2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault

2008.09.02 08:13 "Re: [Tiff] Some security fixes from RHEL", by Tom Lane

Testing with randomly broken files would likely take months of an unpaid volunteer's time to produce the suitably broken files, diagnose the problems, and produce fixes to avoid misbehavior. Maybe it would take a year. A year without any income at all.

Actually, I don't think that the libtiff community needs to do that. There are lots of people pushing hard on the code already; for example the Apple security guy who found the LZW problem that started this whole thread. I can assure you that those folk are running random-input tests already.

What it falls to this community to do is to fix the code when problems are reported. That is within your special area of expertise; whereas finding vulnerabilities isn't particularly. *You* know this code, better than anyone else.

I'm encouraged by Lee's willingness to step up to the plate on getting security-related patches committed. But we also need some commitment on creating those patches in the first place.

regards, tom lane