
Re: How to handle freeimage package



Hi all,

Sorry for late reply. It took me too long today to answer the CVE
triaging discussion. Now to this issue.

Regarding the Fedora patches: they seem to help for the specific
issues they solve.

My intention for claiming the package was to go through the CVEs and
mark them with postponed or similar.
When I'm done with that maybe I will start to fix things, but I
claimed it just to avoid double work when going through the issues.

I'll start with that now and I hope I can release the package when I'm
done with that. I'll re-claim it when/if I think they are worth
fixing.

What is clear after checking all reverse dependencies is that all
software packages using the freeimage library are of the "tool" type. You
run them with human interaction, and the user running the tool should know
the input. This reduces the severity of the problems.

Cheers

// Ola

On Wed, 10 Apr 2024 at 19:23, Roberto C. Sánchez <roberto@debian.org> wrote:
>
> On Wed, Apr 10, 2024 at 08:08:07PM +0300, Adrian Bunk wrote:
> >
> > My point was that an opposite approach of doing only
> > "file upstream bugs and wait for upstream to fix the CVEs"
> > is unlikely to have a positive outcome in this case.
> >
> > Forwarding fixes upstream is of course desirable,
> > even when upstream is dead.
> >
> Ah, thanks for the clarification.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------