I think poppler is a library, not an application. Anyway, it's one of the two PDF backends for Zathura (the other being MuPDF) so it's at least included indirectly.
I liked xpdf, but stopped using it after my package manager said it had unpatched CVEs (and at least implied unmaintained). Any chance it's been cleaned up now? I see a recent release but couldn't find a change log.
For something like PDF, I wonder how practical it would be to write a program that just strips out “dangerous” features. Maybe this wouldn’t help with buffer overflows and similar, but it might be useful.
Maybe just roundtripping your pdf through djvu or postscript would be sufficient?
Because the likelihood that I get a PDF designed to exploit a bug in XPDF (or other image viewer) after being converted to PS and back by Ghostscript is relatively low (e.g. this would seem to indicate that I'm being targetted personally, or I have a common setup)? But, in general, I'm not saying "use ghostscript", I'm saying "perhaps roundtripping incoming PDFs through some other file format will produce a PDF that is safer to view than viewing untrusted PDFs directly"
> I liked xpdf, but stopped using it after my package manager said it had unpatched CVEs (and at least implied unmaintained). Any chance it's been cleaned up now?
Seems like 3.04 & 4.03 (latest) as for now has no CVEs.[0,1]
> I see a recent release but couldn't find a change log.
Just grab a latest source release tarball[1], extract files & read `CHANGES` (changelog text file).
That's now either part of poppler-utils or also provided through poppler-utils. On my Debian box, the manpage still references Xpdf, though pdftotext is provided by poppler-utils.
Xpdf was nice, but at some point they switched (or the project was forked without getting a new name, not sure) to Qt from Motif and basically lost all appeal for me - the main reason i installed it was exactly because of the lightweight GUI.
PDF.js is a nightmare. Horribly slow to load large documents, slow to scroll or search, and utterly fails in the bigges thing PDF has going for it... PDF.js often doesn't display or print out the PDF like the original (cutting off parts, failing to rotate properly, etc).
You might as well say Notepad or VI "just work" as HTML viewers.
It renders to canvas to draw the pdf so all it has is a bitmap, hence the bitmap printing. To get decent quality with bitmap printing you have to do really high res which eats memory and is slow.
They were working on an SVG renderer to support proper vector printing still don’t think its done. They should have used SVG to begin with.
I actually like the idea of pdf.js, having a pure browser based pdf viewer is a good thing, really needs good vector print support though to be serious.
The browser has no way to send anything directly to the printer through javascript and probably not the best idea to let it either from a security perspective, especially PDF's.
It's up to the browser to render the page to the printer, if it contains canvases they are sent as bitmaps, since thats what they are.
HTML elements and SVG are generally rendered as vector commands to the printer which might end up being postscript or pdf. So svg's are much lighter going to printer then high dpi canvases. They also looks much better too since the printer renders them to the final raster at native res say 600 dpi.
Other browsers use a native PDF renders that can do whatever it wants, not sure what PDFium does in Chrome/Edge maybe it just sends the PDF if it can determine the printer supports it, otherwise it does native print commands for sure, it does not send bitmaps.
The nice thing about pdf.js is it runs on platforms that have no pdf viewer built in but have a web browser or maybe a buggy built in one. You can also style and control it yourself and add features to it for your app making for tighter embedding. Also it can be updated independently of browser.
I always thought Apple's slogan was hilarious because I basically interpreted it with emphasis on the "just". It just works. Like, only barely passes the bar for what could be considered working, only just.
The built-in chrome PDF viewer PPAPI plugin is generally pretty decent and is at least sandboxed on most platforms. It handles larger documents a bit better than PDF.js.
Xpdf has a history of enforcing purely software DRM on PDFs for no logical reason, such as the disabling of copying text and printing from documents. The upstream was against OS distributions patching this silly DRM out. I don't know if the upstream ever changed their policy on this, but there are better PDF readers out there now.
