Re: Dropping 'fringe' pixbuf loaders




On Mon, Sep 21, 2015 at 5:10 PM, Cosimo Cecchi <cosimoc gnome org> wrote:

On Mon, Sep 21, 2015 at 1:01 PM, Owen Taylor <otaylor redhat com> wrote:
Do we trust this code or not? If not, we should either a) sandbox it or b) delete it.

Moving less-trusted loaders into a separate repo is a blame-the-user or blame-the-os-vendor move, depending on who installs them onto the system.

The only way to prevent the blame game you mention in a typical distribution where everything is installed through packages would be to stop supporting out of tree modules entirely, if I interpret your concern correctly.

My point is that as long as that's the case, at least maintaining them in a central location gives people an aggregation point for fixes.

But they are not being maintained by anybody, and the fixes have not been aggregating... every few years some security researchers decide to have a look at image loaders, and then we get a bunch of overflows and corruptions reported, and either me or Benjamin grudgingly fix them. And both of us are tired of doing that.

