Date: Thu, 26 May 2011 01:37:09 +0400
From: Andrey Chernov
To: "Mikhail T."
Cc: Dirk Meyer, ports@FreeBSD.ORG
Subject: Re: Turning APNG to on by default in graphics/png
Message-ID: <20110525213708.GA47626@vniz.net>
In-Reply-To: <4DDD5590.8090807@aldan.algebra.com>

If only FF wants a hacked library, there is no point in making even a separate port. Making APNG the default is an additional security risk, since another vulnerability that may be found in the APNG extension in the future will affect all programs at once, i.e. we'll have png risk + apng risk as a result.
Moreover, APNG development is always behind official png in time, so fixing vulnerabilities will not be as fast as now.

On Wed, May 25, 2011 at 03:16:32PM -0400, Mikhail T. wrote:
> On 25.05.2011 15:02, Andrey Chernov wrote:
> > > There used to be concerns about security of animated PNG code, but today I
> > > cannot find any advisories fresher than 2008:
> > >
> > > http://osvdb.org/show/osvdb/48766
> > Wrong place to find advisories related to subj. See
> > http://www.libpng.org/pub/png/libpng.html
> > page, right below yellow tables. Latest one fixed Feb 3 2011.
> Your link has no information on ANIMATED png. The ANIMATED functionality has no
> advisories since 2008...
> > > Various Mozilla applications will then be able to LIB_DEPEND on the installed
> > > png instead of building their own versions.
> > FYI: apng is a quick hack to overcome animated gif limitations, and the libpng
> > author is strongly against it, suggesting using the more flexible mng
> > instead: http://www.libpng.org/pub/mng
> I have this information -- this was discussed (with your and my selves present)
> back in 2008. But we are not going to change the way Mozilla projects are going
> about this... Our options at this point are:
>
> * continue building a private libpng as part of each Mozilla application -- a
>   silly redundancy of patches and waste of time and space;
> * make a separate port (apng or mozilla-png) -- making sure it does not
>   conflict with the "official" png;
> * just turn the APNG option on by default in the existing png port...
>
> I think the third option is the easiest -- and it has NO downsides...
>
> Yours,
>
> -mi

--
http://ache.vniz.net/