Is a new release happening soon? #2406
I'd like to add to this a bit of feedback on having actionable vulnerability reports. Regarding the 6 recently released CVEs: https://nvd.nist.gov/vuln/detail/CVE-2022-3717 For each of these the suggested course of action is patching, but not a single one of the indicated patches applies to the most recent stable release without significant alteration. Any such alteration would also be a rather blind process, because the proofs of concept I could find for these issues don't seem to trigger on v0.27.5, so it would be hard to verify that it's been fixed. It's possible these aren't triggering on v0.27.5 because of a recent, slightly mysterious refactor of the BMFF support that was done in August: 3456f30, which wasn't accompanied by any announcement. CVE-2022-3717 is of special note because I don't think it affected any versions outside that PR, so I'm not quite sure what the purpose of that was. So it's difficult for a distributor/user to know what to do now. If the answer is "run an unstable version" (which right now looks like it might be the only sensible option for shipping a safe exiv2), then you may as well make an immediate release, because I guess at this point any QA criteria go out the window.
After Robin retired from Exiv2, @nehaljwani kindly offered to take over release engineering. The transition is still relatively new and will take time to work smoothly. As far as I know, @nehaljwani doesn't follow the day-to-day posts but can be contacted by mentioning him.
I will help @nehaljwani and anybody to make a release. I'm pleased to be retired and will not return to the project. I am happy to see Exiv2 move forward and will help when asked. Please email me if you need my help, as I have unsubscribed from GitHub notifications.
@nehaljwani and I are meeting today (2022-11-12) on Google Meet to discuss this. All welcome. Robin/Nehal. If you want an invitation, email me at [email protected]
The most important matter in this release is the scope and version. Choices:
I don't know the status of the 0.27-maintenance branch. If security fixes have to be back-ported to branch 0.27-maintenance, the work involved could be considerable.
Hello everyone! Robin has shared with me the steps involved in cutting a release. IIUC, the If @kevinbackhouse can confirm that the required security fixes are present in the 0.27-maintenance branch (or not needed because of irrelevance), we can proceed with a v0.27.6. As for a release from the main branch, I vote for v0.75.0. I invite @postscript-dev, @kmilos, @piponazo, @neheb to voice their opinions. I hope to cut the releases by the end of this month with the versions listed above if no concerns are raised.
@nehaljwani I had a couple of thoughts on the release process. I recently spotted that files used when building the website are duplicated (e.g., https://github.com/Exiv2/exiv2/blob/main/doc/templates/Makefile and https://github.com/Exiv2/team/blob/main/website/Makefile). As far as I know, the Exiv2/team ones are not being kept up to date. There are some differences in Exiv2/Exiv2/docs/templates - particularly on the Also on the It is worth noting that the
Hi everybody! For me it also sounds like a good plan to make 2 releases:
Whenever we think that
Sorry, I haven't been paying attention to this issue. I'm quite angry to discover that a bunch of CVEs have been filed without consulting any of us. (I very much doubt it was done by anybody on the Exiv2 team, because we would have used GitHub Security advisories instead.) I haven't checked them all yet, but I'm pretty confident that all of those CVEs are bogus because they were introduced on the development branch ( We have a security policy which spells out very clearly that bugs on the main branch are not security bugs. Only bugs in official releases, such as v0.27.5, are potential security vulnerabilities. I have been paying attention to all the potential security issues and I'm pretty confident that none of the bugs found recently have been reproducible on the 0.27-maintenance branch. I will contact the CNA to dispute those CVEs and get them removed.
Regarding a new release, I am in favor of doing it soon. I think we should do a v0.27.6 and I think it's time to do a v1.0.0 too. My own main goal for 1.0.0 was to replace all the uses of the
WRT v1.0.0 I do hope Big Blue Red Hat lawyers will at least state in https://bugzilla.redhat.com/show_bug.cgi?id=1979565 that your camera means your data and no fooced shitware patents apply.
Thanks for stepping up @nehaljwani 👍 If it plugs all the known security holes, I'm in favour of 0.27.6 asap, as it has some useful added functionality and bug fixes backported. Re the next version, I don't really care what it's called, as long as it comes soonish as well (there are projects depending on exiv2 that are slowly starting to require at least C++17). One thing that needs to be sorted out, though, is the SO version mess (from that vantage point, I'm even ok w/ 0.28.0...)
Those bogus CVEs have been rejected now. For example: https://nvd.nist.gov/vuln/detail/CVE-2022-3717
@nehaljwani
Hello @postscript-dev, please let me know if I need to fix or add something else.
@mohamedchebbii
The video support has been merged. Since it's a major feature, maybe the next release should be 0.28.0? It would be great to be able to get it out there. We're stuck on an outdated version of exiv2 (the last one with video support before it was removed), and are really looking forward to upgrading soon 😄 Thanks to @mohamedchebbii for all the great work on that feature and thanks to @piponazo for the reviews!
