Bug#1004831: transition: ffmpeg



On 2022-07-05 08:33:07, Neil Williams wrote:
> On Sun, 03 Jul 2022 23:26:46 -0500 Steven Robbins <steve@sumost.ca>
> wrote:
> > Hello,
> > 
> > On Wed, 22 Jun 2022 22:13:11 +0200 Sebastian Ramacher
> > <sramacher@debian.org> wrote:
> > 
> > > ffmpeg got a new major release including API and ABI breakage.
> > > Hence, it needs a transition. The reverse dependencies are not yet
> > > ready, so this bug is just a heads up and should help to track
> > > progress. Due to ffmpeg's security record, we should complete this
> > > transition for bookworm.
> 
> There isn't much that can reasonably be done within Debian for this
> transition, it's all dependent on upstream work. It seems unlikely that
> any of the affected packages will be able to clear this transition
> with a limited Debian-specific patch.
> 
> https://github.com/void-linux/void-packages/pull/36315 is a useful
> overview on how various upstream projects are progressing (or not) for
> ffmpeg5. It's patchy and slow progress. It seems unlikely that any
> Debian-specific timelines will have any effect on the rate of progress.

Plenty of Debian maintainers of the affected packages did not even
bother to report the issues upstream. Plenty of packages also have links
to upstream fixes. If maintainers cannot be bothered to check and
upload those fixes, we should probably look into removing those
packages instead of keeping them on life support.

> > Reverse dependencies had 4 months to fix their bugs, so I'm going
> > ahead with this one.
> 
> Not even close to enough time for all affected upstream teams.

The 4 months only reflects the Debian timeline. If upstreams are not
able to track the constant changes in ffmpeg's API, please propose to
them to switch to higher level abstractions such as ffms2 or gstreamer.

> > Yes, well as noted: this is a major release with ABI and API
> > breakage.  It is unrealistic to expect the entire open source world
> > to adopt this all at once. Digikam upstream, for example, is working
> > on the transition, but it is not straightforward.  Current
> > recommendation is to continue to build against the version 4 API [1].
> > 
> > Consider reintroducing the ffmpeg 4 libraries alongside version 5.
> 
> I suspect that will come down to which packages are still affected in a
> few months time and the relative importance of having specific packages
> in bookworm. It does seem reasonable to consider this now and work out
> just what would be required and what can be skipped.
> 
> The autoremovals from testing will start to happen soon, that's a
> chance to run up a few clean bookworm VMs and see what is missing.
> 
> Debian has GTK3 and GTK4, Qt5 and Qt6 etc., it's not ideal and it is a
> lot of work but it may be necessary to have libavcodec4-dev and
> libavcodec-dev with a new source package ffmpeg4 alongside ffmpeg.

ffmpeg has a bad history of security issues including RCEs. It requires
too many DSAs for both stable and oldstable. So I am only
going to maintain one ffmpeg version for a specific Debian release.
Anything else needs coordination with the security team.

Cheers
-- 
Sebastian Ramacher
