[Development] Retiring libtiff too

Thiago Macieira thiago.macieira at intel.com
Mon May 2 20:20:31 CEST 2016


On segunda-feira, 2 de maio de 2016 18:07:29 PDT Lars Knoll wrote:
> >> So while I don't like us having copies of these libraries in our
> >> repositories, not shipping any support for these image formats in our
> >> packages is not a good option neither.
> >
> >I kinda disagree. I would prefer an opt-in for those poeple.
> 
> That's of course an option, but if the opt-in means 'download libtiff
> yourself, figure out how to compile it, then recompile qtimageformats', we
> have a very user-unfriendly way of solving the problem.

> >Aside from not including it. How are the qtimageformats packaged in our
> >binaries? Are they installed automatically?
> 
> Currently they are automatically installed.

At the very least we should not automatically install it. We can provide the 
binaries for opt-in installation for those who want/need it, with the 
appropriate warning that they need to follow the security bulletins.

In fact, we should have an installer page showing all the bundled third-party 
libraries and let people know that they're there for convenience only and it's 
their responsibility to follow security bulletins for those pieces of 
software. We will upgrade only on our own releases and we will not provide 
security updates in-between.

But we should provide security updates on EVERY release. That means we need to 
follow the CVEs for every piece of bundled third-party software, be it source 
or binary form, and apply patches that may be necessary.

In time, the following CVEs are outstanding for libtiff as of version 4.0.6.

CVE-2014-9655 CVE-2015-1547 CVE-2015-8665 CVE-2015-8683
CVE-2015-7554 CVE-2015-8668

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center




More information about the Development mailing list