gallery2 outstanding security bugs -- Abandoned by Berninger?

Jon Ciesla limb at jcomserv.net
Thu Dec 18 19:21:16 UTC 2008


> On Thu, Dec 18, 2008 at 10:23 AM, Jon Ciesla <limb at jcomserv.net> wrote:
>>
>>> Jon Ciesla wrote:
>>>>> "Jon Ciesla" <limb at jcomserv.net> writes:
>>>>>>> (Yes, I know libjpeg upstream is kinda moribund, but if you want new
>>>>>>> features in it you should be trying to revive upstream development,
>>>>>>> not strongarm the Fedora package maintainer to take over development.)
>>>>>> I agree strongly with that principle.  Two questions:
>>>>>> A. What has been done thus far WRT reviving upstream development?
>>>>> Well, at one point I had more or less formally blessed Guido Vollbeding
>>>>> as the new lead maintainer, but if he's actually put out a release I
>>>>> haven't heard about it :-(.  You could try bugging the people associated
>>>>> with the sourceforge libjpeg project.
>>>>
>>>> CCing them.  libjpeg SourceForge team, what is the current status of
>>>> libjpeg development?
>>>
>>> Jon,
>>>
>>> I have heard nothing in some time from Guido, and I'm not aware of him
>>> producing any sort of libjpeg release.
>>>
>>> I find the situation somewhat frustrating.
>>
>> Agreed.  So what's next?  Is there a plan for further action, a new
>> primary maintainer, etc?
>
> There was a fork on freedesktop.org for a while that was eventually
> removed because the new maintainers were unresponsive.
>
> http://www.clearchain.com/blog/posts/project-libjpeg-shutdown
>
> If you could convince them that you would actually maintain it, they
> might be receptive to reviving it.

What about simply keeping it on Sourceforge?  Doesn't one of you have admin
access to the project there?  I have a SF account currently.

As far as bringing libjpeg current, I'm not sure the task would be as
herculean as it sounds, activities at fd.o notwithstanding, not sure what
that's about.

State of things as I see them:

1 libjpeg bug in RH/Fedora land.

1 libjpeg bug in Debian. CCing debian libjpeg62 maintainer.

None in Gentoo.  Not sure where OpenSUSE bugs live.  Not sure what other
distros to loop into this.

What it looks like needs to be done is an examination of the patches used
in the above distros, and a discussion over these among the distro
maintainers and $_libjpeg_upstream_designee, leading to integration of
those most commonly used in the distros.

Does this sound sane?

> --
> Dan
>


-- 
in your fear, speak only peace
in your fear, seek only love

-d. bowie



