Date: Sat, 8 Oct 2011 21:57:51 -0400
In-Reply-To: <4E90FBBB.1070309@gentoo.org>
Message-ID: <CAGfcS_=drDiNHDfXmpc6r59gphLy4=yap5JSxK_KFhw6NE-nHw@mail.gmail.com>
Subject: Re: [gentoo-dev] Lastrite: media-gfx/pngcrush
From: Rich Freeman <rich0@gentoo.org>
To: gentoo-dev@lists.gentoo.org

On Sat, Oct 8, 2011 at 9:41 PM, Markos Chandras <hwoarang@gentoo.org> wrote:
> 1) use bundled zlib and libpng14. Doh this is not a fix. It is barely
> a workaround. What if a vulnerability is discovered in the bundled
> version of libpng in the next months? Will upstream fix it? Highly
> unlikely since they don't seem able to keep up with libpng releases.

I'm not sure why a bundled library needs to be cause for masking.  If
there is a vulnerability, of course we should mask away if we can't
fix it within the GLSA guidelines.

I think that the general principle of not bundling libraries is a good
one.  However, that shouldn't be the sole reason for excluding a
package from the tree, and right now I can't see any other reason to
exclude this package since bundling the library fixes the block.  I
haven't seen any evidence presented that upstream is lax with security
- not using the latest version of a library simply is a case of "if it
ain't broke, don't fix it."

Rich