
Install instructions should not recommend vulnerable libpng libraries #947

hawicz opened this issue Jan 22, 2024 · 1 comment
hawicz commented Jan 22, 2024

The install instructions (https://www.rapidwright.io/docs/Install.html#install) recommend installing old versions of the png library, namely libpng12. The problem with this is that there have been numerous vulnerabilities in libpng (https://www.cvedetails.com/vulnerability-list/vendor_id-7294/Libpng.html) and directing people to install such ancient, buggy versions seems rather irresponsible.

The instructions don't even refer to the most recent release of the 1.2 lineage (though even that is more than 7 years old at this point), and instead recommend manually installing a 1.2.54 package.

Where does the libpng dependency come in? Can it be updated to use a more modern version?

clavin-xlnx (Member) commented
Thanks for bringing up this issue. The instructions for installing libpng are optional, for the GUI use of RapidWright, which is uncommon. I've just updated the documentation to denote that step as optional and also added a warning box to the install instructions. Most users do not use the GUI and therefore do not need to install libpng.

The libpng dependency is from Qt Jambi, a Java-based wrapper around Qt. RapidWright GUI applications were built on a fairly old version of it and there hasn't been a drop-in replacement upgrade for some time. There was some effort in #501, but it would require additional steps from users to get it working. We will follow up on this option and leave this issue open for now until we can resolve it.
