[Development] Retiring libtiff too

Lars Knoll Lars.Knoll at qt.io
Tue May 3 08:39:42 CEST 2016


On 02/05/16 20:20, "Development on behalf of Thiago Macieira" <development-bounces+lars.knoll=qt.io at qt-project.org on behalf of thiago.macieira at intel.com> wrote:

>On segunda-feira, 2 de maio de 2016 18:07:29 PDT Lars Knoll wrote:
>> >> So while I don't like us having copies of these libraries in our
>> >> repositories, not shipping any support for these image formats in our
>> >> packages is not a good option either.
>> >
>> >I kinda disagree. I would prefer an opt-in for those people.
>> 
>> That's of course an option, but if the opt-in means 'download libtiff
>> yourself, figure out how to compile it, then recompile qtimageformats', we
>> have a very user-unfriendly way of solving the problem.
>
>> >Aside from not including it. How are the qtimageformats packaged in our
>> >binaries? Are they installed automatically?
>> 
>> Currently they are automatically installed.
>
>At the very least we should not automatically install it. We can provide the 
>binaries for opt-in installation for those who want/need it, with the 
>appropriate warning that they need to follow the security bulletins.
>
>In fact, we should have an installer page showing all the bundled third-party 
>libraries and let people know that they're there for convenience only and it's 
>their responsibility to follow security bulletins for those pieces of 
>software. We will upgrade only on our own releases and we will not provide 
>security updates in-between.
>
>But we should provide security updates on EVERY release. That means we need to 
>follow the CVEs for every piece of bundled third-party software, be it source 
>or binary form, and apply patches that may be necessary.

Agree with this.

Ideally, I would like to get rid of these libraries in src/3rdparty. Instead, we should build up to date versions of these libs in Coin, and simply ship those together with our Qt libraries. With the online installers it should in the longer term even be possible to ship updates for these libraries independent of a new Qt release.

Cheers,
Lars

>
>In time, the following CVEs are outstanding for libtiff as of version 4.0.6.
>
>CVE-2014-9655 CVE-2015-1547 CVE-2015-8665 CVE-2015-8683
>CVE-2015-7554 CVE-2015-8668
>
>-- 
>Thiago Macieira - thiago.macieira (AT) intel.com
>  Software Architect - Intel Open Source Technology Center
>
>_______________________________________________
>Development mailing list
>Development at qt-project.org
>http://lists.qt-project.org/mailman/listinfo/development
