Turning APNG to on by default in graphics/png

Mikhail T. mi+thun at aldan.algebra.com
Wed May 25 23:15:28 UTC 2011

On 25.05.2011 17:37, Andrey Chernov wrote:
> If only FF wants hacked library, there is no point to make even
> separated port.
Certainly thunderbird too. Not sure about others, but, likely, www/libxul too -- 
and www/seamonkey2. Worse: we tend to have multiple versions of some of those in 
the tree (for example: mail/thunderbird, mail/thunderbird3, 
deskutils/lightning-thunderbird, www/firefox, www/firefox3, www/firefox35).
> Making APNG default is an additional security risk since
> another vulnerability may be founded in the APNG extension in the future
> will affect all programs at once, i.e. we'll have png risk + apng risk as
> result.
In theory, EVERY additional feature is an additional security risk :) But APNG 
has not had an issue in three years.
> Moreover, APNG development is always behind official png in time,
> so fixing vulnerabilities will be not as fast as now.
APNG-patched areas aren't usually, where the stock PNG is affected by security 
problems -- or else APNG would've been implicated in more advisories.

In short, it does not seem, APNG is any riskier than the PNG itself...

And now consider this -- the number one "vector" for security threats is through 
malicious files e-mailed or injected into web-servers... And those are accessed 
by e-mail programs and browsers. So, users of Firefox and Thunderbird (the 
primary tools today -- and thus the first to be targeted by miscreants) will be 
affected by any future APNG-bug /anyway/. My way, at least, the fix will require 
updating only a single port on one's machine...



More information about the freebsd-ports mailing list