Update request: freeimage unstable-2021-11-01 → unstable-2023-05-20

[kjeremy]

• Package name: freeimage
• Latest released version: unstable-2023-05-20 (r1909)

• Current version on the unstable channel: 2021-11-01
• Current version on the stable/release channel: 2021-11-01

• Checked the nixpkgs pull requests

Notify maintainers

@viric
@L-as

---

Note for maintainers: Please tag this issue in your PR.

---

Add a 👍 reaction to issues you find important.

[eclairevoyant]

#290949 (comment)
I don't think we're going to see much effort to update this, if anything, patching/updating anything that depends on it and removing it is more realistic

[L-as]

freeimage is probably full of many more security holes that are yet to be found, agree with above, but updating it probably isn't too hard if upstream hasn't changed much

[risicle]

Our position is that freeimage is unmaintainable.

The upstream updates since the version in nixpkgs are basically updates of the bundled libs, which we make made serious efforts to de-vendor and replace with nixpkgs-versions anyway, so probably wouldn't make any difference to the resulting package.

The vulnerabilities listed in knownVulnerabilities are largely in freeimage code and I don't see any signs of them having been addressed or even acknowledged by upstream.

From what I can tell, there is no way of providing any package that depends on freeimage in a secure way. Packages that depend on freeimage need to have their upstreams made aware of this so they can stop using it.

[tengkuizdihar]

Just want to chime in with this repo https://github.com/danoli3/FreeImage, claiming that it has fixed all of the security issues.

[L-as]

We could add a new package under a new name and deprecate the old one. I don't want people using this by accident, since it has different trust assumptions (do you trust this author? I won't make that choice for people).