On 25.05.2011 17:37, Andrey Chernov wrote:
> If only FF wants hacked library, there is no point to make even
> separated port.

Certainly thunderbird too. Not sure about others, but, likely, www/libxul too -- and www/seamonkey2. Worse: we tend to have multiple versions of some of those in the tree (for example: mail/thunderbird, mail/thunderbird3, deskutils/lightning-thunderbird, www/firefox, www/firefox3, www/firefox35).

> Making APNG default is an additional security risk since
> another vulnerability may be founded in the APNG extension in the future
> will affect all programs at once, i.e. we'll have png risk + apng risk as
> result.

In theory, EVERY additional feature is an additional security risk :) But APNG has not had an issue in three years.

> Moreover, APNG development is always behind official png in time,
> so fixing vulnerabilities will be not as fast as now.

APNG-patched areas usually aren't where the stock PNG is affected by security problems -- or else APNG would've been implicated in more advisories.

In short, it does not seem that APNG is any riskier than the PNG itself...

And now consider this -- the number one "vector" for security threats is through malicious files e-mailed or injected into web-servers... And those are accessed by e-mail programs and browsers. So, users of Firefox and Thunderbird (the primary tools today -- and thus the first to be targeted by miscreants) will be affected by any future APNG-bug /anyway/. My way, at least, the fix will require updating only a single port on one's machine...

Yours,

   -mi

_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
