"Versions of libpng prior to 1.2.4 and 1.0.14 have a buffer overflow vulnerability that could lead to remote code execution."

After I read about the libpng vulnerability (http://lwn.net/Articles/5017/), I routinely checked for the version in Debian sid:

ii  libpng2        1.0.12-3       PNG library - runtime
ii  libpng2-dev    1.0.12-3       PNG library - development
ii  libpng3        1.2.1-1.1      PNG library - runtime
un  libpng3-dev    <keine>        (keine Beschreibung vorhanden)

Then I decided to do an apt-get install libpng3-dev, and the result shocked me:

Note, selecting libpng-dev instead of libpng3-dev
The following extra packages will be installed:
libdirectfb-dev libpng-dev
The following packages will be REMOVED:
clanlib-dev gdk-imlib-dev libbonobo-dev libbonoboui2-dev libcapplet-dev
libeel2-dev libgail-dev libgal2-0-dev libgdk-pixbuf-gnome-dev
libglade-bonobo0-dev libglade-gnome0-dev libglade2-dev libgnome-desktop-dev
libgnome-dev libgnomecanvas2-dev libgnomedb2-dev libgnomemm-dev
libgnomeprint-dev libgnomeprintui-dev libgnomeui-dev libgtk2.0-dev
libgtkhtml2-dev libgtop2-dev libmagick++5-dev libmagick5-dev
libnautilus2-dev libpng2-dev librsvg2-dev libwmf-dev libwnck-dev libzvt2-dev
The following NEW packages will be installed:
libpng-dev
1 packages upgraded, 1 newly installed, 31 to remove and 0 not upgraded.


Is there a reason to stay with the old branch? Or is this due to the lag of the ppc tree?

     Christof
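
The version check described in the message above, as an added example that is not part of the original post: it parses `dpkg -l` lines and flags installed libpng packages whose upstream version is older than the fixed release quoted from the advisory. It assumes each threshold (1.0.14, 1.2.4) applies to its own major.minor branch; the function names are hypothetical.

```python
import re

# Fixed upstream releases quoted in the advisory, keyed by release branch
# (assumption: each threshold applies to its own major.minor branch).
FIXED = {(1, 0): (1, 0, 14), (1, 2): (1, 2, 4)}

# dpkg -l lines as posted in the message above.
DPKG_L = """\
ii  libpng2        1.0.12-3       PNG library - runtime
ii  libpng2-dev    1.0.12-3       PNG library - development
ii  libpng3        1.2.1-1.1      PNG library - runtime
un  libpng3-dev    <keine>        (keine Beschreibung vorhanden)
"""

def upstream_version(deb_version):
    """Strip epoch and Debian revision, return the numeric upstream tuple."""
    upstream = deb_version.split(":", 1)[-1].rsplit("-", 1)[0]
    parts = re.findall(r"\d+", upstream)
    return tuple(int(p) for p in parts[:3])

def audit(dpkg_output):
    """Return (package, version, fixed_in) for installed libpng packages
    whose upstream version is below the fixed release of their branch."""
    findings = []
    for line in dpkg_output.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 3 or not fields[1].startswith("libpng"):
            continue
        state, name, version = fields[:3]
        # Second status letter 'i' = installed; 'un' rows carry no version.
        if len(state) < 2 or state[1] != "i":
            continue
        ver = upstream_version(version)
        fixed = FIXED.get(ver[:2])
        if fixed and ver < fixed:
            findings.append((name, version, ".".join(map(str, fixed))))
    return findings

if __name__ == "__main__":
    for name, version, fixed in audit(DPKG_L):
        print(f"{name} {version}: upstream older than fixed release {fixed}")
```

A hit means the upstream version predates the fix; a distribution can backport a patch into an older upstream version, so the package changelog still has to be checked before concluding the package is vulnerable.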

