Bug#709145: [CVE-2009-3546]: contains embedded (and outdated) copy of libgd2
As I said, the texlive build system needs the configuration step even if the library is not used or build.
I don't need to say more, reading the build log and searching for "gd" is enough.
> texlive-bin MUST NOT migrate to testing with embedded outdated libgd.
Who decides that, you?
>> The only program in TeX Live that is linked against libgd is
>> dvipng and this is built outside of TeX live.
>
> Care to elaborate? Either you need the sources or you do not.
Care to search for the "dvipng" package?
I am not holding your and type for you, I have other things to do.
> If it builds the library you should fix the CVEs or at least check
> that the affected code in not used by dvipng.
I told you that already! And dvipng is not my package.
> That's not true, I have already uploaded fixed libgd2 to unstable.
Good to know, still I actually don't see a need for pulling in a useless build dep if it is not necessary.
> My
> opinion
Yes there are many opinions in the world.
Norbert
Reply to: