[Development] Retiring libtiff too
thiago.macieira at intel.com
Mon May 2 20:20:31 CEST 2016
On Monday, 2 May 2016 18:07:29 PDT Lars Knoll wrote:
> > > So while I don't like us having copies of these libraries in our
> > > repositories, not shipping any support for these image formats in our
> > > packages is not a good option either.
> > I kinda disagree. I would prefer an opt-in for those people.
> That's of course an option, but if the opt-in means 'download libtiff
> yourself, figure out how to compile it, then recompile qtimageformats', we
> have a very user-unfriendly way of solving the problem.
> > Aside from not including it, how are the qtimageformats packaged in our
> > binaries? Are they installed automatically?
> Currently they are automatically installed.
At the very least we should not automatically install it. We can provide the
binaries for opt-in installation for those who want/need it, with the
appropriate warning that they need to follow the security bulletins.
In fact, we should have an installer page showing all the bundled third-party
libraries and let people know that they're there for convenience only and it's
their responsibility to follow security bulletins for those pieces of
software. We will upgrade only on our own releases and we will not provide
security updates in-between.
But we should provide security updates on EVERY release. That means we need to
follow the CVEs for every piece of bundled third-party software, be it source
or binary form, and apply patches that may be necessary.
In time, the following CVEs are outstanding for libtiff as of version 4.0.6.
CVE-2014-9655 CVE-2015-1547 CVE-2015-8665 CVE-2015-8683
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
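The per-release bookkeeping Thiago asks for above (know every bundled third-party component and its version, check each against the published CVEs, and block the release while any applicable CVE is neither fixed upstream nor patched locally) is easy to automate. The script below is an added illustration, not code from the Qt project or from anyone in this thread. The only facts taken from the post are the libtiff version 4.0.6 and the four CVE identifiers; the bundle inventory, the affected-version ranges, the second component and its placeholder advisory, and the "patched locally" marking are all constructed assumptions for the demonstration.

```python
"""Release gate for bundled third-party libraries (added example, not Qt code).

Given an inventory of bundled components and a list of advisories, report which
advisories still apply to the bundled version and whether a local patch covers
them. Anything left OUTSTANDING should block the release.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.0.6' into (4, 0, 6) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


@dataclass
class Advisory:
    cve: str
    component: str
    affected_upto: str            # last affected upstream version, inclusive
    fixed_in: Optional[str] = None  # first upstream version with the fix; None if none yet


@dataclass
class Bundled:
    name: str
    version: str
    local_patches: Set[str] = field(default_factory=set)  # CVEs backported into the bundle


def is_affected(adv: Advisory, b: Bundled) -> bool:
    """True when the bundled version falls inside the advisory's affected range."""
    v = parse_version(b.version)
    if adv.fixed_in is not None and v >= parse_version(adv.fixed_in):
        return False                      # bundle already carries the upstream fix
    return v <= parse_version(adv.affected_upto)


def release_gate(inventory: List[Bundled], advisories: List[Advisory]):
    """Return (component, version, cve, status) for every advisory that applies."""
    by_name = {b.name: b for b in inventory}
    findings = []
    for adv in advisories:
        b = by_name.get(adv.component)
        if b is None or not is_affected(adv, b):
            continue
        status = "patched-locally" if adv.cve in b.local_patches else "OUTSTANDING"
        findings.append((b.name, b.version, adv.cve, status))
    return findings


def blocking(findings) -> list:
    """Findings that must be resolved (patch applied or upstream bump) before shipping."""
    return [f for f in findings if f[3] == "OUTSTANDING"]


# Constructed sample data. libtiff 4.0.6 and the four CVE ids come from the post;
# the affected ranges, the local patch for CVE-2014-9655 and the libwebp entry are
# assumptions made up for this example.
SAMPLE_INVENTORY = [
    Bundled("libtiff", "4.0.6", local_patches={"CVE-2014-9655"}),  # hypothetical backport
    Bundled("libwebp", "0.5.0"),
]

SAMPLE_ADVISORIES = [
    Advisory("CVE-2014-9655", "libtiff", affected_upto="4.0.6"),
    Advisory("CVE-2015-1547", "libtiff", affected_upto="4.0.6"),
    Advisory("CVE-2015-8665", "libtiff", affected_upto="4.0.6"),
    Advisory("CVE-2015-8683", "libtiff", affected_upto="4.0.6"),
    # Placeholder advisory: the bundled libwebp already includes the (assumed) fix.
    Advisory("CVE-0000-00000 (placeholder)", "libwebp", affected_upto="0.4.9", fixed_in="0.5.0"),
]


if __name__ == "__main__":
    found = release_gate(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    for name, version, cve, status in found:
        print(f"{name} {version}: {cve} -> {status}")
    if blocking(found):
        raise SystemExit("release blocked: unpatched CVEs in bundled libraries")
```

Run it as a CI step on the branch being released; the non-zero exit on any OUTSTANDING finding is what turns "we should provide security updates on every release" into a check rather than a promise. Feeding the advisory list from a real CVE feed and the inventory from the repository's third-party manifest is left to the project.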