2024.04.19 08:34 "[Tiff] Call for discussion: RFC 2: Restoring needed libtiff tools", by Sulau

2024.04.19 14:50 "Re: [Tiff] Call for discussion: RFC 2: Restoring needed libtiff tools", by Lee Howard

> The very old and unmaintained tools in libtiff caused many vulnerabilities and CVEs that were attributed to the libtiff library itself.

I don't believe that software being old causes vulnerabilities and CVEs. Furthermore, whether something is "old" or not is really just a matter of perspective, anyway. The tools aren't older than libtiff, are they?

As for calling the tools "unmaintained", I think that is simply unfair. There were always those of us that were willing to maintain them. The libtiff package was not ever without one or more maintainers. One could, therefore, reasonably conclude that the tools *were* technically maintained up until the 4.5.1 release and only became unmaintained somewhere around the 4.5.1 release, when the maintainer(s) first made public statements that they would not be maintaining the tools.

As for the critical bugs not getting fixed in a timely manner... well, from the perspective that the libtiff package was not without a maintainer the bugs not getting fixed in a timely manner is due to the maintainer(s) not seeing them fixed in a timely manner - whether by doing it themselves or finding others who would. And as is clear, there are those of us who would have. In fact, there already were patches being circulated for tools issues before the 4.6.0 release. The maintainer(s) declined to merge them because they had already decided to remove the tools.

[Prior to the 4.6.0 release I was never contacted by the maintainer(s) about retiring the tools. Take a moment and grep through the package files for my name. I shouldn't have been difficult to identify or contact. I was not unknown to the maintainer(s). I had been subscribed to the mailing list but apparently had become automatically unsubscribed at some point and didn't notice because the traffic on this list is very low and because looking at the archives does not show one if they are missing recent mails because the archives are not updated immediately.]

This whole episode has made it clear that the libtiff package maintainer(s) are not interested in maintaining the tools, themselves. Fine. But the narrative that nobody cared about the tools enough to maintain them is incorrect.

> Trying to fix the security holes in the tools turned out to be a Sisyphean task (can never be done).

This is simply untrue. If there are security problems that remain in 4.6.0t then point them out, and I will see to it that they are fixed.

How on earth can you reasonably expect to know through a poll on the mailing list or on Gitlab which tools are "required"?

All of the tools that you propose to not restore are useful. Why sideline them when you now see that they are not unmaintained and do not have any outstanding security issues?

Thanks,

Lee.