
Bug#650601: [png-mng-implement] Lack of security in libpng 1.2



On Thu, Mar 22, 2012 at 11:19:08PM +1100, Aníbal Monsalve Salazar wrote:
>On Thu, Mar 22, 2012 at 11:58:21AM +0000, Adam D. Barratt wrote:
>>On 22.03.2012 11:21, Adam D. Barratt wrote:
>>>On 22.03.2012 11:00, Aníbal Monsalve Salazar wrote:
>>>>So, the message is to move away from libpng 1.2 in Debian as
>>>>soon as we can.
>>>
>>>In that case, maybe someone could address some of the issues we
>>>raised when the transition was first proposed?  e.g. the
>>>"requirement" of changing the development page name and thus
>>>needing otherwise unnecessary source uploads of a bunch of
>>>packages
>>
>>As a concrete example, running "dak rm -b libpng12-dev" on
>>ftp-master a short while ago suggests that there are currently over
>>two hundred source packages in unstable with a build-dependency
>>either on "libpng12{,-0}-dev" with no alternative or with the 1.2
>>package as the first in an alternative list.  If the libpng 1.5
>>packages from experimental were to transition to unstable right now,
>>we'd be unable to binNMU any of those packages; they would all
>>require source uploads to change the build-dependency.  It may be
>>that some of these can be explained by multiple source versions
>>where the newer source has migrated to use libpng-dev, but I suspect
>>those are a minority.
>>
>>fwiw, there are also still six packages in unstable with libpng3-dev
>>as the only png-related build dependency.  It may be that those
>>packages have other issues, of course.
>
>libpng3-dev is an empty package that hasn't been removed yet, but can be
>kept if you wish so. It was required for a previous transition. We
>could make empty packages "libpng12{,-0}-dev" depending on libpng15-15
>and libpng-dev respectively.

libpng3-dev doesn't exist in Debian.

libpng3 depends on libpng12-0 (>= 1.2.5.0-2) currently. It's empty in
the sense that it only has symbolic links to the shared library in
libpng12-0.


