This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: [SECURITY] libpng vulnerabilities


On 7/26/2011 4:38 PM, Yaakov (Cygwin/X) wrote:
> On Tue, 2011-07-26 at 15:48 -0400, Charles Wilson wrote:
>> General question: would it be acceptable to move libpng10 to obsolete
>> (removing libpng10-devel), and NOT update it -- rather than removing it
>> entirely?
> 
> No, because anything which others may have built against it would remain
> vulnerable (and the same goes for the old libpng2 BTW).  If libpng10
> stays, it needs to be updated,

Nope, disagree.  If something is obsolete, then the maintainer IMO has
no further obligation to keep it updated.  Removing a DLL immediately
breaks -- as in, nonfunctional -- all apps that rely on it, and that's
just evil.  (I know, WJM and all, but there's mean, and then there's evil).

It should be the user's choice whether to continue using an old DLL that
may have a security flaw, rather than us saying: too bad. I'm going to
make it so you can't run that app anymore, because I know better than
you. Very Microsoftian.

My question is, whether it is just too cheesy to move a currently
NON-obsolete, but very old and apparently unused, DLL /into/ obsolete
status, MERELY to avoid the need to update it.

> but removing libpng10-devel is a good
> idea in any case.

Well, on that we agree.

--
Chuck
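Both positions above turn on the same practical question: which installed binaries were actually built against the old DLL, so that a user can decide whether keeping it matters and a maintainer can see what removing it would break. The script below is an added example, not code from this thread or from the Cygwin project. It walks the PE import directory directly (the same information `objdump -p` prints as "DLL Name:" and `cygcheck` reports as DLL dependencies) and lists the images that import a given DLL. The DLL names used in the demo are illustrative, and build_test_image() constructs a minimal PE32 image so the example runs offline; the import table it builds has the real layout, but the image is not an executable.

```python
import struct
import sys
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table among the optional header's data directories


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for _name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstring(data, offset):
    return data[offset:data.index(b"\0", offset)].decode("ascii", errors="replace")


def imported_dlls(data):
    """Return the lower-cased name of every DLL listed in the image's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs_off = opt_off + (96 if magic == 0x10B else 112)       # data directories: PE32 vs PE32+ layout
    imp_rva, _imp_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return []                                              # image has no import directory
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((name, vaddr, vsize, raw_ptr, raw_size))
    names = []
    desc_off = rva_to_offset(imp_rva, sections)
    while True:  # IMAGE_IMPORT_DESCRIPTOR entries, 20 bytes each, ended by an all-zero entry
        _, _, _, name_rva, _ = struct.unpack_from("<IIIII", data, desc_off)
        if name_rva == 0:
            break
        names.append(read_cstring(data, rva_to_offset(name_rva, sections)).lower())
        desc_off += 20
    return names


def importers_of(dll_name, images):
    """images maps path -> file bytes; return the paths whose import table names dll_name."""
    target = dll_name.lower()
    hits = []
    for path, data in images.items():
        try:
            if target in imported_dlls(data):
                hits.append(path)
        except (ValueError, struct.error):
            continue  # not a PE image (or truncated); skip it
    return sorted(hits)


def build_test_image(dll_names):
    """Constructed PE32 image for offline testing: headers plus a single .idata section."""
    sec_rva, sec_raw = 0x1000, 0x200  # RVA deliberately differs from the file offset
    desc_bytes = 20 * (len(dll_names) + 1)
    names_blob, name_rvas = b"", []
    for n in dll_names:
        name_rvas.append(sec_rva + desc_bytes + len(names_blob))
        names_blob += n.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + bytes(20)
    sec_data = descs + names_blob
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_rva, desc_bytes)
    opt = struct.pack("<H", 0x10B) + bytes(94) + bytes(dirs)   # PE32 magic, zeroed fields, 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".idata", len(sec_data), sec_rva,
                          len(sec_data), sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + section
    return headers.ljust(sec_raw, b"\0") + sec_data


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python find_importers.py <dll-name> <directory>
        images = {str(p): p.read_bytes() for p in Path(sys.argv[2]).rglob("*")
                  if p.suffix.lower() in (".exe", ".dll")}
        print("\n".join(importers_of(sys.argv[1], images)))
    else:  # offline demo on constructed images; DLL names are illustrative
        demo = {"app.exe": build_test_image(["cygwin1.dll", "cygpng10.dll"]),
                "tool.exe": build_test_image(["cygwin1.dll", "cygpng12.dll"])}
        print(importers_of("cygpng10.dll", demo))
```

Run against a real tree as `python find_importers.py cygpng10.dll /usr/bin` (or with /usr/local/bin, since locally built apps are the ones the thread worries about); every path printed is a binary that stops loading if the DLL is removed, and keeps loading the vulnerable code if it stays. The scan only sees static imports, so anything that loads the DLL through dlopen/LoadLibrary will not appear.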

