
Bug#650601: [png-mng-implement] Lack of security in libpng 1.2



On Thu, Mar 22, 2012 at 11:58:21AM +0000, Adam D. Barratt wrote:
>On 22.03.2012 11:21, Adam D. Barratt wrote:
>>On 22.03.2012 11:00, Aníbal Monsalve Salazar wrote:
>>>So, the message is to move away from libpng 1.2 in Debian as
>>>soon as we can.
>>
>>In that case, maybe someone could address some of the issues we
>>raised when the transition was first proposed?  e.g. the
>>"requirement" of changing the development page name and thus
>>needing otherwise unnecessary source uploads of a bunch of
>>packages
>
>As a concrete example, running "dak rm -b libpng12-dev" on
>ftp-master a short while ago suggests that there are currently over
>two hundred source packages in unstable with a build-dependency
>either on "libpng12{,-0}-dev" with no alternative or with the 1.2
>package as the first in an alternative list.  If the libpng 1.5
>packages from experimental were to transition to unstable right now,
>we'd be unable to binNMU any of those packages; they would all
>require source uploads to change the build-dependency.  It may be
>that some of these can be explained by multiple source versions
>where the newer source has migrated to use libpng-dev, but I suspect
>those are a minority.
>
>fwiw, there are also still six packages in unstable with libpng3-dev
>as the only png-related build dependency.  It may be that those
>packages have other issues, of course.

libpng3-dev is an empty package that hasn't been removed yet, but can be
kept if you wish so. It was required for a previous transition. We
could make empty packages "libpng12{,-0}-dev" depending on libpng15-15
and libpng-dev respectively.