Here's a very long, and entertaining thread about it on the OpenBSD mailing lists from 2008.
He seems to confuse the idea with a legal duty and a moral one as well as failing to understand where his own responsibility lies in the grand scheme of things.
Even if there existed a highly questionable moral duty not to say copy and paste a quote from a document its hard to understand ethically why he imagines that he owes the author the duty to enforce this personally convincing others not to patch such a "feature" out.
I disagree with the choices the author of XPDF made. I would have made different ones.
Neither of us fully understands his mental state, or why he made those choices. So let's focus our criticism on the choices themselves, rather than outright dehumanizing another person for making a technical decision.
There are many legitimate reason for one to need to be able to print or copy text from a document. Enforcing an entirely optional "security mechanism" when there is no technical reason to at the expense of the users of the software makes no sense at all, especially if the only argument is to respect the authors implied arbitrary wishes.
This is just my opinion, but I think that the software I use should empower me, the user: I don't think my software should force me to "respect the requests of the publisher", and I especially think it shouldn't restrict basic functionality like the clipboard in pursuit of that goal.
Should it empower you to bypass the terms under which content you're accessing were shared? Have you considered that maybe that's disempowering other people using the same tool?
Edit: as far as I can tell the groupthink has gone beyond “everyone should use a free license for everything” to “I have a free license to everything damn the actual license”.
Restricting plain text copying on compliant readers isn't really preventing anything though. It's akin to unskippable copy warnings on DVDs, the only thing it does is inconvenience those using it legitimately.
> Should it empower you to bypass the terms under which content you're accessing were shared?
I think it's disingenuous to frame it as a "bypass". The publisher is setting out a terms of use, and I think it's bad that the software try to force that I abide by such terms, because:
• the software will be too conservative: there are many situations where it is legal (and even ethical) to ignore such terms, but the software will not recognize them.
• there will be alternative software which does not enforce such terms, making it worthless as an actual protection measure.
• like I said, I think my machine and the software runs on it ought to represent me and my interests. I would certainly hesitate before installing software that put others' interests above my own, no matter how well-intentioned.
> Have you considered that maybe that's disempowering other people using the same tool?
No, but I'd be more open to the thought if you'd provide a compelling example.
> > Should it empower you to bypass the terms under which content you're accessing were shared?
> I think it's disingenuous to frame it as a "bypass". The publisher is setting out a terms of use, and I think it's bad that the software try to force that I abide by such terms
You coulda just said “yeah”.
Edit:
> No, but I'd be more open to the thought if you'd provide a compelling example.
I did but I’ll make it more clear: I licensed my content to you, with the expectation you would honor my license. If you use the technology I distribute my licensed content to you to violate that license you’re undermining my ability to determine the terms under which I distribute my content.
Because it hard for a single author or organization to enforce across millions of humans.
It's like locks on doors. Yea, B&E is illegal and the lock helps as a forcing function/indicator. Easier to lock a door than chase 100s of thieves.
DRM is like that for a publisher, and digital theft is loads easier than physical theft, otherwise publishers are really set back for getting compensated for their works (see author above).
I get you don't like DRM but should software be a tool for stealing others works?
Note: I loathe DRM but when I pay for content/books, I respect the game.
> But then I'd be tacitly agreeing that it's a "bypass", when there's nothing to "bypass" in the first place.
If the terms of the distributed content are “I don’t want you to copy this” and the technology has the ability to disable copying it (however flawed or limited), and your expectation is that the software disregard that express wish for distribution... you are asking the software to facilitate you in disregarding the express wish of the creator. How is that long winded way of saying it not “bypass”?
The creator might not want me to copy it, but I have a legal fair-use right to copy parts of it under certain circumstances. I'm not "bypassing" the license, I'm exercising my legal rights.
> Isn't this exactly what IP law is for? Why do you need PDF readers of all things to also enforce your terms?
