Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian



Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> writes:

> Given the amount of software in Debian and thus the amount of security
> fixes necessary for a stable release, I think that the additional
> stable-security uploads for FFmpeg in the order of 10 per release will
> be hardly noticeable.

Er, 8 security updates over the course of a stable release is already very
high.  Wouldn't adding another 10 make that the least secure source
package in Debian?  I believe that's worse than web browsers, which have a
very large attack surface and huge numbers of active and well-funded
attackers.  And this is just for a multimedia library.

I suppose it depends on how many of those could be grouped into one
update, and each Iceweasel update usually has multiple fixed CVEs, so
maybe this isn't an entirely fair comparison.  But still, those are
jaw-dropping numbers.

> While I understand and agree with the general idea of reducing code
> duplication, I have a really hard time trying to understand why the
> security team has such a strong opposition to the idea of having both
> FFmpeg and Libav in Debian stable.

Because the sorts of numbers that you're talking about indicate that this
code is a complete security disaster.

> What is particularly hard for me to understand is why e.g. MySQL and
> MariaDB can be in testing at the same time without much resistance from
> the security team, but FFmpeg and Libav can apparently not.

MySQL is already a security update problem due to Oracle's very unhelpful
attitude towards security patches.  And we're still talking about rather
fewer security vulnerabilities than this, I believe.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>