[Pkg-phototools-devel] Bug#1002876: darktable: embeds libraw

David Bremner bremner at debian.org
Thu Dec 30 18:41:27 GMT 2021


Package: darktable
Version: 3.8.0-1
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

As of version 3.8.0, darkatable is again embedding libraw.  I decided
to open a new bug rather than reopen #682980, since the situation this
time is somewhat different, and I'm not sure anyone getting up to
speed on the bug is well served by reading the 100 or so previous
messages.

Previously (i.e. #682980), darktable was using a forked copy of libraw
(although the change was textually small).  Currently darktable is
using a git submodule of upstream libraw, which means that it is at least
possible in principle that upstream will release a sufficiently recent
version that we can build against it. Or I guess we could package a
git snapshot of libraw in Debian.

As far as I understand, the snapshot of libraw is needed for Canon CR3
support.

I guess the other thing that has changed since #682980 was closed is
that libraw acquired a number of CVEs.

Darktable already appears in the embedded copies list for libraw [1],
but I'm not sure if "modified-embed" is still the right term.


[1]: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies
- -- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages darktable depends on:
ii  libc6                    2.33-1
ii  libcairo2                1.16.0-5
ii  libcolord-gtk1           0.1.26-2+b1
ii  libcolord2               1.4.5-3
ii  libcups2                 2.3.3op2-7
ii  libcurl3-gnutls          7.79.1-2
ii  libexiv2-27              0.27.3-3.1
ii  libgcc-s1                11.2.0-13
ii  libgdk-pixbuf-2.0-0      2.42.6+dfsg-2
ii  libglib2.0-0             2.70.2-1
ii  libgomp1                 11.2.0-13
ii  libgphoto2-6             2.5.27-1
ii  libgphoto2-port12        2.5.27-1
ii  libgraphicsmagick-q16-3  1.4+really1.3.37-1
ii  libgtk-3-0               3.24.31-1
ii  libicu67                 67.1-7
ii  libilmbase25             2.5.7-2
ii  libjpeg62-turbo          1:2.1.2-1
ii  libjson-glib-1.0-0       1.6.6-1
ii  liblcms2-2               2.12~rc1-2
ii  liblensfun1              0.3.2-6
ii  libopenexr25             2.5.7-1
ii  libopenjp2-7             2.4.0-3
ii  libosmgpsmap-1.0-1       1.2.0-1
ii  libpango-1.0-0           1.48.10+ds1-1
ii  libpangocairo-1.0-0      1.48.10+ds1-1
ii  libpng16-16              1.6.37-3
ii  libpugixml1v5            1.11.4-1
ii  librsvg2-2               2.50.7+dfsg-2
ii  libsecret-1-0            0.20.4-2
ii  libsoup2.4-1             2.74.2-3
ii  libsqlite3-0             3.36.0-2
ii  libstdc++6               11.2.0-13
ii  libtiff5                 4.3.0-2
ii  libwebp6                 0.6.1-2.1
ii  libx11-6                 2:1.7.2-2+b1
ii  libxml2                  2.9.12+dfsg-5+b1
ii  libxrandr2               2:1.5.2-1
ii  zlib1g                   1:1.2.11.dfsg-2

darktable recommends no packages.

darktable suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEkiyHYXwaY0SiY6fqA0U5G1WqFSEFAmHN/VYACgkQA0U5G1Wq
FSHOnw/+J+O8sR5k+UBBjLLf01STow0Sz8bX+yiSjLTf9p/XYHsFP0t0Ov7iFCco
Po+2lprkIuotFo+9114yc5rDgE8MKLctTM98CN6YbM5tMRTtTqUdQFhnty8T+qLO
tGlcozdHftzIT9nOKaAPWAVqS0uKNfFVGksHLQIDSJeIBSfn7sZiwYzHyNeXNIft
aaEOtrCp8adWq6L2QhIYqSY1C2rfvE41hG/FTkBNkAUB36sdOiBpGy+MRPmxxd3E
k/KIP70EBzY0SPdYEAPjE1uMpB8gnNBa8c5A1YDGUzwWfMxx9RYVkIkPvL/PS8uu
OzkOc7sWnfZnzhdC6rhLEXxpwTB2GlNxXfrqRd++4c9pLT8rEEJHcmQsxl+NYIpK
zV0gRI54TAbsAcLIltoJHDrERruBvgi4GkCQismRFQyvSCn1iECBbvYyiKcOMA+1
iEwPLWaEkJgNlO4ek2IruerSDcP7x2eFgFhWZliQPf+Rm+plbM79arJBVlpRonMf
QaELwCsuCgOIXszLV4zg+POBO3hdwNQ1qnUDXyx8OxmWMXeuGDZQB/AlYyMbKv6x
Nj8Mk1Tmh7lYE5luBJShw1rdXA5mPd1XFb+3UkNZIeM7WKwMGEeTafxIIyz/fBb0
ULDzzmAD13Uz/7Ufk0laGEAishuvIkZ+jXB0EqhkxkX0IisBj6Y=
=zxHR
-----END PGP SIGNATURE-----



More information about the Pkg-phototools-devel mailing list