Date: Wed, 25 May 2011 19:15:25 -0400
From: "Mikhail T." <mi+thun@aldan.algebra.com>
To: Andrey Chernov <ache@freebsd.org>, Dirk Meyer <dinoex@FreeBSD.ORG>, ports@FreeBSD.ORG
Subject: Re: Turning APNG to on by default in graphics/png
Message-ID: <4DDD8D8D.9080104@aldan.algebra.com>
In-Reply-To: <20110525213708.GA47626@vniz.net>
References: <4DDD4A44.60306@aldan.algebra.com> <20110525190239.GA46219@vniz.net> <4DDD5590.8090807@aldan.algebra.com> <20110525213708.GA47626@vniz.net>
On 25.05.2011 17:37, Andrey Chernov wrote:
> If only FF wants hacked library, there is no point to make even
> separated port.

Certainly thunderbird too. Not sure about others, but, likely, www/libxul too -- and www/seamonkey2. Worse: we tend to have multiple versions of some of those in the tree (for example: mail/thunderbird, mail/thunderbird3, deskutils/lightning-thunderbird, www/firefox, www/firefox3, www/firefox35).

> Making APNG default is an additional security risk since
> another vulnerability may be found in the APNG extension in the future
> will affect all programs at once, i.e. we'll have png risk + apng risk as
> result.

In theory, EVERY additional feature is an additional security risk :) But APNG has not had an issue in three years.

> Moreover, APNG development is always behind official png in time,
> so fixing vulnerabilities will not be as fast as now.

APNG-patched areas aren't usually where the stock PNG is affected by security problems -- or else APNG would've been implicated in more advisories. In short, it does not seem APNG is any riskier than the PNG itself...

And now consider this -- the number one "vector" for security threats is through malicious files e-mailed or injected into web-servers... And those are accessed by e-mail programs and browsers. So, users of Firefox and Thunderbird (the primary tools today -- and thus the first to be targeted by miscreants) will be affected by any future APNG-bug /anyway/. My way, at least, the fix will require updating only a single port on one's machine...

Yours,

-mi
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4DDD8D8D.9080104>