Re: Dropping 'fringe' pixbuf loaders

From: Matthias Clasen <matthias clasen gmail com>
To: Cosimo Cecchi <cosimoc gnome org>
Cc: Owen Taylor <otaylor redhat com>, gtk-devel-list <gtk-devel-list gnome org>
Subject: Re: Dropping 'fringe' pixbuf loaders
Date: Mon, 21 Sep 2015 18:38:11 -0400

On Mon, Sep 21, 2015 at 5:10 PM, Cosimo Cecchi <cosimoc gnome org> wrote:

On Mon, Sep 21, 2015 at 1:01 PM, Owen Taylor <otaylor redhat com> wrote:
Do we trust this code or not? If not, we should either a) sandbox it or b) delete it.

Moving less-trusted loaders into a separate repo is a blame-the-user or blame-the-os-vendor move, depending on who installs them onto the system.

The only way to prevent the blame game you mention in a typical distribution where everything is installed through packages would be to stop supporting out of tree modules entirely, if I interpret your concern correctly.

My point is that as long as that's the case, at least maintaining them in a central location gives people an aggregation point for fixes.

But they are not being maintained by anybody, and the fixes have not been aggregating... every few years some security researchers decide to have a look at image loaders, and then we get a bunch of overflows and corruptions reported, and either me of Benjamin grudgingly fix them. And both of us are tired of doing that.

Follow-Ups:
- Re: Dropping 'fringe' pixbuf loaders
  - From: Bastien Nocera

References:
- Dropping 'fringe' pixbuf loaders
  - From: Matthias Clasen
- Re: Dropping 'fringe' pixbuf loaders
  - From: Cosimo Cecchi
- Re: Dropping 'fringe' pixbuf loaders
  - From: Owen Taylor
- Re: Dropping 'fringe' pixbuf loaders
  - From: Cosimo Cecchi

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]