[Sugar-devel] Deployment feedback braindump

Lucian Branescu lucian.branescu at gmail.com
Wed Aug 12 10:16:19 EDT 2009


2009/8/12 Bernie Innocenti <bernie at codewiz.org>:
> On Wed, 12-08-2009 at 13:28 +0100, Lucian Branescu wrote:
>> Adobe apparently loves vectors.
>
> And monopolies.

That too :) But really, they're obsessed with vectors.

>
>> JavaScript-in-PDF is mostly a joke and a big security risk. It's not
>> something to be relied upon.
>
> It might be useless, but I don't see why it should be more risky than
> Javascript in web browsers, which everybody happily accepted without
> much thought.  Is JS in PDF even allowed to make HTTP connections?
>

JavaScript in PDF is more risky because the sandboxing isn't as mature
as the one in web browsers. It should theoretically be at least as
safe, but in practice it isn't. This is mostly a problem with Adobe's
implementation, which is an absolute train-wreck, but other
implementers without browser sandboxing experience might repeat some
mistakes.

>
>> Forms are about as much interaction as PDF gets without becoming
>> dangerous or moot.
>
> How do you submit the form?  By HTTP?  Does the PDF reader tell the user
> when it's going to make this connection?

You would submit the form by sending back the completed PDF file. It's
a bit awkward, but it works.

Ideally, people should be using HTML forms, those are made to be
easily and seamlessly submitted.

>
> Knowing how proprietary software companies think, I wouldn't ever dare
> using Adobe Acrobat Reader.  But I blindly trust Evince, Okular and all
> free PDF readers to do whatever it takes to protect my security and
> privacy regardless of what the document or the PDF standard tells them
> to do.
>

In any case, PDF is a good presentation format. Why make it
significantly more complex for small-to-none improvements to its main
purpose?

> --
>   // Bernie Innocenti - http://codewiz.org/
>  \X/  Sugar Labs       - http://sugarlabs.org/
>
>
>

