please demote exiv2 to universe

Bug #1706471 reported by Seth Arnold on 2017-07-26
This bug affects 1 person
Affects Status Importance Assigned to Milestone
exiv2 (Ubuntu)

Bug Description


Please consider demoting exiv2 to universe.

The upstream author appears overwhelmed with the task of hardening exiv2 for use against untrusted inputs and thus far (~nine months) no users have provided the project with patches against known issues.

$ reverse-depends -c main -r artful src:exiv2
* libgexiv2-2 (for libexiv2-14)
* libgexiv2-dev (for libexiv2-dev)


description: updated
Jeremy Bicha (jbicha) wrote :

shotwell depends on libgexiv2-2 which depends on libexiv2-14

So, um how would you fix that?

Changed in exiv2 (Ubuntu):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

I certainly hope that shotwell's dependency can be disabled at build time.


Jeremy Bicha (jbicha) wrote :

shotwell doesn't build without libgexiv2-dev.

I assume you're aware that showing Exif information is very useful for a photo app. Are there any other libraries you suggest instead of exiv2?

Please discuss your concerns with the shotwell and gexiv2 maintainer - I believe they are the same person. :)

Seth Arnold (seth-arnold) wrote :

I'm not saying it's not useful. The point is that the library that we're
using for Exif metadata is unsuited for use on a modern desktop operating
system or server connected to the Internet.

The maintainer doesn't want to put in the work to take it from a fun
hobby to a production-grade tool. I can understand that, and I'm even
sympathetic that it was used more widely than it should have been. That's
not his fault.

But we have millions of users who expect us to protect them against
drive-by downloads that own their desktops and server administrators
who expect to use the tools we provide to build safe services for their
users in turn.

Ideally shotwell would be able to degrade service gracefully until someone
cares enough to write a safe Exif library. Less ideal would be to demote
shotwell until this is addressed.


Jeremy Bicha (jbicha) wrote :

Yes, but could you file a bug or whatever upstream?

Also, you should probably talk to the Desktop team about your concerns before asking the Archive Admins to demote a Desktop package.

Jeremy Bicha (jbicha) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue you are reporting is an upstream one and it would be nice if somebody having it could send the bug to the developers of the software by following the instructions at If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Thanks in advance.

Seth Arnold (seth-arnold) wrote :

Good idea Jeremy; (heh, launchpad called it 'exiv2' when I linked them together. Oh well.)


Jeremy Bicha (jbicha) wrote :

Thank you!

affects: exiv2 → gexiv2
Changed in exiv2 (Ubuntu):
status: Incomplete → Triaged
Changed in gexiv2:
importance: Unknown → Medium
status: Unknown → Confirmed
Adam Conrad (adconrad) wrote :

Unsubscribing ~ubuntu-archive, this is up to the desktop team to choose to remove from their seeds and, if they do, our magic reports will tell us to demote, we don't need a bug for that.

Changed in gexiv2:
status: Confirmed → Expired
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.