Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian



Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> writes:

> I must have failed to make my point again. :(
> As far as I know there are hundreds of security updates (for all packages
> together) in the lifetime of a stable release. Compared to that 10 is not
> large. And, as I already mentioned, I think that some of the FFmpeg
> updates are minor enough to go through stable-updates.

> It doesn't make a software less secure, if (even minor) security fixes get
> backported even to old release branches, rather the contrary.

Well... backporting security fixes is more of a bare minimum -- that's just
something that has to happen if we're going to support the software at
all, with a handful of exceptions where the software is, for one reason or
another, important enough that we're willing to release with it even
though security patches aren't backported properly and then terminate
support in the middle of our normal stable process.

But software should also not pose a significant security load in the first
place.  That quantity of security vulnerabilities tells me that something
is deeply wrong with FFmpeg as an upstream source base.  That's a sign of
code with a bad smell.

Now, that doesn't necessarily mean that it doesn't belong in Debian.
Sometimes we have to hold our nose and live with that, and it sounds like
libav isn't necessarily a lot better.  But those are really painful
statistics that, to me at least, indicate the world is crying out for a
replacement code base that accomplishes the same goals but was written
with a higher level of quality in mind.

Obviously easier said than done, of course.

Is upstream aware that this is a really bad track record and trying to do
something proactive to increase the quality of the code, like
comprehensive auditing, or proactive rewrites to use more secure coding
practices such as some of the work that the LibreSSL team has been doing?

I'm sympathetic to the concerns of the security team and the release team
about supporting two code bases with this much security activity in a
stable release.  Maybe it's still the right thing to do, but that's a lot
of work for them.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
