On 02/05/16 17:52, "Development on behalf of Thiago Macieira" <development-bounces+lars.knoll=qt...@qt-project.org on behalf of thiago.macie...@intel.com> wrote:
>On Monday, 2 May 2016 10:46:53 PDT Lars Knoll wrote:
>> Well, on Linux these libraries are nicely available on the system. But it
>> does not help us on Windows, where we do have to ship these libraries if we
>> want to provide something that's easy to use for our users/customers.
>
>Let me question that: do we want to provide something easy which is a
>potential security hole? Even if we upgrade libtiff to the latest that fixes
>all issues, there will be more. How are we dealing with CVEs from our bundled
>third party, especially those that end up in our binaries? How are our users
>and your customers?

I agree that we need to figure out how to handle this. I'm just pointing out that simply removing lots of functionality might not be the right answer either.

>
>> So while I don't like us having copies of these libraries in our
>> repositories, not shipping any support for these image formats in our
>> packages is not a good option either.
>
>I kinda disagree. I would prefer an opt-in for those people.

That's of course an option, but if the opt-in means 'download libtiff yourself, figure out how to compile it, then recompile qtimageformats', we have a very user-unfriendly way of solving the problem.

>
>> No, there's currently no option to limit the image formats that are being
>> loaded apart from not shipping the plugin.
>
>Aside from not including it. How are the qtimageformats packaged in our
>binaries? Are they installed automatically?

Currently they are automatically installed.

Cheers,
Lars