[Webkit-unassigned] [Bug 248185] New: libavif should live under Source/ThirdParty, not under PAL
bugzilla-daemon at webkit.org
Mon Nov 21 12:04:27 PST 2022
https://bugs.webkit.org/show_bug.cgi?id=248185
Bug ID: 248185
Summary: libavif should live under Source/ThirdParty, not under PAL
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at gnome.org
Since 255797@main, libavif is now bundled to provide AVIF decoding. Unfortunately, it was imported under Source/WebCore/PAL/libavif rather than Source/ThirdParty. It's important to keep all bundled code under Source/ThirdParty so that we can easily keep track of it, see when the code was last updated, decide whether to include or exclude it from release tarballs, and ensure it's properly tracked in downstream metadata. Having bundled sources in multiple locations is going to make this very difficult, especially for people unfamiliar with WebKit.

Example problem that has already occurred: it was accidentally included in the WebKitGTK 2.39.1 release tarballs. Had I not noticed it by luck, it would have resulted in a violation of the security policy for downstream distributions that requires metadata for tracking bundled libraries. There's no way that product security organizations can properly react to a libavif vulnerability without metadata telling them it's there, but we didn't announce that we put it there, because how would anyone know about it when it's in a random place? Whereas if it were under Source/ThirdParty, it would have been automatically excluded from releases unless a human decided to allowlist it. Also, we can periodically check that everything there is kept reasonably up to date.
So we should move libavif to Source/ThirdParty. Unfortunately, there's not much I can do to help with fixing this. Since this requires editing Xcode build files, this move really has to be handled by Apple developers or someone familiar with Xcode development.