TIFF and LibTiff Mailing List Archive
LibTiff Mailing List
2008.09.01 15:52 "Re: Some security fixes from RHEL", by Lee Howard
Frank Warmerdam wrote:

> Lee Howard wrote:
>> While the above statements are undoubtedly accurate, the sentiments
>> that they express are unhealthy for the large community that uses
>> libtiff. So, while the statements may be true, they really should
>> not so be.
>>
>> Maintainers and developers of any software should be committed to the
>> software development and to the health of the community that uses
>> that software. Some degree of responsibility is expected. When
>> flaws in the software are discovered, be they rather benign or
>> security-related, the community looks to developers and maintainers
>> to take action. Failure to take action leads the community into an
>> atmosphere of uncertainty and mistrust... all of which further
>> inhibits the software development cycle.
>>
>> Understand that while the software development process may be slow,
>> stagnant, or distracted, distribution maintainers and application
>> maintainers are under pressure from their own customers to be
>> responsive and to indemnify any inaction by the upstream. Thus you
>> will find RedHat, Fedora, SuSE, Debian, Gentoo, etc. maintainers who
>> will have to patch and patch and continue to patch to satisfy those
>> expectations.
>>
>> It seems to me that the least that could be done in such situations
>> would be to accept the patches developed downstream and to
>> acknowledge and be at least verbally responsive to credible reports
>> of such issues.
>
> Lee,
>
> It would be helpful to have additional libtiff maintainers interested in
> taking on such problems. I will say that I expect to apply the provided
> patch, though it would be better if this could be handled without
> depending on me.

I am willing to volunteer to:

* Commit applicable downstream patches (i.e. security patches in RedHat's build).
* Commit applicable patches that appear on this mailing list, on bugzilla, or come to me in a more private manner.
* Monitor bug reports (esp. bugzilla) in an effort to encourage the reporter to provide enough information such that the problematic code can be pinpointed or such that a patch is provided.
* Perform test builds and run the test suite (I assume that libtiff has one now?) after every commit to make sure that the commit did not break anything - and if it did then to either fix the problem myself, return to the patch developer for a fix, or to back out the patch.

What I cannot do is:

* Maintain same-day responsiveness all of the time.
* Perform a security audit.
* Spend vast amounts of time developing features, redesigning code, or fixing bugs that would either require too much time to fix or that are beyond my ability to fix.

What I would require in return is:

* Regular and frequent releases. (And what I mean by that is approximately once per month whenever there has been any non-trivial amount of code changes committed.) If this cannot be done due to other maintainer time constraints, then I am willing to assist in the releases to whatever degree is necessary.

Thanks,

Lee.