ImageMagick
| Upstream URL | Security Risk | Abandonment Risk |
|---|---|---|
| https://imagemagick.org/ | Medium | Very Low |
External contacts
The ImageMagick team is reachable via their public GitHub issue tracker. Security reports are taken via GitHub Security Advisories (GHSA).
Security posture
ImageMagick is used underneath MiniMagick (via CarrierWave) to process images. Image processing is fraught with security vulnerabilities; however, the image-processing endpoints are only accessible to administrators, which significantly lowers the risk for the Key Treasures deployment. For customer deployments, however, any method of container escape could risk compromise of other customers. For this reason, we consider ImageMagick to be of medium security concern for the Mall on Rails system.
Abandonment risk
ImageMagick is a well established, long standing open source package with a small LLC organised around it. It is unlikely to be abandoned.
When feasible, we highly recommend financially supporting ImageMagick.
Versioning policy
We use the ImageMagick package from Adélie Linux, so security updates are handled by the distro. We will evaluate new releases as they are provided in the distro repository.