2023.04.03 20:50 "[Tiff] Remove TIFFCROP from LibTiff", by Sulau

2023.04.07 13:28 "Re: [Tiff] Remove TIFFCROP from LibTiff", by Bob Friesenhahn

The source code will remain, but you'll have to build it by yourself. Yes, that's undoubtedly inconvenient, but having unmaintained utilities that bring a endless flock of vulnerabilities that are often misinterpreted as vulnerabilities of the library isn't better for the project. If someone is serious about those utilities, they have to step up and fix them.

Most people are not going to have the knowledge or capability to compile these programs outside of libtiff since building them still depends on libtiff build (e.g. Autoconf/Cmake + porting + common-security code) internals.

Much more work would need to be done by someone to build the abandoned utilities using an already installed libtiff. This is why a spin-off project makes sense (e.g. staffed by new volunteers). The new project should be prepared to handle the flood of continuing security complaints.


Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt