Re: PNG crush NMU

To: Thomas Viehmann <tv@beamnet.de>
Cc: debian-qa@lists.debian.org, 331068@bugs.debian.org
Subject: Re: PNG crush NMU
From: Kapil Hari Paranjape <kapil@imsc.res.in>
Date: Tue, 7 Feb 2006 07:02:31 -0800
Message-id: <[🔎] 20060207150231.GA15059@imsc.res.in>
In-reply-to: <43D9FA9C.60702@beamnet.de>
References: <20060127033014.GB29959@imsc.res.in> <20060127084201.GA31263@matilda.phys.uu.nl> <20060127033014.GB29959@imsc.res.in> <877j8m1g5e.fsf@windlord.stanford.edu> <20060127040934.GD29959@imsc.res.in> <20060127033014.GB29959@imsc.res.in> <877j8m1g5e.fsf@windlord.stanford.edu> <20060127094350.GG29959@imsc.res.in> <43D9FA9C.60702@beamnet.de>

Hello,

Following the suggestion of Thomas Viehmann I joined the
"png-mng-implement" list where the development of libpng
is discussed by many including among them the author of pngcrush.

My posting there let to the following thread:

http://sourceforge.net/mailarchive/forum.php?thread_id=9575058&forum_id=43850

This thread suggests that static compilation of the png*.c files is
the preferred way of creating pngcrush. This was also echoed by the
author of "optipng" which is being packaged for Debian as well.

The points raised were:

1. These programs need to handle png files at a level
   that cannot be provided as non-private functions
   in libpng.

2. The authors are aware of the security implications of
   doing this and (seem to) suggest that programs like these
   should not be used in places where security is critical.

In the light of this a number of possible solutions present
themselves:

a. Compile as suggested by the authors and put a warning in
   the program description as well as the README.Debian that
   accompanies the programs. 

   Problems: Security team will still have to respond to 
   security issues that may arise with these programs which
   will have to be treated independent of libpng security
   issues.

b. Compile the programs with the png*.c files in the source
   replaced with the current security patched version of 
   these files from the libpng source. This could be automated.
   This may reduce the work needed from the security team.

   Problems: While this works currently, it is not clear that
   it will continue to work and is not supported by upstream.

c. Compile the programs with dynamic support from libpng by
   giving local definitions of some of the private functions
   and symbols (as done in my previous posting).

   Problems: While it works currently, this cannot be automated
   and so will increase the amount of work that the maintainer
   has to do. It is also not supported upstream.

I would be glad to hear if folks have some other possible solutions
or if there are clear preferences between the three options.

Thanks and regards,

Kapil.
--

Reply to:

Prev by Date: Bug#350792: qa.debian.org: mia-history script doesn't work
Next by Date: Bug#348971: qa.debian.org: please consider converting PTS to a CSS layout
Previous by thread: Processed: Re: qa.debian.org: mia-history script doesn't work
Next by thread: Bug#352200: PTS: please allow displaying bin NMUs
Index(es):
- Date
- Thread