gallery2 outstanding security bugs -- Abondoned by Berninger?

Tom Lane tgl at redhat.com
Thu Dec 11 23:31:47 UTC 2008


"Jon Ciesla" <limb at jcomserv.net> writes:
>> (Yes, I know libjpeg upstream is kinda moribund, but if you want new
>> features in it you should be trying to revive upstream development,
>> not strongarm the Fedora package maintainer to take over development.)

> I agree strongly with that principle.  Two questions:

> A. What has been done thus far WTR reviving upstream development?

Well, at one point I had more or less formally blessed Guido Vollbeding
as the new lead maintainer, but if he's actually put out a release I
haven't heard about it :-(.  You could try bugging the people associated
with the sourceforge libjpeg project.

> B. In the meantime, how should I support jpegtran?  Bundle a custom binary
> in the subpackage and patch the module, or let it sit with known partial
> functionality?

The right fix would be to pester upstream to not depend on nonstandard
functionality, but with no active upstream on that side either, I'm not
sure what you do about it :-(.  How critical is that particular
functionality to gallery2, anyway?  If you could just dike it out that
would seem to be an appropriate short-term fix.

> On a tangential note IIRC this patch is in Debian's libjpeg, not that that
> should be any sort of guideline for us, I'm just putting it out there.

Yeah, Debian seems to have no qualms about carrying big patches without
any upstream connection ...

			regards, tom lane

More information about the fedora-devel-list mailing list