Posted to dev@corinthia.apache.org by "Dennis E. Hamilton" <de...@acm.org> on 2014/12/22 17:56:57 UTC

MiniZip Dependency Consideration

There has been previous discussion on replacing the external dependency on MiniZip.

One thing to be careful about is the fact that these "simple" implementations, and simpler replacements, can be too simple.  We'll need to be vigilant about exposures to crafted exploits and also to how detected errors are handled in a resilient fashion.

This is a timely reminder: <http://www.ocert.org/advisories/ocert-2014-011.html>.

I think, in the long run, it should be possible to slide in an implementation of DCF, the ISO Document Container Profile of the PKWARE Zip specification.  This is oriented specifically to the use of Zip as a document container in cross-platform interchange (rather than a way of moving archives of file sets from one computer to another).  This should accommodate for OPC (in OOXML and elsewhere), ODF, and ePUB without difficulty.

I'm not clear, at this point, when DCF will appear and how available it will be.

 - Dennis