Hello, Following the suggestion of Thomas Viehmann I joined the "png-mng-implement" list where the development of libpng is discussed by many including among them the author of pngcrush.
My posting there let to the following thread: http://sourceforge.net/mailarchive/forum.php?thread_id=9575058&forum_id=43850 This thread suggests that static compilation of the png*.c files is the preferred way of creating pngcrush. This was also echoed by the author of "optipng" which is being packaged for Debian as well. The points raised were: 1. These programs need to handle png files at a level that cannot be provided as non-private functions in libpng. 2. The authors are aware of the security implications of doing this and (seem to) suggest that programs like these should not be used in places where security is critical. In the light of this a number of possible solutions present themselves: a. Compile as suggested by the authors and put a warning in the program description as well as the README.Debian that accompanies the programs. Problems: Security team will still have to respond to security issues that may arise with these programs which will have to be treated independent of libpng security issues. b. Compile the programs with the png*.c files in the source replaced with the current security patched version of these files from the libpng source. This could be automated. This may reduce the work needed from the security team. Problems: While this works currently, it is not clear that it will continue to work and is not supported by upstream. c. Compile the programs with dynamic support from libpng by giving local definitions of some of the private functions and symbols (as done in my previous posting). Problems: While it works currently, this cannot be automated and so will increase the amount of work that the maintainer has to do. It is also not supported upstream. I would be glad to hear if folks have some other possible solutions or if there are clear preferences between the three options. Thanks and regards, Kapil. -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]