On 13.09.2016 19:16, Moritz Muehlenhoff wrote: > Markus Koschany wrote: >> Just to be clear a new upstream libav doesn't need to coincide with a >> Debian security update. It wouldn't do any harm though. Important is >> that we only fix security related issues and leave possible features out >> that are not strictly needed to fix the CVEs. > > This is not how libav security updates are handled in Debian; we've > always shipped the 0.8.x and 11.x bugfix releases in -security. Ok. I thought Diego's work on the 0.8 branch was the only reason why the libav project would do another release. Otherwise I wonder why they don't backport their security fixes. Anyway the general gist of my message above is still true. A targeted fix is usually better for the stability of a package but of course we can also package a new upstream release. The important point is that we can verify somehow that we really fix the open CVEs. Regards, Markus
Attachment:
signature.asc
Description: OpenPGP digital signature