Yeah IP law is for enforcing IP in court. But your position is you should be entitled to use any content and software in any way you want without any mechanisms attempting to reinforce the contract outside of a court. Essentially you’re saying “if an author explicitly says I’m allowed to use their content but not this way, anyone but the law trying to ensure I comply with the contract I agreed to is wrong”.
If I made some work that said you were free to do anything with it other than defecate on it, and you agree to it, there’s nothing inherently wrong with me trying to take measures besides a lawsuit to try to prevent you from that.
> I did but I’ll make it more clear: I licensed my content to you, with the expectation you would honor my license. If you use the technology I distribute my licensed content to you to violate that license you’re undermining my ability to determine the terms under which I distribute my content.
Your licenses have legal limits, including fair use.
Too many authors seem to believe that once they have created something, they should have total control over all copies of it made in perpetuity. That's not how it works even today (and today is closer to that "ideal" than just about any other point in history).
If I buy a physical book there are all sorts of things I can do with it. I can cut out the pages and use it in an arts-and-crafts project. I can even burn it should I wish. Many authors are horrified at some of the ways their books can and have been used, but they cannot legally limit these things.
PDFs are not physical books, and any analogy between the two will eventually break down, but I do not consider printing or copy-pasting from a document to be "bypassing the terms under which the content [I'm] accessing were shared" when many possible uses of these are 100% legal, just like photocopying a few pages from a book at the library for a school research project is 100% legal.
What evidence does the software have that you agreed or continue to agree to the terms encoded into the piece of content? If you intend to not copy text from a file, for instance, you are certainly free and empowered to not do that.
You agreed by accepting the distribution that expressly forbade it. The software knows you agreed by you accessing content that instructed the same software to prevent you from copying it to the best of its ability.
Since this is the top comment currently, I will respond here. At one point in time I had a rather popular ML/AI textbook I offered in PDF format with some restrictions. I, at the time, thought most users would be reasonable and respect those restrictions. Unfortunately you as many others decided to no respect those restrictions. I cannot say it is due to that but my book was one of the more popular epubs/azw's on a few torrent trackers in the mid-to-early 2000's. I love that people are able to access these things, but it would be great if people who could, would donate money to pay for the production of these materials. Overall I got $1502.56 for my publishing a 1086 page text book which took about 2.6 years of my life. Obviously this is my throwaway account so try not to link this back to the actual book.
I got a royalty advance, which I am not allowed to disclose(pdf sales were part of that, so not in addition to), but overall, it was way under minimum wage for the work done.
I appreciate the work you did and I hope it enriched your life in some meaningful way. I had family support for 1 year of undergraduate, and 4 years without that support. If I could find an english language foreign market edition of a textbook, usually printed on darn near see through paper, i’d get that. Otherwise I’d be on the hunt for a free pdf. As I was struggling to survive, I didn’t feel bad about it. I feel bad that you took the risk, created something beautiful, and felt shortchanged. On the other hand, I’m not willing to tell an undergraduate who can’t afford a $100-$200+ textbook to not do the thing which is in their best interest.
I use xpdf on my camping laptop. I like it’s minimalist interface and have gone through quite a number of programming books with it. That being said, it’s certainly not the best pdf viewer, but it gets the job done and is lightweight.
I would suggest Zathura. It is minimal fast themeable, has configurable bindings and vim like bindings out of the box. It has marks and a binding to jump to marks that is similar in nature to vim marks and remembers your place in documents.
With the mupdf backend it also supports epub save for an bug in how it treats the table of contents which presently afflicts 0.4.7 which has already been fixed which will presumably be fixed in 0.4.8.
Another reason to use it is seccomp mode. Zathura puts itself in a seccomp jail before reading the input document. Inside the jail all it can do is read from the input file and read/write to the display (in my case, Wayland socket -- on X11 this isn't quite as effective).
