Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian
- To: email@example.com
- Subject: Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian
- From: Moritz Mühlenhoff <firstname.lastname@example.org>
- Date: Sun, 3 Aug 2014 14:04:17 +0200
- Message-id: <email@example.com>
- References: <53D5895B.firstname.lastname@example.org> <email@example.com> <53D7CF25.firstname.lastname@example.org> <38022338.xExGetmtcr@eee> <53D80EDA.email@example.com> <firstname.lastname@example.org> <53D82293.email@example.com> <firstname.lastname@example.org> <CAKcBoksdj+bEzT9bkGbLSD41JxAhSSwmNjMna5_qWU+HBupaDw@mail.gmail.com> <email@example.com>
Josselin Mouette <firstname.lastname@example.org> wrote:
> On Thursday, 31 July 2014 at 22:19 +0200, Pau Garcia i Quiles wrote:
>> How is it better to have libav, which does a lot less security
>> bugfixing, in?
>> I'd rather have a library that fixes bugs than one that passes in
>> order to look "more secure". When in fact it's less.
> I have no informed opinion on whether ffmpeg or libav is better. On the
> security front, it looks indeed like ffmpeg is doing better but it is
> still hearsay.
I think ffmpeg is doing better in terms of handling security issues; when
I contacted Michael Niedermayer in private he was always quick to reply,
while libav-security@ seems understaffed: several queries in the past needed
additional poking, some were left unaddressed until today. Also, the Google
fuzzer guys stated that more samples are unfixed in libav compared to ffmpeg.