Over the last few weeks, I have been very busy at work, and therefore hadn't have much time for Debian. Especially, I haven't been able to help the Dunc-bank project as much as I wanted to. However, it recently became obvious that I brought my contribution to the project's impressive success (despite being not too dramatic). That was, orphaning libpng.

The one thing to know about libpng is that upstream developers like to break their software at every single release. Given the number of packages depending on it, it is not reasonable to upload new versions less than 6 months before the release; this is the reason why I carefully kept the working 1.2.8 version. However, despite being warned, the new maintainer decided to upload two new upstream versions with a high urgency to fix two security issues, instead of backporting them.

Looking at the rest of the changelog is eloquent :

• removal of the libpng3 package despite my explanations of why not to do so - a change reverted later;
• moving development examples to the shared library package - I'm sure the 91% of users having libpng12-0 installed, according to popularity-contest, will be glad to have them;
• last but not least, removal of a patch that was introduced to not export some useless symbols - of course, this was done without bumping the shlibs, just like the two new upstream releases.

The result is now, according to the unofficial RC bug list, no less than six libpng-related release-critical bugs:

• broken on amd64;
• incorrect dependency information;
• new bug introduced upstream;
• pngcrush broken.

Before anyone asks me: no, I'm not volunteering to fix these bugs. Maintaining libpng is a tedious and time-consuming task that requires more motivation than I currently have. It is way too late in the release process, and my advice for a short-term solution (suitable for a release in two months) would be to revert completely to 1.2.8 and backport the security fixes. The medium-term solution involves even more work, but I think there is no more choice: the library needs to be split in two, one private library with an unstable ABI for software like pngcrush and optipng, and one public library with a very strictly fixed ABI (probably following closely the LSB). Good luck to anyone implementing this. The long term solution is more appealing: rewrite everything from scratch. The PNG specification is much clearer than the libpng code, and calls for a clean reimplementation using modern programming techniques.

For a completely unrelated, but more entertaining moment, I recommend the reading of this Bjarne Soustrup interview, where he tries to defend C++ against all common sense. The introduction really made my day: C++ remains the archetypal "high level" computer language (that is, one that preserves the features of natural, human language). Something to meditate on.

Update : I've just seen the funniest libpng upload ever:

libpng (1.2.15~beta5-0) unstable; urgency=high