Status: closes roadmap X-03
Date: 2026-05-05
Scope: any optional runtime, model, decoder, extractor, plugin host, CLI tool, or native library used by Images.
Images can study external projects and reuse permissively licensed libraries, but it must not copy code from incompatible projects or quietly bundle risky runtimes. Every optional integration needs a written review before code or binaries are added.
This policy applies to:
- Ghostscript bundles.
- Archive tooling such as 7-Zip, UnRAR, libarchive, or SharpCompress.
- OpenSlide, Bio-Formats, OpenImageIO, libvips, OCIO, and other pro/scientific backends.
- OCR engines beyond Windows.Media.Ocr.
- AI models and ONNX runtimes.
- ExifTool, C2PA tooling, and metadata writers.
- Plugin hosts and scripting runtimes.
| Field | Required answer |
|---|---|
| Name and version | Exact package, binary, model, or tool version. |
| Source URL | Canonical upstream URL and release URL. |
| License | SPDX identifier where possible, plus model/data license if separate from code. |
| Redistribution permission | Whether the exact artifact may be bundled in Images releases. |
| Source-use boundary | Whether code can be linked, referenced, shell-called, or only used as design inspiration. |
| Update cadence | How releases are monitored and who owns upgrades. |
| CVE/advisory tracking | Advisory feeds, GitHub advisories, upstream security page, or vendor notices. |
| Binary provenance | Download source, checksum, signing status, build reproducibility if known. |
| Process boundary | In-process, child process, sandboxed child process, or unsupported. |
| File access boundary | Which user files, temp files, cache folders, or network resources the runtime can access. |
| Network behavior | Whether the runtime can contact the network and how Images prevents silent egress. |
| Failure mode | User-facing error copy and diagnostics when the runtime is missing or fails. |
| Test corpus | Generated or checked-in fixtures required to validate the integration. |
| Release impact | Added size, startup cost, install complexity, and package-manager consequences. |
- Prefer in-box Windows APIs when they meet the user need.
- Prefer permissive NuGet libraries over native binaries.
- Prefer child-process boundaries for GPL/AGPL, fragile, high-CVE, or untrusted-file parsers.
- Prefer generated test fixtures over checked-in binary corpora unless a format requires exact bytes.
- Prefer app-local storage under
%LOCALAPPDATA%\Imagesfor disposable caches and extracted temp files. - Reject integrations that require silent network access.
- Reject original-file writes until the workflow has confirmation, rollback, and regression coverage.
| Risk level | Examples | Required boundary |
|---|---|---|
| Low | Small permissive managed library, no native parser, no network. | In-process allowed after review. |
| Medium | Native codec, metadata parser, archive reader, large model runtime. | In-process only with CVE tracking and corpus tests; otherwise child process. |
| High | GPL/AGPL tool, JVM sidecar, untrusted document parser, experimental decoder. | Child process or sandboxed process; no in-process loading. |
| Rejected | Unknown license, unverifiable binary, silent network, no redistribution rights. | Do not integrate. |
Copy this block into a new design or decision document before adding the integration:
## Integration Review: <name>
- Version:
- Source:
- Release artifact:
- License:
- Redistribution permission:
- Source-use boundary:
- Update cadence:
- CVE/advisory tracking:
- Binary provenance:
- Process boundary:
- File access boundary:
- Network behavior:
- Failure mode:
- Test corpus:
- Release impact:
- Decision:
- Owner:| Integration | Review status | Notes |
|---|---|---|
| Magick.NET 14.14.0 | Accepted | Existing NuGet dependency; release workflow vulnerable-package gate covers managed package advisories. |
| Ghostscript 10.07.0 | Conditionally accepted | Optional app-local/system runtime; bundling requires exact approved artifact and SHA-256 continuity. See docs/codec-bundling.md. |
| SharpCompress 0.49.1 | Accepted | Managed MIT NuGet dependency for read-only RAR/CBR and 7z/CB7 archive books. Upgraded from 0.47.4 after GHSA-6c8g-7p36-r338 / CVE-2026-44788 flagged the extraction helper API that Images does not call. See docs/archive-runtime-review.md. |
| Microsoft.Data.Sqlite 10.0.9 + SQLitePCLRaw.bundle_e_sqlite3 3.0.3 | Accepted | App-local catalog, settings, and semantic index storage use managed ADO.NET over the bundled SQLitePCLRaw e_sqlite3 runtime; release readiness keeps package and vulnerability gates local. |
| Windows.Media.Ocr | Accepted | In-box Windows API; no bundled runtime. |
| 7-Zip/UnRAR native archive readers | Not reviewed | Native sidecars remain unapproved; ZIP/CBZ use .NET built-in APIs and RAR/7z use the reviewed managed SharpCompress path. |
| jpegtran.exe | Accepted for release staging through reviewed libjpeg-turbo 3.1.4.1 artifact | Lossless JPEG crop/rotation planning, runtime diagnostics, exact MCU-aligned writeback, right-angle rotation writeback, confirmed-trim UI, exact artifact URL, license files, jpegtran.exe plus jpeg62.dll SHA-256 provenance, staging script, and release diagnostics smoke are documented in docs/lossless-jpeg-transform-policy.md and src/Images/Codecs/JpegTran/PROVENANCE.md. Runtime binaries remain ignored by git and are staged only for build/publish output. |
| LaMa inpainting ONNX | Decision scoped, not bundled | Content-aware repair will use opt-in local LaMa ONNX through ONNX Runtime DirectML (current) with Windows ML as the planned forward path when V60-01 ships. See docs/inpaint-runtime-decision.md. |
| ExifTool | Not reviewed | Required before sidecar or metadata write workflows. |
| ONNX models | Not reviewed | Required before semantic search, AI tagging, background removal, upscaling, or face recognition. |
| OpenSlide/Bio-Formats | Not reviewed | Required before lab/scientific image packs. |
| Plugin host | Not reviewed | Requires a separate trust model and disabled-by-default policy. |
A release that includes a new optional runtime must include:
- The completed integration review.
- A changelog entry naming the runtime and version.
- A diagnostics surface showing runtime availability and provenance.
- At least one automated test or smoke command that exercises the runtime when present.
- A fallback path when the runtime is absent.
- Updated user documentation explaining install, privacy, and recovery behavior.