Can you please provide answers and evidence for the API questions below:
a) can the APIs be invoked via TLS only?
b) do APIs implement authentication & authorization via standard protocols (e.g. OAuth) and via standard components registered in CTC as ‘recommended’?
c) do APIs provide error messages in a standard, machine processable format?
d) are HTTP verbs not required by the API disallowed?
e) are API users integrated into the authentication framework of the solution just like regular users?
f) if the solution has a user database of its own, is the user management functionality available via APIs?
Maybe if you tell us why you are asking these questions we could give a more sensible answer. Right now it looks like you are asking a vegan restaurant how they store their meat.
My guess is that you are mixing several concepts of “API”. The “API” you linked (in the developer website) is a common application library. You compile plug-ins against this library and it calls the main application. That’s all. It’s all happening offline on your system, there are no remote calls, no TLS, no HTTP, no user authentication, nothing of the stuff you asked about…
Whereas when we look at your initial questions, I am guessing the question your internal review is trying to get an answer for is: does this software access some service online? And the answer to this is: no. GIMP is desktop software. It doesn’t need internet and doesn’t need to run any HTTP/HTTPS query for normal usage.
The only HTTP query which GIMP might run is a read-only check (max once a week, no authentication, no data gathered) for new versions, which can be disabled in Preferences. Or again, if you use the online user manual, then of course it needs to load the page (but I would hardly call this an “API” call in the meaning normally used by web applications). See our Privacy Policy which gives our stance on gathering data and the like (as I guess it might be the real issue behind internal reviews).
Similarly your questions mention “API users”, “authentication framework” or “user database”; there is no such thing here. GIMP is a very old-school desktop application. No internet is needed for it to work properly and none of its features require any HTTP(S) calls.
Hi,
We found that GIMP contains a buffer overflow vulnerability. An attacker could exploit this issue by passing a crafted file to the application, which would result in an application crash. Is there any solution for this?
The solution is to fix the bug. Or what other solution are you looking for? On Linux you have various options for running GIMP in a sandbox environment, like using the Flathub package, so it is better isolated from the OS. I don’t know for other OSes.
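The sandboxing suggestion above, as an added example that is not from this thread or the GIMP project: a POSIX shell script that reads the Flatpak permissions of the Flathub GIMP package, flags whether the sandbox can reach the whole host or home directory (the part that matters when a crafted image crashes or compromises the application), and prints an override that limits it to one image folder. It assumes the Flathub app id `org.gimp.GIMP` and the `[Context]` key layout printed by `flatpak info --show-permissions`; when `flatpak` is not installed it falls back to a constructed sample dump so it runs offline.

```shell
#!/bin/sh
# Added example: check how much of the host filesystem the Flathub GIMP
# sandbox can reach and suggest a tighter override. Assumes the app id
# org.gimp.GIMP and the [Context] layout of `flatpak info --show-permissions`.
APP_ID="org.gimp.GIMP"

# Constructed sample of `flatpak info --show-permissions` output, used when
# flatpak is not available so the script still runs offline.
SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=host;xdg-config/gtk-3.0;'

# Print the value of the filesystems= key from a permissions dump.
filesystems_of() {
    printf '%s\n' "$1" | sed -n 's/^filesystems=//p'
}

# Return 0 when the sandbox can read the whole host or home directory, i.e.
# a crafted file that takes over the GIMP process could reach all user files.
has_broad_fs_access() {
    case ";$(filesystems_of "$1");" in
        *";host;"*|*";host:ro;"*|*";home;"*|*";home:ro;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the user-level override that drops host/home access and allows only
# the given image folder (path is the caller's choice).
tighten_cmd() {
    printf 'flatpak override --user --nofilesystem=host --nofilesystem=home --filesystem=%s %s\n' "$1" "$APP_ID"
}

main() {
    if command -v flatpak >/dev/null 2>&1; then
        perms=$(flatpak info --show-permissions "$APP_ID" 2>/dev/null) || perms="$SAMPLE_PERMS"
    else
        perms="$SAMPLE_PERMS"
    fi
    if has_broad_fs_access "$perms"; then
        echo "GIMP sandbox can read the whole host/home filesystem; consider running:"
        tighten_cmd "~/Pictures"
    else
        echo "GIMP sandbox filesystem access is already limited: $(filesystems_of "$perms")"
    fi
}

main "$@"
```

The printed `flatpak override` line only narrows the sandbox for your user; `flatpak override --user --reset org.gimp.GIMP` restores the package defaults if a plug-in later needs a path you removed.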
Okay, thanks for making it clear!
Is there any idea of when the next version of GIMP is going to be released, or when we can expect the newer version?