
Re: Bug#729203: [FFmpeg-devel] Reintroducing FFmpeg to Debian

Josselin Mouette <joss@debian.org> wrote:
> On Thursday 31 July 2014 at 22:19 +0200, Pau Garcia i Quiles wrote:
>> How is it better to have libav, which does a lot less security
>> bugfixing, in?
>> I'd rather have a library that fixes bugs than one that passes in
>> order to look "more secure". When in fact it's less.
> I have no informed opinion on whether ffmpeg or libav is better. On the
> security front, it looks indeed like ffmpeg is doing better but it is
> still hearsay.

I think ffmpeg is doing better in terms of handling security issues; when
I contacted Michael Niedermayer in private he was always quick to reply,
while libav-security@ seems understaffed: several queries in the past needed
additional poking, some were left unaddressed until today. Also, the Google
fuzzer guys stated that more samples are unfixed in libav compared to ffmpeg.

