| | 20170131 |
refactorMirror | anyone online? | 12:58.11 |
Robin_Watts | refactorMirror: Nope. No one at all. | 13:00.46 |
refactorMirror | seems so | 13:01.02 |
Robin_Watts | If you have a question, ask it, don't ask to ask it :) | 13:01.15 |
refactorMirror | I'm looking for someone who can tell me something about mupdf | 13:01.20 |
Robin_Watts | Go for it. | 13:01.31 |
refactorMirror | I use mupdf in my Android App | 13:01.42 |
Robin_Watts | which android app is this? | 13:02.01 |
refactorMirror | it has no impact on my question | 13:02.24 |
| I'm looking at the CVE tickets for mupdf, to make sure I'm up to date with mupdf security | 13:02.56 |
| as security is important to my App | 13:03.11 |
Robin_Watts | it has an impact on how much I am prepared to help you though :) | 13:03.32 |
refactorMirror | And it looks like CVE-2016-6525 was fixed around sep 2016 | 13:03.46 |
| and the latest official Android build of MuPdf is from apr 2016 | 13:04.24 |
| if it is that important: | 13:04.39 |
| https://play.google.com/store/apps/details?id=com.nuro&hl=en | 13:04.53 |
| so - the question is: any plans to update the official Android MuPdf build? | 13:05.38 |
Robin_Watts | Ok. I see no reference to that being released under the GNU AGPL. | 13:05.52 |
| MuPDF is released under 2 licenses. | 13:06.31 |
refactorMirror | That is true - MuPdf is used as a support library | 13:06.52 |
| my app does not change the code - it only uses the MuPdf as a lib to render the PDFs | 13:07.17 |
Robin_Watts | Firstly, it's released for free under the GNU AGPL. If you follow all the terms of the GNU AGPL then you can use it for free (with no support or warranty). | 13:07.22 |
| refactorMirror: That doesn't matter. Under the terms of the GNU AGPL any code that links with MuPDF, such as your app, must ALSO be released under the GNU AGPL. | 13:07.57 |
kens | Or seek a commercial license :-) | 13:08.10 |
refactorMirror | That makes a lot of sense | 13:08.41 |
Robin_Watts | Indeed. If you can't accept and abide by all the terms of the GNU AGPL, then you can alternatively use the Artifex Commercial Licensed version. | 13:08.42 |
| This costs money, but frees you from the strictures of the GNU AGPL. | 13:08.59 |
kens | And you get support, which can easily include building a new Android library.... | 13:09.16 |
Robin_Watts | If you can't abide by the terms of the GNU AGPL, and you won't get a commercial license, then you cannot use MuPDF on pain of being sued. | 13:09.21 |
refactorMirror | Aha | 13:09.35 |
Robin_Watts | So, it seems you have 3 choices. | 13:10.01 |
refactorMirror | so - you are telling me, that fixing security issues is dependent on licencing? | 13:10.06 |
kens | Nobody said that | 13:10.17 |
Robin_Watts | 1) Come into conformance with the GNU AGPL - this means (among other things) releasing the source to your entire app. | 13:10.34 |
| 2) Get a commercial license. Talk to sales@artifex.com | 13:10.49 |
| or 3) Remove your app from the app store and stop selling it. | 13:11.02 |
refactorMirror | alrighty | 13:11.18 |
Robin_Watts | refactorMirror: We fix security issues. Indeed, it's probable that it's already fixed. | 13:11.38 |
kens | refactorMirror: from your own thread, the issue is already fixed, we simply have not as yet released a library for *android* containing that fix. If a commercial customer were to request a library build we would, obviously, do it for them. Free users get no warranty and no support. Though we do welcome bug reports | 13:11.44 |
Robin_Watts | refactorMirror: We will however not go out of our way to help someone who is illegally using our software (as you currently appear to be). Sorry. | 13:12.21 |
refactorMirror | that makes sense | 13:12.36 |
| I was not going to ask you to actually do anything - just to ask if the fix was already done to the Android code base | 13:13.15 |
Robin_Watts | If you give me your email address, I'll introduce you to Scott and you can start talking. | 13:13.18 |
refactorMirror | use the support mail from the play store page | 13:13.53 |
| The more interesting issue here, is how many Android apps are using MuPdf as a component | 13:14.31 |
Robin_Watts | refactorMirror: Do you have a name I can pass to Scott rather than just a handle? | 13:14.44 |
| many, and we are tracking them down as fast as we can. | 13:14.56 |
| The license terms for MuPDF are very clear. | 13:15.08 |
refactorMirror | and if they can be attacked using the heap overflows mentioned in the CVE | 13:15.23 |
| I prefer to remain anonymous on an open IRC channel | 13:16.19 |
| Though the licence issue should be fixed ASAP | 13:16.40 |
Robin_Watts | refactorMirror: Feel free to PM me it. | 13:16.54 |
refactorMirror | you might want to contact VirusTotal, or someone who collects a large amount of Android apps, and ask to scan for your Library | 13:18.12 |
| AV vendors, and security researchers in the Android space might be able to help you there | 13:18.48 |
Robin_Watts | we've considered such a thing before, but haven't found one. I will look into VirusTotal, thanks. | 13:19.13 |
refactorMirror | also - there are sites that collect Apk files from the Play store, you can use that to search for more apps | 13:21.54 |
| Thanks for the answers | 13:22.12 |
| later folks | 13:22.15 |
Robin_Watts | cu. Do talk to Scott... | 13:22.54 |
| And that email address bounces. Great. | 14:25.45 |
kens | Ah, truly professional.... | 14:26.09 |
| I'd be inclined to refer them to Scott and Miles for a takedown personally | 14:26.28 |
Robin_Watts | yeah. I've sent an email to another address, we'll see if I get a reply. | 14:38.45 |
kens | Well worth trying since you have a second one | 14:38.58 |
Robin_Watts | muraster on the desktop peaks out at 4.5 Meg and isn't leaking for that file... | 14:41.30 |
kens | wrong channel ? | 14:41.49 |
Robin_Watts | oops. yes. | 14:42.47 |