As I just commented in #2450, I would like to roll back the recently merged video support until it has been better tested. I think Exiv2 was in very good shape before those PRs were merged, so my suggestion is that we start preparing 0.27.6 and 1.0.0 releases based on the state of the code as it was on 2022-12-30.
@nehaljwani
According to https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/setlocale-wsetlocale?view=msvc-170 , prior Windows versions can be supported if libc is statically linked.
Exiv2 v0.27.6 2023-01-18
Exiv2 v0.27.6 Acknowledgements According to
Exiv2 v0.27.6 Release Notes (updated 2023-01-16)
If I've failed to acknowledge anyone's contribution, I apologize. Please let me know and I'll update this comment.
Thanks! @nehaljwani Since this is also driven by security needs, maybe it's worth listing what CVEs have been plugged in the release notes as well? @kevinbackhouse
No new CVEs in this release. All known security bugs were caught during development and never made it into an official release.
I just re-read your response from a while back - so no valid CVEs against 0.27.5, and the release notes look good then. 👍
Dear folks, Exiv2 v0.27.6 has been released!
I'll start working on the Please raise concerns, if any.
See again #2406 (comment)
Do you plan to add a
@nehaljwani
I disagree - main has been in a bad state for a while, best to address it.
Sure, but if we're going with 0.28.0, we don't need to block cutting a release on fixing
Merged now 😉
1 dot zero/eu
It looks like 0.28.0 is the leader. Shall we cut the release as 0.28.0 then @nehaljwani?
@nehaljwani PLEASE release a new release with the auto_ptr to unique_ptr changes ASAP. My project is now converted to C++20 and I cannot use 27.6. My only other option would be to DL a nightly build and I am very wary of doing that. If the code is considered stable enough for other projects to rely on, I suggest you move to a 1.1.0 (Version 1 Release 1 Mod level 0) release, not 0.28.0. Thanks
Better to avoid a .0 release. 1.1.0 w/ BMFF & video.
Don't you mean the only thing to be done after fixing the bugs I reported ... David
Please be more polite to the developers.
I don't see that what I said was impolite - maybe it came over like that? If so, I apologise. However, at least one issue I reported meant the code wouldn't link on Windows 11.
Found an issue on big endian with the new video code. I don't think it's a big enough issue to hold back any release.
Good find. I agree it should not be a blocker, as most users will be little endian and it's not a regression since it's in new functionality.
Can issue #2206 be considered? Thanks!
Exiv2 v0.28.0 2023-05-08 Acknowledgements According to
Release Notes
I've tried to categorize commits based on relevance to the closest group. If I've failed to acknowledge anyone's contribution, I apologize. Please let me know and I'll update this comment. I'll attempt to cut a release based on the state of votes at #2406 (comment), on the weekend following Cinco de Mayo. Please go through the changelog (maybe it will make you reconsider your vote 😉).
@piponazo @hassec Could you please cast your vote in #2406 (comment) as well?
Exiv2 v0.28.0 has been released.
Thanks @nehaljwani!
Yes, thank you @nehaljwani! I'm so appreciative!!
No short list of changes found, long version here: Exiv2/exiv2#2406 (comment)
https://build.opensuse.org/request/show/1096176 by user dirkmueller + dimstar_suse - add a x86-64-v3 build, remove 32bit build (not used) - drop old C++ standard hack (patched line dropped in 0.28) - use g++-11 for Leap 15 builds (fix for failed std::filesystem check) - update to 0.28.0: - long list of improvements and security fixes, see Exiv2/exiv2#2406 (comment) - drop always-use-signed-char-for-conversion.patch (code no longer exists) - drop CVE-2022-3953.patch (merged upstream) - drop xml-static subpackage, cannot be built from shared builds anymore and appears to be unused
digiKam 8.1.0 - Release date: 2023-07-09 NEW FEATURES: Print Creator: Add 4 new templates for 6.8 inchs photo paper. General : Improve usability of Image Properties sidebar tab. Libraw : Update to snapshot 2023-05-14 Bundles : Update Exiv2 to last 0.28 release: Exiv2/exiv2#2406 (comment) Bundles : Update KF5 framework to last 5.106 Bundles : Includes Breeze widgets style in MacOS package to render properly GUI contents. Tags : Add possibility to remove all face tags from selected items. Tags : Add possibility to remove all tags from selected items except face tags. AND LOTS OF BUGFIXES.
Release notes: - [0.27.7](Exiv2/exiv2#2567 (comment)) - [0.27.6](Exiv2/exiv2#2406 (comment)) Signed-off-by: Reilly Brogan <[email protected]>
exiv2 currently has some medium to high open CVEs in the latest release (like this 9.8: https://nvd.nist.gov/vuln/detail/CVE-2022-3717 ) which should be patched rather quickly in distros and software distributions. Normally applying a patch for the fixes is rather easy, but because of the big formatting patches (see https://github.com/Exiv2/exiv2/blob/main/.git-blame-ignore-revs) the patches/commits no longer apply on the latest release.
Are there any plans for a new release in the near future? If a release is far in the future, maybe the patches could be rebased on the latest release and a new security-fixes-only release could be done?