On Wed, Apr 10, 2024 at 10:08:51PM +0200, Ola Lundqvist wrote:
> Hi all

Hi Ola,

> Sorry for the late reply. It took me too long today to answer the CVE
> triaging discussion. Now to this issue.
>
> Regarding the Fedora patches. The patches seem to help for those
> specific issues they solve.
>
> My intention for claiming the package was to go through the CVEs and
> mark them with postponed or similar.
> When I'm done with that maybe I will start to fix things, but I
> claimed it just to avoid double work when going through the issues.
>
> I'll start with that now and I hope I can release the package when I'm
> done with that. I'll re-claim it when/if I think they are worth
> fixing.
>
> What is clear after checking all reverse dependencies is that all
> software packages using the freeimage library are of the "tool" type. You
> run it with human interaction and the user using the tool should know
> the input. This reduces the severity of the problems.

your claims cannot be trusted.

It might even be technically true that an Image Viewer for a Desktop Environment is a "tool" that "runs with human interaction", but "the user using the tool should know the input" is an absurd claim.

Please correct me if I am wrong, but as far as I can see the last time you published a DLA or ELA was 4 years ago.

Your non-involvement in actual work likely explains why you have so many questions, and why you make suggestions without practical relevance.

Your non-involvement in actual work likely explains some of your many mistakes when touching CVE metadata and dla-needed.

Your game of claiming packages in dla-needed and then doing whatever it takes to "handle" them while doing zero actual work might cause serious harm.

> Cheers
>
> // Ola

cu
Adrian