Is a new release happening soon?

[SuperSandro2000]

exiv2 has currently some medium to high opne CVEs in the latest release (like this 9.8 https://nvd.nist.gov/vuln/detail/CVE-2022-3717 ) which should be patched rather quickly in distros and software distributions. Normally applying a patch for the fixes is rather easy but because of the big formatting patches (see https://github.com/Exiv2/exiv2/blob/main/.git-blame-ignore-revs) the patches/commits no longer apply on the latest release.

Are there any plans for a new release in the new future? If a release is far in the future maybe the patches could be rebased on the latest release and a new security fixes only release could be done?

[risicle]

I'd like to add to this a bit of feedback on having actionable vulnerability reports. Regarding the 6 recently released CVEs:

https://nvd.nist.gov/vuln/detail/CVE-2022-3717
https://nvd.nist.gov/vuln/detail/CVE-2022-3718
https://nvd.nist.gov/vuln/detail/CVE-2022-3719
https://nvd.nist.gov/vuln/detail/CVE-2022-3755
https://nvd.nist.gov/vuln/detail/CVE-2022-3756
https://nvd.nist.gov/vuln/detail/CVE-2022-3757

For each of these the suggested course of action is patching, but not a single one of the indicated patches apply to the most recent stable release without significant alteration. Any such alteration would also be a rather blind process because the proof of concepts I could find for these issues don't seem to trigger v0.27.5, so it would be hard to verify that it's been fixed.

It's possible these aren't triggering v0.27.5 because of a recent slightly mysterious refactor of the BMFF support that was done in August: 3456f30 which wasn't accompanied by any announcement.

CVE-2022-3717 is of special note because I don't think it affected any versions outside that PR, so I'm not quite sure what the purpose of that was.

So it's difficult for a distributor/user to know what to do now. If the answer is "run an unstable version" (which right now looks like it might be the only sensible option for shipping a safe exiv2), then you may as well make an immediate release because I guess at this point any QA criteria go out the window.

[postscript-dev]

Are there any plans for a new release in the new future?

After Robin retired from Exiv2, @nehaljwani kindly offered to take over release engineering. The transition is still relatively new and will take time to work smoothly.

As far as I know, @nehaljwani doesn't follow the day-to-day posts but can be contacted by mentioning him.

[clanmills]

I will help @nehaljwani and anybody to make a release. I'm pleased to be retired and will not return to the project. I am happy to see Exiv2 move forward and will help when asked.

Please email me if you need my help, as I have unsubscribed from Github notifications.

[clanmills]

@nehaljwani and I are meeting today (2022-11-12) on Google Meet to discuss this. All welcome.

Robin/Nehal
Saturday, 12 November · 14:00 – 15:00 UTC
Google Meet joining info
Video call link: https://meet.google.com/mfk-zpii-gic

If you want an invitation, email me: at robinwmills@gmail.com

[clanmills]

The most important matter in this release is the scope and version. Choices:

1. Release 'main' as version 0.28.0 (or possibly 0.90.0 to make it very clear that this is not a simple successor to 0.27)
2. Release 'main' as version 1.00.0 (I don't think 'main' is v1.00.0)
3. Patch v0.27.5 with the security fixes and release v0.27.6

I don't know the status of the 0.27-maintenance branch. If security fixes have to be back-ported to branch 0.27-maintenace, the work involved could be considerable.

[nehaljwani]

Hello everyone! Robin has shared with me the steps involved in cutting a release.

IIUC, the main branch diverged from 0.27-maintenance right after 0.27.4 with this commit.

If @kevinbackhouse can confirm that the required security fixes are present in the 0.27-maintenance branch (or not needed because of irrelevance), we can proceed with a v0.27.6. As for a release from the main branch, I vote for v0.75.0.

I invite @postscript-dev, @kmilos, @piponazo, @neheb to voice their opinion.

I hope to cut the releases by the end of this month with the versions listed above if no concerns are raised.

