On 2022-04-09 14:39:36 +0000, Vasyl Gello wrote: > Hi Sebastian! > > >That's a no-go from me. If bugs need to be fixed in ffmpeg, please get > >them integrated in upstream ffmpeg. I'm not interested in maintaing a > >ffmpeg-for-kodi patchset in Debian. > > OK, I totally understand your point. Previously VideoLAN rejected Kodi > patchsets as useless for upstream (or beneficial only to Kodi). ffmpeg and libdvd* are not maintained by the same teams. > Of course I can split patched libdvdread, libdvdnav and ffmpeg into > separate source packages and maintain them myself, but what is > the proper way to get all the CVE fixes same day you get it? Before you introduce another copy of ffmpeg into the archive, please talk to the security team. Given the high number of CVEs, I would recommend against it. > I am not a member of Security Team and not even a Debian Maintainer, > if that matters. And on the other side I don't want to keep embedded copies > of video libraries regularly exploited with various vulnerabilities. How can > we solve this dilemma? I don't think that maintaing two copies of ffmpeg sustainable. ffmpeg is simply too big with too many CVEs for that. The best way forward would be for kodi to not rely on some patches in their ffmpeg builds. Cheers -- Sebastian Ramacher
Attachment:
signature.asc
Description: PGP signature