[Pkg-gmagick-im-team] Would a backport of imagemagick be possible?

Roberto C. Sánchez roberto at debian.org
Sat Mar 9 03:56:23 GMT 2019


Security Team,

I have been working on imagemagick updates for jessie LTS.  According to
the Security Tracker it looks like there are more than 60 issues that
have been marked ignored or postponed for imagemagick both in jessie and
in stretch.

Another member of the LTS team (Markus Koschany) recommended that we
approach the Security Team about the possibility of backporting a more
recent imagemagick (specifically, the version in buster/sid).  In recent
months, backports of both graphicsmagick and ghostscript have been
brought into stretch from buster/sid in order to address a large number
of open security issues.

The effort required to individually address the 60+ ignored/postponed
issues would be considerable, while backporting a new upstream release
obviously carries the risk of breaking reverse dependencies.  That said,
I have done some preliminary exploration by attempting to build
imagemagick 8:6.9.10.23+dfsg-2 from buster/sid in both stretch and
jessie.  Both builds required minor adjustments (build dependencies like
g++ and debhelper) for older packages not available to each.  The
stretch build completed successfully, while the jessie build failed on
the dh_install call for imagemagick-6-doc.  I consider this a positive
result.

Before I proceed with any additional work I would like to know if the
Security team would be willing to consider accepting such a backport
into stretch.

If that is possible, I would also rebuild all reverse dependencies
(using ratt) to identify any breakage of those builds caused by the
updated imagemagick.  Assuming all of that turns out well, I would then
perform something similar for jessie, but only after the backport makes
its way into stretch.

Please advise on whether I should continue along this path or abandon
it.

Regards,

-Roberto

-- 
Roberto C. Sánchez