[postscript-dev]

@nehaljwani
Thanks for taking the time to work on this. As I build from source, the new release doesn't affect me much.

I had a couple of thoughts on the release process.

I recently spotted that files used when building the website are duplicated (e.g., https://github.com/Exiv2/exiv2/blob/main/doc/templates/Makefile and https://github.com/Exiv2/team/blob/main/website/Makefile). As far as I know, the Exiv2/team ones are not being kept up to date. There are some differences in Exiv2/Exiv2/docs/templates - particularly on the main branch.

Also on the main branch, the manpage has changed to markdown format (i.e.Exiv2/Exiv2/man/man1/exiv2.1 to Exiv2/Exiv2/exiv2.md). As a result, it wont be automatically added to https://exiv2.org/manpage.html. The manpage text may also need minor reformatting to fit any line limits used by the postscript file. If you need help with the manpage text, then let me know.

It is worth noting that the main branch has diverged a LOT from the commit that you named. For 0.75.0 , apart from the size of the release notes, there could be other minor changes needed to the release process. As a release is needed, perhaps it would be better to complete 0.27.6 first and then work on 0.75.0 after.

[piponazo]

Hi everybody!
I have not been able to contribute much to the project lately, but I still keep to keep an eye on what's going on and deal with the CI problems when it is needed. Since winter is coming and is full of terrors, I will probably show up more here 😄 .

For me it also sounds like a good plan to make 2 releases:

• 0.27.6
• 0.28 or 0.75 (I do not have a strong preference for or or the other)

Whenever we think that main is in a state mature enough we can think about 1.0.

[kevinbackhouse]

Sorry, I haven't been paying to this issue. I'm quite angry to discover that a bunch of CVEs have been filed without consulting any of us. (I very much doubt it was done by anybody on the Exiv2 team, because we would have used GitHub Security advisories instead.) I haven't checked them all yet, but I'm pretty confident that all of those CVEs are bogus because they were introduced on the development branch (main) and fixed within a few weeks. As an example, CVE-2022-3717, which is cited as the main example in this issue, was fixed as the 8th commit in #2381, so it never even got merged into the main branch.

We have a security policy which spells our very clearly that bugs on the main branch are not security bugs. Only bugs in official releases, such as v0.27.5 are potential security vulnerabilities. I have been paying attention to all the potential security issues and I'm pretty confident that none of the bugs found recently have been reproducible on the 0.27-maintenance branch.

I will contact the CNA to dispute those CVEs and get them removed.

[kevinbackhouse]

Regarding a new release, I am in favor of doing it soon. I think we should do a v0.27.6 and I think it's time to do a v1.0.0 too. My own main goal for 1.0.0 was to replace all the uses of the long type with something more appropriate, such as size_t. I think that's mostly done - I think there are still some uses in some of the .cpp files, but the header files are mostly clean now so the remaining problems can be fixed without affecting the public API.

[1div0]

WRT v1.0.0 I do hope Big Blue Red Hat lawyers will at least state in https://bugzilla.redhat.com/show_bug.cgi?id=1979565 that your camera means your data and no fooced shitware patents apply.

[kmilos]

Thanks for stepping up @nehaljwani 👍

If it plugs all the known security holes, I'm in favour of 0.27.6 asap, as it has some useful added functionality and bug fixes backported.

Re the next version, I don't really care what it's called, as long it comes soonish as well (there are projects depending on exiv2 that are slowly starting to require at least C++17). One thing that needs to be sorted out though is the SO version mess (from that vantage point, I'm even ok w/ 0.28.0...)

[kevinbackhouse]

Those bogus CVEs have been rejected now. For example: https://nvd.nist.gov/vuln/detail/CVE-2022-3717

[postscript-dev]

@nehaljwani
Support for video was removed from the main branch however, some users requested this to be restored. @mohamedchebbii has worked hard to recover and modernise the code to be compatible with C++17. It would be good to include this in the new main release, if possible. @mohamedchebbii, how close is your work to being merged?