016 | 13:04.24 |
| | if it is that important: | 13:04.39 |
| | https://play.google.com/store/apps/details?id=com.nuro&hl=en | 13:04.53 |
| | so - the question is: any plans to update the official Android MuPdf build? | 13:05.38 |
| Robin_Watts | Ok. I see no reference to that being released under the GNU AGPL. | 13:05.52 |
| | MuPDF is released under 2 licenses. | 13:06.31 |
| refactorMirror | That is true - MuPdf is used as a support library | 13:06.52 |
| | my app does not change the code - it only uses the MuPdf as a lib to render the PDFs | 13:07.17 |
| Robin_Watts | Firstly, it's released for free under the GNU AGPL. If you follow all the terms of the GNU AGPL then you can use it for free (with no support or warranty). | 13:07.22 |
| | refactorMirror: That doesn't matter. Under the terms of the GNU AGPL any code that links with MuPDF, such as your app, must ALSO be released under the GNU AGPL. | 13:07.57 |
| kens | Or seek a commercial license :-) | 13:08.10 |
| refactorMirror | That makes a lot of sense | 13:08.41 |
| Robin_Watts | Indeed. If you can't accept and abide by all the terms of the GNU AGPL, then you can alternatively use the Artifex Commercial Licensed version. | 13:08.42 |
| | This costs money, but frees you from the strictures of the GNU AGPL. | 13:08.59 |
| kens | And you get support, which can easily include building a new Android library.... | 13:09.16 |
| Robin_Watts | If you can't abide by the terms of the GNU AGPL, and you won't get a commercial license, then you cannot use MuPDF on paid of being sued. | 13:09.21 |
| refactorMirror | Aha | 13:09.35 |
| Robin_Watts | So, it seems you have 3 choices. | 13:10.01 |
| refactorMirror | so - you are telling me, that fixing security issues is dependent on licencing? | 13:10.06 |
| kens | Nobody said that | 13:10.17 |
| Robin_Watts | 1) Come into conformance with the GNU AGPL - this means (among other things) releasing the source to your entire app. | 13:10.34 |
| | 2) Get a commercial license. Talk to sales@artifex.com | 13:10.49 |
| | or 3) Remove your app from the app store and stop selling it. | 13:11.02 |
| refactorMirror | alrighty | 13:11.18 |
| Robin_Watts | refactorMirror: We fix security issues. Indeed, it's probable that it's already fixed. | 13:11.38 |
| kens | refactorMirror: from your own thread, the issue is already fixed, we simply have not as yet released a library for *android* containing that fix. If a commercial customer were to request a lirary build we would, obviously, do it for them. Free users get no warranty and no support. Thoguh we do welcome bug reports | 13:11.44 |
| Robin_Watts | refactorMirror: We will however not go out of our way to help someone who is illegally using our software (as you currently appear to be). Sorry. | 13:12.21 |
| refactorMirror | that makes sense | 13:12.36 |
| | I was not going to ask you to actually do anything - just to ask if the fix was already done to the Android code base | 13:13.15 |
| Robin_Watts | If you give me your email address, I'll introduce you to Scott and you can start talking. | 13:13.18 |
| refactorMirror | use the support mail from the play store page | 13:13.53 |
| | The more interesting issue here, is how many Andorid apps are using MuPdf as a component | 13:14.31 |
| Robin_Watts | refactorMirror: Do you have a name I can pass to Scott rather than just a handle? | 13:14.44 |
| | many, and we are tracking them down as fast as we can. | 13:14.56 |
| | The license terms for MuPDF are very clear. | 13:15.08 |
| refactorMirror | and if they can be attacked using the heap overflows mentioned in the CVE | 13:15.23 |
| | I prefer to remain anonymous on an open IRC channel | 13:16.19 |
| | Though the licence issue should be fixed ASAP | 13:16.40 |
| Robin_Watts | refactorMirror: Feel free to PM me it. | 13:16.54 |
| refactorMirror | you might want to contact VirusTotal, or someone who collects a large amount of Android apps, and ask to scan for your Library | 13:18.12 |
| | AV vendors, and security researchers in the Android space might be able to help you there | 13:18.48 |
| Robin_Watts | we've considered such a thing before, but haven't found one. I will look into VirusTotal, thanks. | 13:19.13 |
| refactorMirror | also - there are sites that collect Apk files from the Play store, you can use that to search for more apps | 13:21.54 |
| | Thanks for the answers | 13:22.12 |
| | later folks | 13:22.15 |
| Robin_Watts | cu. Do talk to Scott... | 13:22.54 |
| | And that email address bounces. Great. | 14:25.45 |
| kens | Ah, truly professional.... | 14:26.09 |
| | I'd be inclined to refer them to Scott and Miles for a takedown personally | 14:26.28 |
| Robin_Watts | yeah. I've sent an email to another address, we'll see if I get a reply. | 14:38.45 |
| kens | Well worth trying since you have a second one | 14:38.58 |
| Robin_Watts | muraster on the desktop peaks out at 4.5 Meg and isn't leaking for that file... | 14:41.30 |
| kens | wrong channel ? | 14:41.49 |
| Robin_Watts | oops. yes. | 14:42.47 |
| | Forward 1 day (to 2017/02/01)>>> | |
Log of #ghostscript at irc.freenode.net.