Re: PNG crush NMU
Following the suggestion of Thomas Viehmann I joined the
"png-mng-implement" list where the development of libpng
is discussed by many including among them the author of pngcrush.
My posting there let to the following thread:
This thread suggests that static compilation of the png*.c files is
the preferred way of creating pngcrush. This was also echoed by the
author of "optipng" which is being packaged for Debian as well.
The points raised were:
1. These programs need to handle png files at a level
that cannot be provided as non-private functions
2. The authors are aware of the security implications of
doing this and (seem to) suggest that programs like these
should not be used in places where security is critical.
In the light of this a number of possible solutions present
a. Compile as suggested by the authors and put a warning in
the program description as well as the README.Debian that
accompanies the programs.
Problems: Security team will still have to respond to
security issues that may arise with these programs which
will have to be treated independent of libpng security
b. Compile the programs with the png*.c files in the source
replaced with the current security patched version of
these files from the libpng source. This could be automated.
This may reduce the work needed from the security team.
Problems: While this works currently, it is not clear that
it will continue to work and is not supported by upstream.
c. Compile the programs with dynamic support from libpng by
giving local definitions of some of the private functions
and symbols (as done in my previous posting).
Problems: While it works currently, this cannot be automated
and so will increase the amount of work that the maintainer
has to do. It is also not supported upstream.
I would be glad to hear if folks have some other possible solutions
or if there are clear preferences between the three options.
Thanks and regards,