2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault

2008.09.04 07:47 "Re: [Tiff] Some security fixes from RHEL", by Ron

On Wed, Sep 03, 2008 at 06:31:33PM -0500, Bob Friesenhahn wrote:

My impression was 3.9 was supposed to be a stopgap with important fixes while 4.0 had some more time to shake out any remaining issues with BigTIFF.

I am not currently aware of any remaining issues related to BigTIFF in 4.0. If there are any known, please report them to the libtiff bug tracker.

I'm not aware of any either, I just recalled that the last time I saw the question of when to release 4.0 come up, the general consensus seemed to be to encourage some further testing before making a decision.

I assume that Debian is doing its part and testing the libtiff 4.0.0 pre-releases with various key applications to make sure that there are no libtiff interface issues before it is too late to elegantly fix them.

I don't believe we have 4.0 packages available anywhere yet (or at least I don't know where they are if we do, they aren't in the usual places).

We're in a bit of a sticky spot this week anyhow: the Lenny release freeze is nearly over, which has two implications for this discussion. One is, this means 3.9 has probably missed the boat for that except as a backport now anyhow. We're really only letting release critical fixes propagate to stable at this stage, and people are frowning on extensive changes that are unrelated to fixing such issues.

The better news is, the freeze is nearly over. So once Lenny is out (which could be this month), we actually are really well positioned to get some serious torture testing happening for you again. There is an experimental archive, where this could have been put before now, but the reality is its number of users compared with the more stable releases is probably in a similar proportion to what you might expect for libtiff 3.8 compared to 4.0... so it's not the greatest proving ground. Mostly it's a place for people to stage things for a few core testers and developers.

So I guess the question of 'what is the purpose of 3.9' has changed quite a bit now since my last impression formed... If 4.0 includes everything that it does, and is a complete (but not necessarily a 'drop in') replacement for 3.8, then perhaps Debian should just skip 3.9 and introduce 4.0 to Sid right after Lenny leaves home.

The timing for that is probably pretty close to ideal. 4.0 would get a whole cycle of testing from lots of users who all accept the 'no warranty' clause quite explicitly, and the app maintainers would have plenty of time to transition. We'd have a large window where if any trouble were found that meant ABI/API modifications were required for some use, there'd be more freedom to make them (we'd just need an soname bump if that really happens).

At some point the folks here can decide the adoption is high enough and bug reports few enough to freeze the 4.0 interface for good, and that has a good chance of happening well before the next stable freeze for Debian starts to change the rules about what to accept once again.

That's not to say there might not still be people who'd like to see a 3.9 release. But as to what to push into Debian next, maybe 4.0 is the serious contender we should look at and 3.9 can be unconstrained by us.

What do people think?

Ron