On segunda-feira, 2 de maio de 2016 18:07:29 PDT Lars Knoll wrote:
> >> So while I don't like us having copies of these libraries in our
> >> repositories, not shipping any support for these image formats in our
> >> packages is not a good option either.
> >
> >I kinda disagree. I would prefer an opt-in for those people.
> 
> That's of course an option, but if the opt-in means 'download libtiff
> yourself, figure out how to compile it, then recompile qtimageformats', we
> have a very user-unfriendly way of solving the problem.

> >Aside from not including it. How are the qtimageformats packaged in our
> >binaries? Are they installed automatically?
> 
> Currently they are automatically installed.

At the very least we should not automatically install it. We can provide the 
binaries for opt-in installation for those who want/need it, with the 
appropriate warning that they need to follow the security bulletins.

In fact, we should have an installer page showing all the bundled third-party 
libraries and let people know that they're there for convenience only and it's 
their responsibility to follow security bulletins for those pieces of 
software. We will upgrade only on our own releases and we will not provide 
security updates in-between.

But we should provide security updates on EVERY release. That means we need to 
follow the CVEs for every piece of bundled third-party software, be it source 
or binary form, and apply patches that may be necessary.

In time, the following CVEs are outstanding for libtiff as of version 4.0.6.

CVE-2014-9655 CVE-2015-1547 CVE-2015-8665 CVE-2015-8683
CVE-2015-7554 CVE-2015-8668

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center

_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development
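As an added example (not code from the Qt project or from anyone in this thread) of the per-release check the message above calls for: read the version out of a vendored libtiff's tiffvers.h and list the advisories whose fix postdates that version, allowing for backported patches that do not bump the version string. The header text is a constructed sample in the shape of libtiff's real header, and the "fixed in" versions in the table are assumed placeholders for illustration, not verified libtiff data; only the CVE identifiers come from the message.

```python
"""Audit a vendored libtiff copy against a list of known advisories.

Added example, not Qt project code.  The advisory table is CONSTRUCTED for
illustration: the CVE identifiers are the ones listed in the message, but
the "fixed in" versions are placeholders, not verified libtiff data.
"""
import re

# Constructed sample of a vendored tiffvers.h (the shape follows libtiff's
# real header; this is inline test data, not a file read from disk).
SAMPLE_TIFFVERS_H = '''
#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.6\\nCopyright (c) 1988-1996 Sam Leffler"
#define TIFFLIB_VERSION 20150912
'''

# Constructed advisory table: CVE -> first release assumed to carry the fix.
# Hypothetical values; a real audit would take these from the vendor or NVD.
ADVISORIES = {
    "CVE-2014-9655": (4, 0, 7),
    "CVE-2015-1547": (4, 0, 7),
    "CVE-2015-7554": (4, 0, 7),
    "CVE-2015-8665": (4, 0, 7),
    "CVE-2015-8668": (4, 0, 7),
    "CVE-2015-8683": (4, 0, 7),
}


def parse_version(header_text: str) -> tuple:
    """Extract the dotted release from TIFFLIB_VERSION_STR as an int tuple.

    Tuples, not strings, are compared later: "4.0.10" sorts before "4.0.9"
    as a string but after it as a version.
    """
    m = re.search(r'TIFFLIB_VERSION_STR\s+"LIBTIFF, Version (\d+(?:\.\d+)*)',
                  header_text)
    if not m:
        raise ValueError("TIFFLIB_VERSION_STR not found in header")
    return tuple(int(part) for part in m.group(1).split("."))


def outstanding(version: tuple, applied=frozenset(), advisories=ADVISORIES) -> list:
    """Return CVEs whose fix landed in a release newer than the bundled one.

    `applied` names CVEs already covered by a backported patch in the vendored
    tree; a backport does not change the version string, so a version-only
    check would keep reporting them.
    """
    return sorted(cve for cve, fixed_in in advisories.items()
                  if version < fixed_in and cve not in applied)


def version_str(version: tuple) -> str:
    return ".".join(str(part) for part in version)


if __name__ == "__main__":
    bundled = parse_version(SAMPLE_TIFFVERS_H)
    todo = outstanding(bundled)
    print(f"bundled libtiff {version_str(bundled)}: {len(todo)} outstanding")
    for cve in todo:
        print("  ", cve)
```

Run it over the real tiffvers.h of the bundled copy (and a list of the CVEs already backported) at each release branch point; anything it reports is a patch to carry or a version to bump before shipping.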