Re: About the security issues affecting dcraw/ufraw/libraw/rawtherapee/rawstudio/exactimage/freeimage in Squeeze

[David Bremner <david@tethera.net>]

Holger Levsen <holger@layer-acht.org> writes:

> (mostly using darkstar as an example. I don't event know that package - but I 
> noticed that I decided not to care much about my squeeze-backports anymore (eg 
> not to backport piuparts) while realizing I'd still do security fixes.)

darktable is probably a good example of a package where even security
support doesn't make much sense.

- The code is changing very quickly to support new camera hardware;
  upstream already considers the version in Jessie obsolete.

- It's consumer/desktop code. I guess there's no server infrastructure
  depending on photo editing software. I'm just not that sympathetic to
  the individual user who hasn't upgraded from squeeze.

- The software is quite demanding; essentially it is barely functional
  on 32 bit machines because of memory demands. So I doubt very much
  there are many people running it on old computers.

- The development version (for stretch) will actually be more secure,
  since it eliminates libraw, a constant source of CVEs.

My expectation when uploading a backport is to support it until the next
stable release. Sorry LTS people, but in this case your itch is not my
itch. If that's wrong, please let me know, and I'll think very carefully
about what I backport in the future.