Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian
- To: debian-devel@lists.debian.org
- Subject: Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Sun, 3 Aug 2014 14:04:17 +0200
- Message-id: <[🔎] slrnlts9a1.2k3.jmm@inutil.org>
- References: <53D5895B.2090102@googlemail.com> <lr7jjb$np3$1@ger.gmane.org> <53D7CF25.3040901@googlemail.com> <38022338.xExGetmtcr@eee> <53D80EDA.8040207@googlemail.com> <87ppgnhmym.fsf@windlord.stanford.edu> <53D82293.7010707@googlemail.com> <1406836447.13071.3.camel@kagura.malsain.org> <CAKcBoksdj+bEzT9bkGbLSD41JxAhSSwmNjMna5_qWU+HBupaDw@mail.gmail.com> <[🔎] 1406925100.13071.33.camel@kagura.malsain.org>
Josselin Mouette <joss@debian.org> schrieb:
> Le jeudi 31 juillet 2014 à 22:19 +0200, Pau Garcia i Quiles a écrit :
>> How is it better to have libav, which does a lot less security
>> bugfixing, in?
>
>> I'd rather have a library that fixes bugs than one that passes in
>> order to look "more secure". When in fact it's less.
>
> I have no informed opinion on whether ffmpeg or libav is better. On the
> security front, it looks indeed like ffmpeg is doing better but it is
> still hearsay.
I think ffmpeg is doing better in terms of handling security issues; when
I contacted Michael Niedermeyer in private we has always quick to reply,
while libav-security@ seems understaffed: Several queries in the past needed
additional poking, some were left unaddressed until today. Also, the Google
fuzzer guys stated that more samples are unfixed in libav compared to ffmpeg.
Cheers,
Moritz
Reply to: