
Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian



Hi Russ,

On 29.07.2014 23:30, Russ Allbery wrote:
> Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> writes:
>
>> Given the amount of software in Debian and thus the amount of security
>> fixes necessary for a stable release, I think that the additional
>> stable-security uploads for FFmpeg in the order of 10 per release will
>> be hardly noticeable.

> Er, 8 security updates over the course of a stable release is already very
> high.  Wouldn't adding another 10 make that the least secure source
> package in Debian?  I believe that's worse than web browsers, which have a
> very large attack surface and huge numbers of active and well-funded
> attackers.  And this is just for a multimedia library.

I must have failed to make my point again. :(
As far as I know there are hundreds of security updates (for all packages together) in the lifetime of a stable release. Compared to that, 10 is not large. And, as I already mentioned, I think that some of the FFmpeg updates are minor enough to go through stable-updates.

It doesn't make software less secure if (even minor) security fixes get backported even to old release branches; rather the contrary.

Web browsers tend to have a lot more security issues; e.g. for Firefox, 15 security releases are planned in two years [2]. More importantly, Mozilla supports one release for only one year. That is much worse than the case of FFmpeg. As e.g. the Chromium browser uses FFmpeg [3], it is also under the scrutiny of the very same attackers and security researchers as web browsers.

> I suppose it depends on how many of those could be grouped into one
> update, and each Iceweasel update usually has multiple fixed CVEs, so
> maybe this isn't an entirely fair comparison.  But still, those are
> jaw-dropping numbers.

For the numbers of CVEs fixed in each FFmpeg release, please have a look at their security web page [4]. Note how many of them get backported to old releases, and if one isn't, that's probably because the old release didn't contain the vulnerable code.

>> While I understand and agree with the general idea of reducing code
>> duplication, I have a really hard time trying to understand why the
>> security team has such a strong opposition to the idea of having both
>> FFmpeg and Libav in Debian stable.

> Because the sorts of numbers that you're talking about indicate that this
> code is a complete security disaster.

Seen from a different point of view, they show that the security support of FFmpeg is very good.

>> What is particularly hard for me to understand is why e.g. MySQL and
>> MariaDB can be in testing at the same time without much resistance from
>> the security team, but FFmpeg and Libav can apparently not.

> MySQL is already a security update problem due to Oracle's very unhelpful
> attitude towards security patches.  And we're still talking about rather
> fewer security vulnerabilities than this, I believe.

So this gives me the impression that MySQL has worse security support than FFmpeg, which doesn't really help me understand why the security team seems to be fine with having both forks of that in Debian testing.

Best regards,
Andreas


1: https://security-tracker.debian.org/tracker/source-package/libav
2: https://www.mozilla.org/en-US/firefox/organizations/faq/
3: https://src.chromium.org/svn/trunk/deps/third_party/ffmpeg/README.chromium
4: https://ffmpeg.org/security.html
