Comment by kevindamm 13 hours ago

Is it ironic that they publish it as a PDF? I get that it's the easiest way to control the print layout and also nicely self-contained... but how many of us are opening it in a sandbox as we should?

gynvael 5 hours ago

Hi, project lead here :)

Hah, that's a good point! I realize of course the issues with PDFs (I have a dozen or so CVEs in PDF readers like Adobe Reader, Chrome, etc). This said, at the end of the day, there isn't much of a choice to be honest.

Admittedly this is because of where I wanted to go with this zine - i.e. make it printable, give authors the freedom to do whatever on the page (and not have to deal with manual DTP), and make it in a format that is widely supported and not limiting (and both PDF readers and writers are abundant).

Realistically if we wanted to go with a format that has 0 attack surface, it would have to be a headerless RGB pixel stream - but that's hardly usable. INB4: txt files have a greater attack surface than headerless RGB pixel streams, even if not by much (see various ANSI escape code problems over the last 4 decades).

P.S. Oh, and let's remember that demoscene/etc zines back in the days were EXEs ;)

Retr0id 13 hours ago

My PDF renderer is written in JavaScript and runs in a web browser; it is already sandboxed.

magicmicah85 12 hours ago

Never heard of needing to open a PDF in sandbox mode, but it makes sense because of potential malicious content, so I looked up if Chrome does it by default with its viewer. It does, as does Firefox and Safari, so that covers most browsers.

  • SchemaLoad 11 hours ago

    PDF in the spec contains an insane amount of stuff which could be exploited. But every reader other than the Adobe one leaves out most of the spec.

    So I wouldn't be that worried about opening a random PDF in a browser. But I would be maybe worried about opening one in a desktop app written in an unsafe language.
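The thread above turns on how much of the PDF spec a reader actually implements, and whether a given file leans on the risky parts of it. As an added example (not code from the thread, the zine, or any project it mentions), here is a small static triage check a defender can run before deciding whether a PDF needs a sandboxed viewer. It looks for name objects tied to active content or to features with a long bug history (`/JavaScript`, `/JS`, `/OpenAction`, `/AA`, `/Launch`, `/EmbeddedFile`, `/RichMedia`, `/XFA`) and resolves the `#xx` hex-escape form that is sometimes used to hide them. The sample PDFs are constructed inline for the demonstration; the function names and the risk list are this example's own choices, not anything from the page.

```python
import re
from collections import Counter

# Name objects whose presence means the file carries active content or uses
# features with a history of reader bugs. A hit is a triage signal, not proof
# of malice: legitimate interactive forms use /JS and /AA routinely.
ACTIVE_CONTENT = {
    "JavaScript", "JS", "OpenAction", "AA", "Launch",
    "EmbeddedFile", "RichMedia", "XFA",
}
# Object streams hold compressed objects this byte-level scan cannot see.
COMPRESSED_OBJECTS = "ObjStm"

# A PDF name runs from "/" up to the next whitespace or delimiter character.
_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
# Inside a name, "#xx" encodes a single byte, e.g. /J#61vaScript == /JavaScript.
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Decode a PDF name token, resolving #xx hex escapes."""
    decoded = _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf_features(data: bytes) -> Counter:
    """Count risky name objects found anywhere in the raw file bytes."""
    hits = Counter()
    for match in _NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in ACTIVE_CONTENT or name == COMPRESSED_OBJECTS:
            hits[name] += 1
    return hits


def triage(data: bytes) -> str:
    """Classify a file for the 'open it where?' decision.

    Returns one of:
      not-a-pdf                   -- no %PDF- header
      needs-sandbox               -- active-content features present
      compressed-objects-unscanned -- no hits, but /ObjStm means names may be hidden
      no-active-content-found     -- nothing found at the byte level
    """
    if not data.startswith(b"%PDF-"):
        return "not-a-pdf"
    hits = scan_pdf_features(data)
    if any(name in ACTIVE_CONTENT for name in hits):
        return "needs-sandbox"
    if COMPRESSED_OBJECTS in hits:
        return "compressed-objects-unscanned"
    return "no-active-content-found"


# Constructed sample: a minimal PDF whose catalog opens a JavaScript action,
# with the action type name hex-escaped to dodge a naive substring search.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, triage(pdf), dict(scan_pdf_features(pdf)))
```

This is deliberately a byte-level heuristic: it does not parse the object graph, decompress streams, or handle encrypted files, which is why `/ObjStm` is reported as "unscanned" rather than "clean". It answers the narrow question the thread raises (does this file use the parts of the spec a minimal renderer leaves out?) cheaply enough to run on every inbound attachment.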