
Re: Bug#763148: Prevent migration to jessie



On 29.04.2015 12:28, Emilio Pozuelo Monfort wrote:
> On 29/04/15 10:41, Bálint Réczey wrote:
>> 2015-04-29 9:44 GMT+02:00 Emilio Pozuelo Monfort <pochu@debian.org>:
>>> On 27/04/15 00:30, Andreas Cadhalpun wrote:
>>>> On 27.04.2015 00:01, Emilio Pozuelo Monfort wrote:
>>>>> On 26/04/15 19:06, Andreas Cadhalpun wrote:
>>>>>> Dear release team,
>>>>>>
>>>>>> as you undoubtedly know: jessie has been released! \o/
>>>>>>
>>>>>> Thus this bug is now obsolete and I'm closing it.
>>>>>>
>>>>>> Please remove the testing migration block of ffmpeg.
>>>>>
>>>>> I don't think you understand the problem.
>>>>>
>>>>> Having both ffmpeg and libav in the same release is the problem.
>>>>
>>>> But having mysql-5.5 and mariadb-10.0 in jessie is apparently no
>>>> problem, despite previous claims. What's the difference?

It would really be nice to get an answer for this question.

>>>>> So at this moment, that "block" hint is not going to be removed.
>>>>
>>>> When will it be removed, if not now?
>>>>
>>>> Previously Moritz Mühlenhoff wrote [1]:
>>>> "After the jessie release a decision between libav and ffmpeg will need
>>>> to be made. It is certainly possible to have them co-exist for a year or
>>>> so, but the decision needs to be made before the jessie+1 freeze."
>>>>
>>>> How do you think this should go forward?
>>>
>>> You could ask the TC to decide between the two. As it happened with #717076 for
>>> example.

The TC is only a last resort, used when the normal processes fail.
It would be much better if they would work.
Therefore I'm planning to discuss a possible transition from
Libav to FFmpeg with the maintainers of the reverse dependencies,
before asking the TC for a resolution.
However this will take time and I don't see any reason to block
ffmpeg from testing during this time.
It could be removed again before stretch is released, should that
prove necessary.

>> There is no need to ask TC (yet), it is blocked by Julien:
>> https://release.debian.org/britney/hints/jcristau
>>
>> Dear Julien,
>>
>> Could you please lift the unblock now since Jessie has been released
>> and we generally don't ban packages from entering testing based on
>> duplicate functionality?
> 
> Sigh. This has been said multiple times, but I'll explain it again.
> 
> We do block stuff based on security concerns.
> 
> Since there are concerns on shipping both libav and ffmpeg,

Just for your information: I'm currently in the process of finding and
fixing FFmpeg's remaining potentially security-relevant bugs by systematically
fuzzing its demuxers/decoders with afl [1].
Once that's done (hopefully in the not too far future) security concerns
regarding FFmpeg should become more or less void.

And anyway, as far as I know, the only security support for testing comes
through unstable. So it's not like having FFmpeg in testing would increase
the workload of the security team.

> we won't allow
> ffmpeg unless it is chosen to be the default and there is a clear transition
> plan, so that we can switch from one to the other. Only then will the block hint
> be removed.
> 
> Hope that is clear.

Let me take your example of libjpeg-turbo: It has been in testing, when
the TC bug #717076 [2] was filed and during the year the decision was debated there,
except for a short time, where it was removed due to concrete unfixed security
issues [3].

It is not clear to me why a similar treatment should not be possible for ffmpeg.

Best regards,
Andreas


1: https://tracker.debian.org/pkg/afl
   BTW: Thanks to Jakub Wilk for packaging afl!
2: https://bugs.debian.org/717076
3: https://bugs.debian.org/729873

