- 2024.04.09 15:49 "[Tiff] www.libtiff.org is restored", by Michael Vetter
2024.04.09 16:39 "Re: [Tiff] www.libtiff.org is restored", by Lee Howard
Now "http://www.libtiff.org/" leads to the latest libtiff HTML pages, and the same server/directory which already provides "http://www.simplesystems.org/libtiff/".
With some differences though.
The biggest probably being that http://www.libtiff.org advertises a version 4.6.0t with all the tools restored. If I see it right it doesn't fix all the CVEs in those tools though.
Which CVEs have not been addressed? I was only instructed to address a specific list of bug reports. If the CVEs were not in those bug reports, then there may be others yet to address.
I believe this can be quite confusing to potential users of tiff. Wouldn't it have been better to first fix the CVEs and then create a new release? Or at least add a note/warning?
Yes, it was certainly confusing to have the tools suddenly removed from the 4.6.0 release.
The 4.6.0t changelog (http://libtiff.org/releases/v4.6.0t.html) doesn't give much insight either with entries like:
> Fix some issues in library found through fuzzing.
> Prevent some out-of-memory attacks.
The git logs are available from the git repositories. It's a lot to summarize in the ChangeLog in a productive way.
Maybe this helps the people who would like to bring the tools back and want to take the route of creating a separate tools package.
The tools shouldn't need to be brought back in the first place. But if you want to develop a separate tools package, then I don't object to it.
Thanks,
Lee.