[Webkit-unassigned] [Bug 248185] New: libavif should live under Source/ThirdParty, not under PAL

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 21 12:04:27 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=248185

            Bug ID: 248185
           Summary: libavif should live under Source/ThirdParty, not under
                    PAL
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org

Since 255797@main, libavif is now bundled to provide AVIF decoding. Unfortunately, it was imported under Source/WebCore/PAL/libavif rather than Source/ThirdParty. It's important to keep all bundled code under Source/ThirdParty so that we can easily keep track of it, see when the code has been last updated, decide whether to include or exclude it from release tarballs, and ensure it's properly tracked in downstream metadata. Having bundled sources in multiple locations is going to make this very difficult, especially for people unfamiliar with WebKit. Example problem that has already occurred: it's accidentally included in the WebKitGTK 2.39.1 release tarballs. Had I not noticed it due to luck, it would have resulted in violation of security policy for downstream distributions that requires metadata for tracking bundled libraries. There's no way that product security organizations can properly react to a libavif vulnerability without metadata to know that it's there, but we didn't announce that we put it there, because how to know about it when it's in a random place? Whereas if it were under Source/ThirdParty, then it would have been automatically excluded from releases unless a human decided to allowlist it. Also, we can periodically check to see that everything kept there is reasonably up to date.

So we should move libavif to Source/ThirdParty. Unfortunately, there's not much I can do to help with fixing this. Since this requires editing Xcode build files, this move really has to be handled by Apple developers or someone familiar with Xcode development.
