What do you do with security problems in programs that aren't
freely licensed, and the maintainer has stopped responding when notified of security problems and so forth? One example of this is the
image viewing and editing application. The application is getting a bit long in the tooth, to say the least. The last release is more than ten years old, but it is still shipped by Novell/SUSE (at least in 9.2), Gentoo
and others. Even grumpy editors
continue to find XV an attractive choice, albeit less than acceptable due to its licensing.
Several vulnerabilities have been reported in XV since its development came to a halt, including a buffer overflow last August that was not completely addressed by vendor patches. The lack of security updates from the original author, John Bradley, is something of a problem. There have been patches and updates from other sources since the last official release, but the XV page itself seems to have been last updated in March of 2001.
Greg Roelofs has released a patch that is supposed to take care of the problem in his jumbo patches to add features to XV. (Note that the vulnerability that affects XV has also been reported by Bruno Rohee to affect Gwenview and ImageMagick.)
However, this doesn't address the problem of getting the patches into the upstream version. We attempted to contact Bradley, but received no response to our e-mail. Presumably, Bradley is not particularly interested in maintaining XV at this point, but has not seen fit to release the code to anyone else for maintainership, either.
Though the code is available for XV, the license precludes another person or group from picking up maintainership of the project. XV has a "shareware" license that is relatively liberal, allowing personal use without registration, and distribution is permitted for non-commercial purposes. In short, the license allows for distribution of patches and so forth, but it does not allow for a third party to assume control of the project and give it the care and feeding it obviously needs.
Given the amount of effort that has gone into patches for XV, it would seem more logical for interested parties to turn their attention to image viewers and editors that are not encumbered by proprietary licenses. XV provides yet another cautionary tale for users considering software that is "free enough" without actually having an open source license that allows the project to be carried by users interested in its further development.
to post comments)