
Bug#729203: Packaging for FFmpeg avoiding conflicts with libav



On Sat, Feb 22, 2014 at 08:18:20PM +0100, Andreas Cadhalpun wrote:
> >>Adrian, do you agree that this is sane?
> >>
> >>If the security team is not willing to support both, they can ask the TC
> >>to decide which one to use, but this does not prevent an upload of FFmpeg.
> >
> >I don't see why security would complain: as things stand there are
> >hundreds of security issues that have been fixed in ffmpeg (see the
> >Google audit) which have not been fixed in libav... It seems to me
> >ffmpeg is only more secure than libav at this point...
> 
> Previously, Moritz Mühlenhoff from the security team voiced his
> concerns about having to apply security fixes for both [1]:
> "But we still try to minimise such cases as much as possible. And for
> libav/ffmpeg this simply isn't manageable at all due to the huge stream
> of security issues trickling in. We definitely need to pick one
> solution only."
>
> I do not share these concerns, as there are e.g. mysql and mariadb
> happily coexisting

They are not "happily coexisting", we'll be working with the release
team to sort this out for jessie.

>, but then again, I'm not on the security team.

Exactly. It makes it really easy to not share concerns if you're not 
affected by the work imposed from the decision. 
 
> But should they decide that it will not be possible to support both
> packages for security updates, your argumentation would clearly
> favor ffmpeg over libav, probably leading to the removal of libav
> from the archive.

I don't think that's the case. We've looked into many security issues
in ffmpeg which didn't affect libav, either because experimental
code wasn't merged yet or because code was rewritten in libav and not
affected. Also ffmpeg hasn't had long-term branches which is a major
benefit of libav.

Cheers,
        Moritz

