2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault

2008.09.03 16:38 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard

> Would you like to review and apply the CVE-2008-2327 patches in 3.9 branch and cvs head (aka 4.0.0) as a first task?

It looks like Andrey has beaten me to this, which is good; I wasn't going to be able to get to it until this weekend.

Now that those are applied I would like to call for a 3.9 release. If you insist on going the long route through beta-->release candidate-->release then this is fine, but I would be more happy to skip the "beta" phase at this point as many of us have been happily running 3.9beta for a long time (on production servers).

(And if we could keep the release candidate phase limited to a month unless a problem crops up, that would be nice, too.)

> I'm not convinced this has been filed in Bugzilla yet, so you may have to do that yourself.

I'm happy to put things into Bugzilla that warrant discussion prior to committal or that will serve as a nice reference in the future to those who need to examine the details of the changes in such a manner. However, please understand that's a lot of work, and it's work that for the most part will go unused and is thus wasted. Once a bug is closed it is very rarely revisited. (However, open bugs are quite valuable.) In these security-fix cases I don't think that there's significant merit to that effort (the security announcements are documented elsewhere by others) other than reiteration of the security announcements. You'll notice that Andrey didn't file Bugzilla tickets before committal, and I would argue that it was appropriate.

Do you feel differently?

Thanks,

Lee.