Date: Thu, 26 May 2011 01:37:09 +0400
From: Andrey Chernov <ache@FreeBSD.ORG>
To: "Mikhail T." <mi+thun@aldan.algebra.com>
Cc: Dirk Meyer <dinoex@FreeBSD.ORG>, ports@FreeBSD.ORG
Subject: Re: Turning APNG to on by default in graphics/png
Message-ID: <20110525213708.GA47626@vniz.net>
In-Reply-To: <4DDD5590.8090807@aldan.algebra.com>
References: <4DDD4A44.60306@aldan.algebra.com> <20110525190239.GA46219@vniz.net> <4DDD5590.8090807@aldan.algebra.com>

If only FF wants a hacked library, there is no point in making even a
separate port. Making APNG the default is an additional security risk, since
another vulnerability that may be found in the APNG extension in the future
will affect all programs at once, i.e. we'll have png risk + apng risk as a
result. Moreover, APNG development is always behind official png in time, so
fixing vulnerabilities will not be as fast as now.

On Wed, May 25, 2011 at 03:16:32PM -0400, Mikhail T. wrote:
> On 25.05.2011 15:02, Andrey Chernov wrote:
> >> There used to be concerns about security of animated PNG code, but today I can
> >> not find any advisories fresher than 2008:
> >>
> >> http://osvdb.org/show/osvdb/48766
> > Wrong place to find advisories related to subj. See
> > http://www.libpng.org/pub/png/libpng.html
> > page, right below yellow tables. Latest one fixed Feb 3 2011.
> Your link has no information on ANIMATED png. The ANIMATED functionality has no
> advisories since 2008...
> >> Various Mozilla applications will then be able to LIB_DEPEND on the installed
> >> png instead of building their own versions.
> > FYI: apng is quick hack to overcome animated gifs limitations and libpng
> > author is strongly against it, suggesting to use more flexible mng
> > instead: http://www.libpng.org/pub/mng
> I have this information -- this was discussed (with your and my selves present)
> back in 2008. But we are not going to change the way Mozilla projects are going
> about this... Our options at this point are:
>
>   * continue building a private libpng as part of each Mozilla application -- a
>     silly redundancy of patches and waste of time and space;
>   * make a separate port (apng or mozilla-png) -- making sure, it does not
>     conflict with the "official" png;
>   * just turn the APNG option on by default in the existing png port...
>
> I think, the third option is the easiest -- and it has NO downsides... Yours,
>
>     -mi
>

--
http://ache.vniz.net/