Just wish it had nonrectangular (i.e. paragraph-flow) select-and-copy, but I know PDF makes that as difficult as possible. Works great on touchscreens except that the pinch gesture is misinterpreted as select instead of zoom.
Tip: press tab while viewing a document to see the outline (which you can navigate with vi keystrokes!). Took me a while to discover that.
73 comments
[ 4.5 ms ] story [ 133 ms ] threadMaybe just roundtripping your pdf through djvu or postscript would be sufficient?
Ghostscript is written in C and doesn't have a great reputation for security.
But PDF is a subset of Postscript, so the roundtrip seems to be the identity transformation ….
Seems like 3.04 & 4.03 (latest) as for now has no CVEs.[0,1]
> I see a recent release but couldn't find a change log.
Just grab a latest source release tarball[1], extract files & read `CHANGES` (changelog text file).
[0] https://repology.org/project/xpdf/versions
[1] https://repology.org/project/xpdf/cves
[2] https://dl.xpdfreader.com/xpdf-latest.tar.gz
That said, yes, it's quite handy.
I have a lot of nostalgia for Xpdf, but I guess these days it's been successfully replaced by Zathura.
You might as well say Notepad or VI "just work" as HTML viewers.
Does that happen on all operating systems? With all printer drivers?
They were working on an SVG renderer to support proper vector printing still don’t think its done. They should have used SVG to begin with.
I actually like the idea of pdf.js, having a pure browser based pdf viewer is a good thing, really needs good vector print support though to be serious.
It's up to the browser to render the page to the printer, if it contains canvases they are sent as bitmaps, since thats what they are.
HTML elements and SVG are generally rendered as vector commands to the printer which might end up being postscript or pdf. So svg's are much lighter going to printer then high dpi canvases. They also looks much better too since the printer renders them to the final raster at native res say 600 dpi.
Other browsers use a native PDF renders that can do whatever it wants, not sure what PDFium does in Chrome/Edge maybe it just sends the PDF if it can determine the printer supports it, otherwise it does native print commands for sure, it does not send bitmaps.
The nice thing about pdf.js is it runs on platforms that have no pdf viewer built in but have a web browser or maybe a buggy built in one. You can also style and control it yourself and add features to it for your app making for tighter embedding. Also it can be updated independently of browser.
Seems to be derived from Foxit.
Xpdf tools have been a lifesaver for ages. Thank you Derek et all!
Here's a very long, and entertaining thread about it on the OpenBSD mailing lists from 2008.
https://marc.info/?t=120906296700004&r=2&w=2
No longer on their website, but original author considered this to be "cracking".
https://web.archive.org/web/20161129092715/http://www.foolab...
Even if there existed a highly questionable moral duty not to say copy and paste a quote from a document its hard to understand ethically why he imagines that he owes the author the duty to enforce this personally convincing others not to patch such a "feature" out.
He sounds like a highly detestable human being.
That is over-the-top harsh.
I disagree with the choices the author of XPDF made. I would have made different ones.
Neither of us fully understands his mental state, or why he made those choices. So let's focus our criticism on the choices themselves, rather than outright dehumanizing another person for making a technical decision.
(which is another way to describe the flags)
Edit: as far as I can tell the groupthink has gone beyond “everyone should use a free license for everything” to “I have a free license to everything damn the actual license”.
Yes
> Have you considered that maybe that's disempowering other people using the same tool?
I can't see why given xpdf with DRM and xpdf without DRM anyone would select the first.
I think it's disingenuous to frame it as a "bypass". The publisher is setting out a terms of use, and I think it's bad that the software try to force that I abide by such terms, because:
• the software will be too conservative: there are many situations where it is legal (and even ethical) to ignore such terms, but the software will not recognize them.
• there will be alternative software which does not enforce such terms, making it worthless as an actual protection measure.
• like I said, I think my machine and the software runs on it ought to represent me and my interests. I would certainly hesitate before installing software that put others' interests above my own, no matter how well-intentioned.
