ludo@gnu.org (Ludovic Courtès) writes:

> ng0 skribis:
>
>>> That said, please make sure the security issues fixed in ‘libpng/fixed’
>>> are also fixed in libpng-apng!
>
> [...]
>
>> Do you have any advice how this could be achieved?
>
> I’d check whether libpng-CVE-2016-10087.patch applies to libpng-apng
> (it’s the patch that ‘libpng/fixed’ applies.)
>
> Going forward, if the code bases are similar enough, we may have to add
> a (cpe-name . "libpng") property to libpng-apng so that ‘guix lint -c
> cve’ would report libpng’s vulnerabilities.
>
> HTH!
>
> Ludo’.

Those tips helped quite a bit! Libpng-apng now builds reproducibly. Now the only issues are the CVE patch name not beginning with "libpng-apng" and the sourceforge URL using "*.sourceforge.net/project" instead of "*.sourceforge.net/projects" (this detail leads to a 404 Error while linting).