Security Researchers and Exiv2 v0.27.4 RC3

I have good news and bad news here. Exiv2 v0.27.4 RC3 will be released on 2021-05-22. GM is expected on 2021-06-15. https://pre-release.exiv2.org

The good news is the outstanding teamwork by Kev, Luis, Christoph, Milos and Alex to deal with CVEs raised against Exiv2. Exiv2 has not had a CVE/security report for 18 months.

The bad news is the behaviour of the Security Researchers. The first of the CVEs arrived late in the 3-week life of Exiv2 v0.27.4 RC2. Another couple of days, and Exiv2 v0.27.4 GM would have been released. Team Exiv2 delayed the release and will publish Exiv2 v0.27.4 RC3 on 2021-05-22 (the original schedule for GM).

I am very upset by the unprofessional behaviour of the Security Researchers. They have had 18 months when they could have reported those issues. They chose to report them at a time to cause maximum disruption to the release process and inconvenience to Team Exiv2. Security Researchers are not the Police. They, like the members of Team Exiv2, are members of the open-source community and I expect them to cooperate and work with projects in a respectful manner. Dumping high-profile bugs on a project at the end of the development cycle is very disruptive behaviour.

8 Likes

Thanks to the team for all the hard work!

3 Likes