2018.04.09 07:29 "[Tiff] fuzzing libtiff with google's oss-fuzz", by Paul Kehrer

2018.04.09 19:27 "Re: [Tiff] fuzzing libtiff with google's oss-fuzz", by Roger Leigh

On 09/04/2018 14:09, Even Rouault wrote:

On Monday 9 April 2018 08:44:02 CEST Bob Friesenhahn wrote:

If sufficient libtiff maintainer time/energy is not immediately available then enrolling in oss-fuzz will result in a great many issues being reported in libtiff and exposed to public view (along with files to cause the problem) which are not yet fixed. This would be harmful to users. There has to be enough volunteer maintainer time/energy to get issues resolved and into a libtiff release in 90 days' time. Actually, after a problem is fixed in the Git repository, the issue is made public in just 30 days so there needs to be many releases in order to ensure that there is a release before the issues are made public.

Bob,

I somehow understand your position on it, but you are probably assigning yourself more responsibility than you should. On our volunteer time, we have no moral or whatsoever obligations regarding anyone to fix any issues. For that reason, I'm less and less willing to treat with privately reported issues.

I can certainly review and test some of them, though obviously there are limits to the amount of time I have to spend on it per week.

Regards,
Roger