2021.11.04 22:57 "Re: [Tiff] About issues filed by Varangian bot", by Bob Friesenhahn
I'm not sure if we want to welcome other batches of such reports (since apparently they plan to submit others), as our funded or volunteer time is limited.
We were given fair warning that the fire-hose was going to be turned on but said nothing. Luckily it was just for a short burst of sample issues.
Since static analysis (e.g. Coverity) and fuzz testing became effective and free, a very large portion of my "free" time not spent working on an unrelated paying day job has been spent fixing issues identified by others. In fact, even when valgrind was introduced many years ago, that resulted in quite a lot of unpaid "free" time being spent fixing the many issues found. It is a "thankless" task since users of free software cannot fathom the work which is being performed for them.
Libtiff is small, but it is complex. The software has a very long history so it was not developed in conjunction with automated testing and analysis tools.
The analysis and fixes are quite valuable but it is too much to ask for volunteers (or somewhat paid developers) to dedicate every waking hour to a project in order to fix (possible) bugs found by automated analysis.
What is needed is a "closed loop" system where the producers of defect information also submit the recommended solutions. If a "closed loop" is not possible, then we need another well-funded organization to take up the task of checking that issues are real, and coming up with solutions.
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt