On 7/26/2011 4:38 PM, Yaakov (Cygwin/X) wrote:
> On Tue, 2011-07-26 at 15:48 -0400, Charles Wilson wrote:
>> General question: would it be acceptable to move libpng10 to obsolete
>> (removing libpng10-devel), and NOT update it -- rather than removing it
>> entirely?
>
> No, because anything which others may have built against it would remain
> vulnerable (and the same goes for the old libpng2 BTW).
> If libpng10
> stays, it needs to be updated,

Nope, disagree. If something is obsolete, then the maintainer IMO has no
further obligation to keep it updated. Removing a DLL immediately breaks
-- as in, nonfunctional -- all apps that rely on it, and that's just
evil. (I know, WJM and all, but there's mean, and then there's evil). It
should be the user's choice whether to continue using an old DLL that
may have a security flaw, rather than us saying: too bad. I'm going to
make it so you can't run that app anymore, because I know better than
you. Very Microsoftian.

My question is, whether it is just too cheesy to move a currently
NON-obsolete, but very old and apparently unused, DLL /into/ obsolete
status, MERELY to avoid the need to update it.

> but removing libpng10-devel is a good
> idea in any case.

Well, on that we agree.

--
Chuck
