[Development] Retiring libtiff too

Lars Knoll Lars.Knoll at qt.io
Mon May 2 20:07:29 CEST 2016


On 02/05/16 17:52, "Development on behalf of Thiago Macieira" <development-bounces+lars.knoll=qt.io at qt-project.org on behalf of thiago.macieira at intel.com> wrote:



>On Monday, 2 May 2016 10:46:53 PDT Lars Knoll wrote:
>> Well, on Linux these libraries are nicely available on the system. But it
>> does not help us on Windows, where we do have to ship these libraries if we
>> want to provide something that's easy to use for our users/customers.
>
>Let me question that: do we want to provide something easy which is a 
>potential security hole? Even if we upgrade libtiff to the latest that fixes 
>all issues, there will be more. How are we dealing with CVEs from our bundled 
>third party, especially those that end up in our binaries? How are our users 
>and your customers?

I agree that we need to figure out how to handle this. I'm just pointing out that simply removing lots of functionality might not be the right answer either.

> 
>> So while I don't like us having copies of these libraries in our
>> repositories, not shipping any support for these image formats in our
>> packages is not a good option either.
> 
>I kinda disagree. I would prefer an opt-in for those people.

That's of course an option, but if the opt-in means 'download libtiff yourself, figure out how to compile it, then recompile qtimageformats', we have a very user-unfriendly way of solving the problem.
>
>> No, there's currently no option to limit the image formats that are being
>> loaded apart from not shipping the plugin.
>
>Aside from not including it. How are the qtimageformats packaged in our 
>binaries? Are they installed automatically?

Currently they are automatically installed.

Cheers,
Lars


