
Re: Supporting libav in wheezy

On Tue, 03 May 2016, Brian May wrote:
> I have a suspicion that many of these installs may be due to libav being
> installed to satisfy dependencies. There are a large number of packages
> that do depend on libav.

Yes, that's obvious, a library is usually installed by way of
dependencies. But if you assume that people do not install packages
that they do not need, they are likely using libav even though indirectly
and they might be vulnerable to attacks. It's quite likely that the
impact might be less severe than if they were using the library to
process remotely submitted data (and in which case one would hope that
they would have told us about it) but we have no way to know that really.

> Is it worth continuing with this?

I believe it is worth at least investigating what kind of external support
we can get and how much it will cost us, yes. Then we can decide whether
we can afford it and whether it is worth its price.

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
