2011.12.12 20:22 "[Tiff] considering packaging 4.0 beta in debian "unstable"", by Jay Berkenbilt

I have become aware of the fact that some GIS applications are dependent on the bigtiff features in libtiff 4, and so some debian packages are actually including their own copies of libtiff 4.0.0 beta in with their source packages since the debian version of the tiff library is still the latest 3.9.x release. I have had 4.0.0 beta in debian's "experimental" release for ages. Now I'm considering packaging it in debian's unstable release as well. It would not be the default libtiff; that would still be 3.9.x. People would have to explicitly depend on it to get 4.0, but it would make it available, and it would also mean that it will eventually propagate to a stable debian release and also to Ubuntu where it will potentially have a wider audience. Basically I would do this because the 4.0.0 beta releases seem stable enough for other open source authors to include them in their packages, and from a security perspective, it's much better to actually release a package of a beta version in unstable where it will get security fixes than it is to have rogue copies of the source floating around invisibly inside other packages. Put differently, although there has not been an official 4.0.0 release, some people in the community have already decided that they're going to start using it.

Before I took this action, I wanted to run it by the maintainers of the tiff library. I do realize, of course, that there is very limited time and resources on the tiff library right now, so this should definitely not be construed as a complaint. It's just a recognition of the reality that tiff 4.0.0 is being "allowed to escape" even if it hasn't been "released", and this is my attempt at decreasing the degree to which this might pose a problem. The good news is that I have extremely limited time as well, so it may take me a while to actually package 4.0.0 beta 7 for debian! But it's realistic that I could find the time in the next couple of months.

Another option to packaging 4.0.0 beta 7 is to roll an informal release out of the current CVS. As security fixes have been announced on the 3.9.x branch, I have continued to locate them in CVS and to backport them into 4.0.0 beta 7, so as far as I know, debian's 4.0.0 beta 7 contains all previously publicized security fixes. I can't absolutely guarantee that, but it has been my intention for that to be true.

Thoughts? I do wish to consider the views of the tiff maintainers before doing anything that will cause a big problem.

Jay Berkenbilt <ejb@ql.org>