> Have you considered that maybe that's disempowering other people using the same tool?
No, but I'd be more open to the thought if you'd provide a compelling example.
> I think it's disingenuous to frame it as a "bypass". The publisher is setting out a terms of use, and I think it's bad that the software try to force that I abide by such terms
You coulda just said “yeah”.
Edit:
> No, but I'd be more open to the thought if you'd provide a compelling example.
I did but I’ll make it more clear: I licensed my content to you, with the expectation you would honor my license. If you use the technology I distribute my licensed content to you to violate that license you’re undermining my ability to determine the terms under which I distribute my content.
But then I'd be tacitly agreeing that it's a "bypass", when there's nothing to "bypass" in the first place.
> you’re undermining my ability to determine the terms under which I distribute my content.
Isn't this exactly what IP law is for? Why do you need PDF readers of all things to also enforce your terms?
It's like locks on doors. Yea, B&E is illegal and the lock helps as a forcing function/indicator. Easier to lock a door than chase 100s of thieves.
DRM is like that for a publisher, and digital theft is loads easier than physical theft, otherwise publishers are really set back for getting compensated for their works (see author above).
I get you don't like DRM but should software be a tool for stealing others works?
Note: I loathe DRM but when I pay for content/books, I respect the game.
If the terms of the distributed content are “I don’t want you to copy this” and the technology has the ability to disable copying it (however flawed or limited), and your expectation is that the software disregard that express wish for distribution... you are asking the software to facilitate you in disregarding the express wish of the creator. How is that long winded way of saying it not “bypass”?
Yeah IP law is for enforcing IP in court. But your position is you should be entitled to use any content and software in any way you want without any mechanisms attempting to reinforce the contract outside of a court. Essentially you’re saying “if an author explicitly says I’m allowed to use their content but not this way, anyone but the law trying to ensure I comply with the contract I agreed to is wrong”.
If I made some work that said you were free to do anything with it other than defecate on it, and you agree to it, there’s nothing inherently wrong with me trying to take measures besides a lawsuit to try to prevent you from that.
Your licenses have legal limits, including fair use.
Too many authors seem to believe that once they have created something, they should have total control over all copies of it made in perpetuity. That's not how it works even today (and today is closer to that "ideal" than just about any other point in history).
If I buy a physical book there are all sorts of things I can do with it. I can cut out the pages and use it in an arts-and-crafts project. I can even burn it should I wish. Many authors are horrified at some of the ways their books can and have been used, but they cannot legally limit these things.
PDFs are not physical books, and any analogy between the two will eventually break down, but I do not consider printing or copy-pasting from a document to be "bypassing the terms under which the content [I'm] accessing were shared" when many possible uses of these are 100% legal, just like photocopying a few pages from a book at the library for a school research project is 100% legal.
Yes, obviously.
Edit:
So did Okular (the KDE reader) it seems https://tsdgeos.blogspot.com/2009/06/okular-pdf-and-drm.html
Evince too https://superuser.com/questions/767617/disable-drm-in-evince but it is disabled by default now.
2) preventing copy pasting text, especially if book has eg: code samples, is silly.
With the mupdf backend it also supports epub save for an bug in how it treats the table of contents which presently afflicts 0.4.7 which has already been fixed which will presumably be fixed in 0.4.8.
Come on guys cut another release!
Another reason to use it is seccomp mode. Zathura puts itself in a seccomp jail before reading the input document. Inside the jail all it can do is read from the input file and read/write to the display (in my case, Wayland socket -- on X11 this isn't quite as effective).
Just wish it had nonrectangular (i.e. paragraph-flow) select-and-copy, but I know PDF makes that as difficult as possible. Works great on touchscreens except that the pinch gesture is misinterpreted as select instead of zoom.
Tip: press tab while viewing a document to see the outline (which you can navigate with vi keystrokes!). Took me a while to discover that.