
Re: How to handle freeimage package
On Wed, Apr 10, 2024 at 10:08:51PM +0200, Ola Lundqvist wrote:
> Hi all

Hi Ola,

> Sorry for the late reply. It took me too long today to answer the CVE
> triaging discussion. Now to this issue.
> 
> Regarding the Fedora patches. The patches seem to help for those
> specific issues they solve.
> 
> My intention for claiming the package was to go through the CVEs and
> mark them with postponed or similar.
> When I'm done with that maybe I will start to fix things, but I
> claimed it just to avoid double work when going through the issues.
> 
> I'll start with that now and I hope I can release the package when I'm
> done with that. I'll re-claim it when/if I think they are worth
> fixing.
> 
> What is clear after checking all reverse dependencies is that all
> software packages using freeimage library are of the "tool" type. You
> run it with human interaction and the user using the tool should know
> the input. This reduces the severity of the problems.

Your claims cannot be trusted.

It might even be technically true that an Image Viewer for a
Desktop Environment is a "tool" that "runs with human interaction",
but "the user using the tool should know the input" is an absurd claim.

Please correct me if I am wrong, but as far as I can see the last time
you published a DLA or ELA was 4 years ago.

Your non-involvement in actual work likely explains why you have so many
questions, and why you make suggestions without practical relevance.

Your non-involvement in actual work likely explains some of your many
mistakes when touching CVE metadata and dla-needed.

Your game of claiming packages in dla-needed and then doing whatever it
takes to "handle" them while doing zero actual work might cause serious
harm.

> Cheers
> 
> // Ola

cu
Adrian