>Are we bringing in a new third party library for this? (Seems like yes?)
libwebp (see
https://bugzilla.mozilla.org/show_bug.cgi?id=1294490)
>Who else uses it/audits it? Does anyone else fuzz it? Is it in OSS-fuzz?
>Are we fuzzing it?
http://developers.google.com/speed/webp - Chrome uses it. They fuzz it
(including with private fuzzing).
It's in OSS-fuzz: see
https://groups.google.com/a/webmproject.org/forum/#!topic/webp-discuss/aqHRxQqJpH0
I don't believe we're fuzzing the patches yet, but I imagine we will.
>How does upstream behave? Do they cut releases or do they just have
>continual development and downstreams grab random versions of it? How do we
>plan to track security issues upstream? How do we plan to update it
>(mechanically and how often)?
You can see how they handle releases above. Version 1.0.0 was cut in
April (though there were a number before then).
See
https://chromium.googlesource.com/webm/libwebp
I don't know how they track sec issues; probably similar to other
Google/Chrome/Chromium projects.
See
https://bugs.chromium.org/p/webp/issues/list
You can report issues as "Security" issues.
> bz wrote:
>> In the past, I believe we objected to adding WebP for various reasons.
>> Do we feel that those reasons are now outweighed by the compat problems?
(Personal opinion) Yes, unfortunately. And AV1F image format both isn't
ready and isn't universally supported; it will take a while.
--
Randell Jesup, Mozilla Corp
remove "news" for personal email