Bug 734284 - media-libs/jasper - a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard
Summary: media-libs/jasper - a free software-based reference implementation of the cod...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal normal
Assignee: Default Assignee for New Packages
URL: https://www.ece.uvic.ca/~frodo/jasper/
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2020-07-28 11:04 UTC by Michael Vetter
Modified: 2020-07-30 12:03 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Michael Vetter 2020-07-28 11:04:25 UTC
https://bugs.gentoo.org/689784 removed jasper from the tree as I proposed in https://github.com/jasper-software/jasper/issues/208#issue-463674791.

Now we were able to release 2.0.19 which fixes all known CVEs.

So I would suggest adding it back into the tree.
See https://github.com/jasper-software/jasper/issues/208#issuecomment-664945128 for details.

Reproducible: Always
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-07-28 15:07:59 UTC
(In reply to Michael Vetter from comment #0)
> https://bugs.gentoo.org/689784 removed jasper from the tree as I proposed in
> https://github.com/jasper-software/jasper/issues/208#issue-463674791.
> 
> Now we were able to release 2.0.19 which fixes all known CVEs.
> 
> So I would suggest adding it back into the tree.
> See
> https://github.com/jasper-software/jasper/issues/208#issuecomment-664945128
> for details.
> 
> Reproducible: Always

I didn't read the whole thread on GitHub, but how sustainable is this sudden surge of contributions to fix sec issues?

Would really hate to rinse and repeat this...
Comment 2 Michael Vetter 2020-07-28 19:02:37 UTC
> I didn't read the whole thread on GitHub, but how sustainable is this sudden surge of contributions to fix sec issues?

It's a long thread indeed.
The contributions are not sudden, however. It was months of work until we got there.
A lot of fights too.

In between we forked the project and worked on it. And when we were ready to create a new release, new discussions began.

In the end we could agree on things, and 3 people have commit rights and maintain jasper together now. Before, there was only one person.

So I would say chances are much better.

Also, JasPer was not removed because it had one unfixed CVE but quite a few, for quite a long time. Now we fixed all of them (to my knowledge) and will try to improve some other things too.

I can't foretell the future but I hope it doesn't get so bad that we have to remove it again ;)