
Re: Bug#395252: ignore bug 395252 'mplayer embeds ffmpeg' for lenny



On Wed, Jun 18, 2008 at 02:09:06PM +0200, A Mennucc wrote:
> On Wed, Jun 18, 2008 at 10:29:17AM +0100, Neil McGovern wrote:
> > Neither, it's the RC policy which carries more weight than a RG:
> > http://release.debian.org/lenny/rc_policy.txt
> > 
> > 5a) Packages in the archive must not be so buggy or out of date that we
> > refuse to support them.
> > 
> > The security team has confirmed multiple times that this is no longer
> > supportable.
> 
> Your phrase "no longer" confirms that there is a fundamental
> misunderstanding in this point.
> 
> The package 'mplayer' is not 'so buggy', it has 40 bugs,
> and that is average. 
> The only RC bug that 'mplayer' has is 395252.
> 
> This bug says "mplayer requires too much security maintenance work due to
> embedded ffmpeg copy".
> 
> But this "too much security work" was claimed even before etch was
> released, and is a claim that had and still has no supporting facts.
> 
> Indeed 'mplayer' had 3 security updates so far in Etch.
> None of those security updates was fixed by patching
> code in the ffmpeg library.
> 
> So this whole bug 395252 is based on an a priori assumption;
> moreover this assumption was proved wrong by facts.
> 
> Summarizing, you are deciding that mplayer is too buggy to be
> supported because of a bug that claims that same argument.
> 
> Don't you see how circular this whole reasoning is?
> 
> ----
> 
> Not to mention that, for reasons beyond my comprehension,
> mplayer is the only package targeted by this reasoning.
> 
> 1) As I said in the other email, the policy 3.8.0
> now contains a paragraph [14.3] against embedded copies,
> which is, though, waived for Lenny. For some reason, you
> do not accept that mplayer be given the same treatment.
> 
> 2) Another point is that
> http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0
> lists many packages which ship embedded copies.  One example is
> mozilla/iceweasel/iceape.  Iceweasel had 9 security bugs in Etch.
> Iceweasel has ~500 bugs (!!). So iceweasel should be kept out of
> Lenny, since it contains embedded copies of code and is quite
> buggy. But no one is ever posting this RC bug.  Why? Beats me.

Note iceweasel 3.0, which is planned for Lenny, while it contains
an embedded copy of code, does *not* use it. Find another example.

Mike

