TIFF and LibTiff Mailing List Archive
2008.09.03 17:16 "Re: Some security fixes from RHEL", by Frank Warmerdam

Lee Howard wrote:
> Frank Warmerdam wrote:
>> Would you like to review and apply the CVE-2008-2327 patches in 3.9
>> branch and cvs head (aka 4.0.0) as a first task?
>
> It looks like Andrey has beat me to this, which is good, I wasn't going
> to be able to get to it until this weekend.
>
> Now that those are applied I would like to call for a 3.9 release. If
> you insist on going the long route through beta-->release
> candidate-->release then this is fine, but I would be more happy to skip
> the "beta" phase at this point as many of us have been happily running
> 3.9beta for a long time (on production servers).
>
> (And if we could keep the release candidate phase limited to a month
> unless a problem crops up, that would be nice, too.)

Lee,

I'd be fine with producing a 3.9.0 release candidate now, and turning it
official in a week if no noteworthy problems are encountered.

>> I'm not convinced this has been filed in Bugzilla yet, so you may have
>> to do that yourself.
>
> I'm happy to put things into Bugzilla that warrant discussion prior to
> committal or that will serve as a nice reference in the future to those
> who need to examine the details of the changes in such a manner.
> However, please understand that's a lot of work, and it's work that for
> the most part will go unused and is thus wasted. Once a bug is closed
> it is very rarely revisited. (However, open bugs are quite valuable.)
> In these security-fix cases I don't think that there's significant merit
> to that effort (the security announcements are documented elsewhere by
> others) other than reiteration of the security announcements. You'll
> notice that Andrey didn't file Bugzilla tickets before committal, and I
> would argue that it was appropriate.
>
> Do you feel differently?

Where to draw the line isn't entirely clear, but in other projects it has
been my practice to file tickets for any actual code change in a stable
branch. I have found it a good practice to provide more detailed
documentation and a place to reference from ChangeLog and NEWS files.

But, I'm not going to get all uptight about it either.

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent