2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault

2008.09.03 17:07 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn

Now that those are applied I would like to call for a 3.9 release. If you insist on going the long route through beta-->release candidate-->release then this is fine, but I would be more happy to skip the "beta" phase at this point as many of us have been happily running 3.9beta for a long time (on production servers).

We should make sure that 3.9 is ABI/link compatible with previous releases if possible. Otherwise Debian and other distributions will refuse to distribute it as updates to their stable releases.

(However, open bugs are quite valuable.) In these security-fix cases I don't think that there's significant merit to that effort (the security announcements are documented elsewhere by others) other than reiteration of the security announcements. You'll notice that Andrey didn't file Bugzilla tickets before committal, and I would argue that it was appropriate.

More often than not, formal security announcements are quite vague and there is no patch or useful issue description to be found. For the software I maintain, I seem to usually be the last to hear about such security announcements. Only one of the security outfits thinks to communicate with me.

Bugzilla is primarily a means for users to communicate issues to libtiff maintainers, or for the libtiff maintainers to remember issues which remain to be addressed when there is time. Otherwise CVS is the record of the changes which occurred.

Bob
======================================
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/