[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wheezy update for libav

On 13.09.2016 19:16, Moritz Muehlenhoff wrote:
> Markus Koschany wrote:
>> Just to be clear a new upstream libav doesn't need to coincide with a
>> Debian security update. It wouldn't do any harm though. Important is
>> that we only fix security related issues and leave possible features out
>> that are not strictly needed to fix the CVEs.
> This is not how libav security updates are handled in Debian; we've
> always shipped the 0.8.x and 11.x bugfix releases in -security.

Ok. I thought Diego's work on the 0.8 branch was the only reason why the
libav project would do another release. Otherwise I wonder why they
don't backport their security fixes. Anyway the general gist of my
message above is still true. A targeted fix is usually better for the
stability of a package but of course we can also package a new upstream
release. The important point is that we can verify somehow that we
really fix the open CVEs.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: