2017.03.04 10:59 "[Tiff] started seeing breakage with libtiff", by John

2017.03.06 16:26 "Re: [Tiff] started seeing breakage with libtiff", by Lee Howard

On 03/06/2017 07:59 AM, Toby Thain wrote:

On 2017-03-06 10:46 AM, Bob Friesenhahn wrote:

On 03/04/2017 10:51 AM, jcupitt@gmail.com wrote:

For reference, the problem is in tiff_4.0.6-2ubuntu0.1, the version currently being used in 16.10. Plain 4.0.6 seems to work, but one of the (very many) patches Ubuntu is applying has broken stuff.

I wish package maintainers at the various distros wouldn't glamorize patches as they seem to do. They should be involved in the upstream project development and seek to integrate as many patches as possible so that the only patches they apply are truly distribution-specific. Most customization patches can still be upstreamed and enabled with build-time flags.

Distributions like Debian (and thus Ubuntu) seem to tie their hands behind their back due to an apparent rule that it is forbidden to solve security problems by updating to the current release known to solve those problems. Instead everything is handled via patches.

That sounds like the same ultra-conservative policy that systems like Solaris had to adopt - the goal being to have updates cause as little customer breakage as possible?

I can sort of see points on both sides of this... The two modes are not easy to reconcile?

This is why the package maintainers need to be involved in the upstream project development. There they can argue for an upstream patch-level release outside of a feature release. It keeps them out of the patching mess that the OP ran into, and it also satisfies the packaging guideline policies that prohibit anything other than security fixes.

Obviously, at some point upstream will not be interested in releasing outdated patch-level updates. Hopefully that interest expires long after the distro is interested in providing security updates. But if not, then they can do their patching thing. It just seems to me that patching should be the last resort rather than the first response.