On 12/30/25 3:26 AM, Roger Leigh via Tiff wrote:

> Yet we suffer from a regular stream of CVEs due to their multiple quality issues.


How, exactly, is anybody actually suffering from any of the supposed CVEs that get pinned on the tools?  The minute somebody points out actual suffering is the minute I will make sure to address issues promptly.  I didn't write the tools, but the tools clearly weren't written with a perspective that the user would reasonably be feeding them randomized input both on the command-line as well as with the data.  Furthermore, a good portion of the supposed CVEs that have been reported against the tools were actually issues in the library and not the tools.  The tool was just the vector by which the researcher identified the issue in the library.

If by "suffer from" you mean "lament".  Okay, sure.  I get that. We'd all like this stuff to have been future-proof from the beginning.  I've no argument there.


> Do we really need to generate PostScript, over two decades after the whole world moved over to PDF?


Yes.


> And also generate PDF at the same time?


Yes.


> Does that really bring much value?


Yes.


> Why are we doing either when there are better applications out there for generating PDFs?


I'm not sure what you intend to mean by "better".  There may be other applications.  And there may be yet other applications that could be developed.  But when a specific tool becomes relied upon then the processes and applications that rely upon the tool have a dependency upon the tool.  It's not necessarily "better" to just replace the tool with something else merely because someone out there identified a supposed flaw in the tool if it were used in a way that the application never uses it.


> But for people like me (and likely yourself) whose primary use of libtiff is to link it into our applications, the tools are a complete distraction and an unproductive time sink.


It's okay that you don't like the tools.  You don't have to like them.  Nobody is asking you to like them.  But to repeatedly claim in this forum that they're of absolutely no value merely because you don't see their value is frustrating when those of us who do see value in them have made our case and actually invested time and effort to remedy CVEs, etc.

I don't want to wade into the debate about C vs C++ (or Rust or whatever our favorite programming language is).  But please leave your opinions about the tools out of this debate.

Lee.
_______________________________________________
Tiff mailing list
[email protected]
https://lists.osgeo.org/mailman/listinfo/tiff
