Thomas Klausner wrote:
>>        You don't need a patch for now.  Rather, just force POV-Ray to
>>build and link with the libraries provided in the source archive, using
>>the  --disable-lib-checks  configure option.  Those libs are the versions
>>that were used along the POV-Ray development.
> 
> Well, that's not really a solution. pkgsrc makes all packages
> use one png package instead of tens of different internal copies
> so that e.g. vulnerabilities or platform fixes have to be applied
> only in one place.

Please use the libraries that are supplied with POV-Ray as they are known to 
work properly due to extensive testing. If you insist on using a newer 
version of the libraries, the proper functioning of POV-Ray is not 
guaranteed by any means, and you would be on your own if there are any 
problems. Clearly, as you have noticed, there are changes in the libraries 
you are using, so you are already having problems...

So, *please* use what you are told to use, anything else is absolutely, 
completely and without restrictions *unsupported*. POV-Ray is not qualified 
for server use, and should not be exposed to untrusted users! There are no 
exceptions to this recommendation. As such, your argument about security 
completely misses the point! Please use the libraries supplied with POV-Ray, 
as they create a reliable version of POV-Ray that will *work* properly and 
be usable without problems. If you need to worry about library-level 
security problems in POV-Ray, your security settings are already inadequate.

What you are currently trying to do is similar to putting on a bullet proof 
vest, and then start shooting yourself in the foot. Clearly, not something 
you want to do! ;-)

	Thorsten Froehlich, POV-Team

Post a reply to this message