Turning APNG to on by default in graphics/png

Mikhail T. mi+thun at aldan.algebra.com
Wed May 25 23:15:28 UTC 2011


On 25.05.2011 17:37, Andrey Chernov wrote:
> If only FF wants the hacked library, there is no point in making even a
> separate port.
Certainly Thunderbird too. Not sure about others, but likely www/libxul too -- 
and www/seamonkey2. Worse: we tend to have multiple versions of some of those in 
the tree (for example: mail/thunderbird, mail/thunderbird3, 
deskutils/lightning-thunderbird, www/firefox, www/firefox3, www/firefox35).
> Making APNG default is an additional security risk, since another
> vulnerability may be found in the APNG extension in the future, which
> will affect all programs at once, i.e. we'll have PNG risk + APNG risk as
> a result.
In theory, EVERY additional feature is an additional security risk :) But APNG 
has not had an issue in three years.
> Moreover, APNG development is always behind official PNG in time,
> so fixing vulnerabilities will not be as fast as now.
The APNG-patched areas aren't usually where the stock PNG is affected by security 
problems -- or else APNG would have been implicated in more advisories.

In short, it does not seem that APNG is any riskier than PNG itself...

And now consider this -- the number one "vector" for security threats is through 
malicious files e-mailed or injected into web servers... And those are accessed 
by e-mail programs and browsers. So, users of Firefox and Thunderbird (the 
primary tools today -- and thus the first to be targeted by miscreants) will be 
affected by any future APNG bug /anyway/. My way, at least, the fix will require 
updating only a single port on one's machine...

Yours,

    -mi



More information about the freebsd-ports mailing list