On Sat, Oct 8, 2011 at 9:41 PM, Markos Chandras <hwoar...@gentoo.org> wrote:
> 1) use bundled zlib and libpng14. Doh this is not a fix. It is barely
> a workaround. What if a vulnerability is discovered in the bundled
> version of libpng in the next months? Will upstream fix it? Highly
> unlikely since they don't seem able to keep up with libpng releases.
I'm not sure why a bundled library needs to be cause for masking. If there is a vulnerability, of course we should mask away if we can't fix it within the GLSA guidelines.

I think that the general principle of not bundling libraries is a good one. However, that shouldn't be the sole reason for excluding a package from the tree, and right now I can't see any other reason to exclude this package since bundling the library fixes the block.

I haven't seen any evidence presented that upstream is lax with security - not using the latest version of a library simply is a case of "if it ain't broke, don't fix it."

Rich