From: "Mikhail T."
Date: Wed, 25 May 2011 19:15:25 -0400
To: Andrey Chernov, Dirk Meyer, ports@FreeBSD.ORG
Subject: Re: Turning APNG to on by default in graphics/png
Message-ID: <4DDD8D8D.9080104@aldan.algebra.com>
In-Reply-To: <20110525213708.GA47626@vniz.net>

On 25.05.2011 17:37, Andrey Chernov wrote:
> If only FF wants hacked library, there is no point to make even
> separated port.

Certainly thunderbird too. Not sure about others, but, likely, www/libxul too -- and www/seamonkey2. Worse: we tend to have multiple versions of some of those in the tree (for example: mail/thunderbird, mail/thunderbird3, deskutils/lightning-thunderbird, www/firefox, www/firefox3, www/firefox35).

> Making APNG default is an additional security risk since
> another vulnerability may be founded in the APNG extension in the future
> will affect all programs at once, i.e. we'll have png risk + apng risk as
> result.

In theory, EVERY additional feature is an additional security risk :) But APNG has not had an issue in three years.

> Moreover, APNG development is always behind official png in time,
> so fixing vulnerabilities will be not as fast as now.

APNG-patched areas aren't usually where the stock PNG is affected by security problems -- or else APNG would've been implicated in more advisories. In short, it does not seem APNG is any riskier than the PNG itself...

And now consider this -- the number one "vector" for security threats is through malicious files e-mailed or injected into web-servers... And those are accessed by e-mail programs and browsers. So, users of Firefox and Thunderbird (the primary tools today -- and thus the first to be targeted by miscreants) will be affected by any future APNG-bug /anyway/. My way, at least, the fix will require updating only a single port on one's machine...

Yours,

-mi