qpdf VS git-bug

QPDF is a CLI tool that performs content-preserving transformations on PDF files. We have another tool for managing files!

Given how well Preview.app and Safari work for viewing >99% of PDFs I actually encounter in the wild, this article makes Apple's engineering decisions look good.

It also confirms many suspicions I've had over the years that have led me to, e.g., running all PDFs from questionable sources through VirusTotal before viewing on platforms where I wouldn't normally run antivirus software.

The original article also confirms my suspicions that this step is inadequate:

Because the Launch action can be considered as a danger- ous feature, we conducted a large-scale evaluation of 294,586 PDF documents downloaded from the Internet, in order to research if there are any legitimate use cases at all. Of those documents, only 532 files (0.18%) contained a Launch action. While none of the files was classified as malicious according to the VirusTotal database, we conclude that the Launch action is rarely used in the wild and its support should be removed by PDF implementations as well as the standard.

Incidentally, the Launch action is still present in the most recent version of the PDF standard[1], with only OS-specific launch parameters deprecated (which include passing arguments to the launched executable, so eliminating the deprecated feature is still a significant security gain).

Finally, I'm both personally and professionally curious about how the non-DoS examples in this articles may apply to non-viewer PDF tools and libraries like qpdf[2] and Ghostscript's original and recently reimplemented PDF interpreters[3].

[1] https://pdfa.org/resource/iso-32000-pdf/

(registration required, but at least the base standard is available at no cost; sadly, important incorporated standards like ISO 21757-1:2020 [ECMAScript for PDF] are not)

[2] https://qpdf.sourceforge.io

[3] https://ghostscript.com/blog/pdfi.html

I know you're talking about GUI editing, but I've found libqpdf[1] incredibly useful for making programmatic PDF edits with minimal (typically no) structural disturbance.

[1] https://qpdf.sourceforge.io

Solved this. So the string which we were concerned about depends on the time, which is why it changes everytime a new document is generated with the same source PDF. it is a meaningless string really. from the documentation, it gives this explanatin. To be sure, i raised an issue with the guys at QPDF and they were quick to answer the question too. The explanation theyve given is even more clearer.

Hi, this is my first Emacs package! It provides a transient wrapper for the qpdf command-line tool aimed especially at users of pdf-tools or at least DocView. With it one can, for example, remove/reorder/split/rotate pages of a pdf file, merge pdf files, remove annotations, and apply a range of transformations to a pdf file. See the qpdf documentation.

There are some here, as test files in the qpdf library: https://github.com/qpdf/qpdf/tree/main/qpdf/qtest/qpdf

(I wrote a low-level PDF parser and ran it over the PDF files that happened to be present on my laptop—just regular ones—and ran into some files that (some) PDF viewers open but even qpdf doesn't. I say "even" because qpdf is really good IMO.)

If you're comfortable handling the (typo)graphical aspects of the PDF yourself and have the ability to consume a C++ library, I've had good experiences using the Apache-licensed qpdf[1] library to handle the low-level structural aspects of the PDF standard. It's particularly convenient when your application requires structure-preserving integration of existing PDF content.

Simple example applications, each completed in 2–3 days, both in C#, using C++/CLI to integrate libqpdf:

1. Overlaying fixed-format text on pre-existing blank PDF form pages, ensuring the content of each distinct form page is embedded exactly once, and that all necessary assets (fonts, images, etc.) from the blank form PDF pages are included in the output PDF.

2. Losslessly combining a sequence of PDF, TIFF, and JPEG images into a single PDF with bookmarks pointing to the first page of each source file and existing image compression maintained where possible. In this application, only the source TIFFs were anything other than arbitrary (i.e., the TIFFs were more-or-less baseline images coming from a small number of scanning systems, but the JPEGs and PDFs came from all sorts of different applications).

[1] https://github.com/qpdf/qpdf

Use qpdf https://github.com/qpdf/qpdf

I was looking for a way on macOS to batch remove the user password from a bunch of PDF files that had the same password. I found the easiest way was to use qpdf with the following command:

Unfortunately github appears to be actively breaking the ability to use git-bug on large repositories (like nixpkgs):

https://github.com/MichaelMure/git-bug/issues/749#issuecomme...

True but getting less true by the day:

https://github.com/MichaelMure/git-bug

https://www.fossil-scm.org/home/doc/trunk/www/index.wiki

Only not having access to https://todo.sr.ht made me to recognize fully, that I don’t have any access to it. https://github.com/MichaelMure/git-bug suddenly looks much more interesting.

Neither do the issues support. But there is git-bug [0].

[0]: https://github.com/MichaelMure/git-bug

As a sort of spiritual successor to git-appraise, I've been working on git-bug[1] which support issues and will at some point support kanban and code review. There is a few notables improvements:

- CRDT-like reusable data structure [2][3] for true p2p workflow and easily create new entities (code review ...)

- bidirectional bridges to github, gitlab ... to ease the transition or just use git-bug as a complement of those platform

- CLI, terminal UI and web UI, for different taste and integrate into your tooling/workflow

[1]: https://github.com/MichaelMure/git-bug

[2]: https://github.com/MichaelMure/git-bug/blob/master/doc/model...

[3]: https://github.com/MichaelMure/git-bug/blob/master/entity/da...

> but that is for the development of the platform and network of Gitopia. For the end user the workflows remain almost the same for collaboration.

I have to disagree here. Accidental complexity in a system can have severe downstream impacts on end users, whether that be in the form of poor performance, unreliability, or just slow update cycles. It's not something you can paper over and completely hide from the user.

> Along with this the blockchain layer layer offers immutable, transparent and tamper proof versioning of code

Tamper-proof can be accomplished natively by signing [0]. receive.denyNonFastForwards and receive.denyDeletes[1] can be used to make a git repository immutable. Git commits are also already content-addressable. And transparency is achieved by just having the repo available for people to clone.

> along with the collaboration meta and augments the current collaboration flow

Could this augmentation not be accomplished by storing the collaboration information in the repo under a set of special-purpose branches? Like git-bug[2] or git-issue[3]? Coupled with GPG signatures and you've got your immutability, too!

> Along with this it enables us to provide a novel means to incentivize open-source contributions along with fostering a more decentralized approach for governance (even for projects), every token holder could have a say in the decision making, reducing the risk of undue influence by a single party, hence eliminating centralized control.

This one I'll grant you, but it's by far the least compelling aspect of the project to me. I don't think we're going to solve the centralization of GitHub by centralizing on a new plutocracy, I'd much rather see efforts towards full decentralization. There's nothing inherent to Git that requires that we all use the same set of servers.

[0] https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

[1] https://git-scm.com/book/en/v2/Customizing-Git-Git-Configura...

[2] https://github.com/MichaelMure/git-bug

[3] https://github.com/dspinellis/git-issue

Regarding the issues, there are some projects like git-bug https://github.com/MichaelMure/git-bug trying to embed these sorts of meta-work into git.

Probably git-bug is closer to what Fossil does: It uses Git as a storage engine, and can coexist with your code in the same physical repository, but the issues don't actually show up as source files. Instead, each issue is a special branch (buried in refs so it won't clutter up git branch) that has zero common ancestry with anything else. So in theory you can poke at it with Git, but really, the Git under the hood is mostly an implementation detail, and as long as you interact with those files through the tool, it guarantees you won't have merge conflicts.

You might be interested by git-bug and https://github.com/MichaelMure/git-bug/blob/master/doc/model..., which seems to be exactly what you describe. (Disclaimer: author).