Re: Dropping GStreamer 0.8 for etch

On Thursday 07 December 2006 at 11:30 +0100, Loïc Minier wrote:
>  It's nice that you're concerned by this state of fact, but this is
>  nothing new, and was already discussed multiple times.  I actually
>  already discussed this for months with 1) Debian users 2) upstream 3)
>  the ffmpeg maintainer 4) the security team.
>    If you truly want to unlock this situation, subscribe to the upstream
>  bug on the subject, and update your patch to be acceptable upstream.

By hiding behind upstream, you're simply refusing to fix the problem.
The patch is a hack that is only guaranteed to work on a Debian system,
and upstream will refuse it until it is done in a proper way. This is
not how things work. Forwarding fixes upstream is important but it
doesn't come before fixing the Debian bug.

> > As the situation is very similar in mplayer, mplayer is considered
> > RC-buggy by the security team. There was an exception for
> > gstreamer-ffmpeg because it was considered too difficult to fix, but I
> > don't think this is justified and this should be considered
> > release-critical as well.
>  Again, nothing new.  As you state yourself, this was already discussed
>  and an exception was granted.  Besides, you miss the important point
>  that gst-ffmpeg heavily patches (read: "replaces") the ffmpeg build
>  system, while mplayer has a close-to-vanilla ffmpeg tree.

The exception was granted because of this assumption, which is *entirely
wrong*, as gst-ffmpeg ships a vanilla ffmpeg tree. It took me less than
one hour to figure it out and to build a working package with the Debian
ffmpeg library.

>  "Dropping GStreamer 0.8 for etch" is not "building gst-ffmpeg against
>  Debian's ffmpeg"; any of these changes can be achieved in whatever
>  order, these are orthogonal, even if both would help security support
>  (in a different way).  As I'm not considering building gst-ffmpeg
>  against ffmpeg for etch, I kindly suggest we let this subthread die or
>  be continued in the upstream bug report where it would be more useful.

As the security people are the ones being really affected, I would like
to have Moritz' input on this matter. Are you ready to grant an
exception to gstreamer-ffmpeg and not to mplayer while the situation of
both packages is strictly identical?

Josselin Mouette                /\./\

"Do you have any more insane proposals for me?"

