Turning APNG to on by default in graphics/png

Andrey Chernov ache at FreeBSD.ORG
Wed May 25 21:37:17 UTC 2011

If only FF wants the hacked library, there is no point in making even a
separate port. Making APNG the default is an additional security risk, since
another vulnerability that may be found in the APNG extension in the future
will affect all programs at once, i.e. we'll have png risk + apng risk as
a result. Moreover, APNG development is always behind official png in time,
so fixing vulnerabilities will not be as fast as now.

On Wed, May 25, 2011 at 03:16:32PM -0400, Mikhail T. wrote:
> On 25.05.2011 15:02, Andrey Chernov wrote:
> >> There used to be concerns about security of animated PNG code, but today I can
> >> not find any advisories fresher than 2008:
> >>
> >>      http://osvdb.org/show/osvdb/48766
> > Wrong place to find advisories related to subj. See
> > http://www.libpng.org/pub/png/libpng.html
> > page, right below yellow tables. Latest one fixed Feb 3 2011.
> Your link has no information on ANIMATED png. The ANIMATED functionality has no 
> advisories since 2008...
> >> Various Mozilla applications will then be able to LIB_DEPEND on the installed
> >> png instead of building their own versions.
> > FYI: apng is a quick hack to overcome animated gifs limitations and the libpng
> > author is strongly against it, suggesting to use the more flexible mng
> > instead: http://www.libpng.org/pub/mng
> I have this information -- this was discussed (with your and my selves present) 
> back in 2008. But we are not going to change the way Mozilla projects are going 
> about this... Our options at this point are:
>   * continue building a private libpng as part of each Mozilla application -- a 
> silly redundancy of patches and waste of time and space;
>   * make a separate port (apng or mozilla-png) -- making sure, it does not 
> conflict with the "official" png;
>   * just turn the APNG option on by default in the existing png port...
> I think, the third option is the easiest -- and it has NO downsides... Yours,
>     -mi

