>Are we bringing in a new third party library for this? (Seems like yes?)

libwebp (see https://bugzilla.mozilla.org/show_bug.cgi?id=1294490)

>Who else uses it/audits it? Does anyone else fuzz it? Is it in OSS-fuzz?
>Are we fuzzing it?

http://developers.google.com/speed/webp - Chrome uses it. They fuzz it (including with private fuzzing). It's in OSS-fuzz: see https://groups.google.com/a/webmproject.org/forum/#!topic/webp-discuss/aqHRxQqJpH0

I don't believe we're fuzzing the patches yet, but I imagine we will.

>How does upstream behave? Do they cut releases or do they just have
>continual development and downstreams grab random versions of it? How do we
>plan to track security issues upstream? How do we plan to update it
>(mechanically and how often)?

You can see how they handle releases above. Version 1.0.0 was cut in April (though there were a number before then). See https://chromium.googlesource.com/webm/libwebp

I don't know how they track sec issues; probably similar to other google/chrome/chromium projects. See https://bugs.chromium.org/p/webp/issues/list
You can report issues as "Security" issues.

> bz wrote:
>> In the past, I believe we objected to adding WebP for various reasons.
>> Do we feel that those reasons are now outweighed by the compat problems?

(Personal opinion) Yes, unfortunately. And AV1F image format both isn't ready and isn't universally supported; it will take a while.

--
Randell Jesup, Mozilla Corp
remove "news" for personal email
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform