On 25.02.2014 22:18, Yves-Alexis Perez wrote:
On Tue, Feb 25, 2014 at 06:23:20PM +0100, Andreas Cadhalpun wrote:No, it means I don't have the time, nor nerve to discuss this. We're after all busy to keep Debian secure and sick of maintainers who only focus on their pet package and neglegt the overall maintainability of the Debian archive.While I always stated that I'm open to discussion, you just ended the discussion after trying to block FFmpeg from entering Debian, which I do not find very constructive.My feeling is that this was discussed over and over and Moritz is /slighly/ tired of repeating the same thing over and over. And me replying to this mail doesn't mean I'm willing to engage in a large thread on this, the security team position has been given.
My impression has been /slightly/ different: Moritz made dubious claims about FFmpeg:
"We've looked into many security issues in ffmpeg which didn't affect libav, either because experimental code wasn't merged yet or because code was rewritten in libav and not affected. Also ffmpeg hasn't have long term branches which is a major benefit of libav."After I have questioned these, Moritz simply left the discussion. But maybe I didn't understand what Moritz wanted to say?
I want to see FFmpeg in Debian and I'm interested in any constructive discussion about problems that might bring for others. If you don't have time for such a discussion that is a pity.Well, as it was already sated, the discussion needs to happen with libav maintainers (and reverse dependencies indeed).
What do you think a discussion with them will gain?Maybe it's not clear to everyone: Upstream FFmpeg and upstream libav are not exactly friendly towards each other. Furthermore some important developers of libav are among the Debian maintainers of libav. Therefore I fear that any discussion with the libav maintainers about FFmpeg would likely end in a flamewar, which I tried to avoid.
Therefore I packaged FFmpeg in a way that doesn't conflict with libav, so that FFmpeg in Debian is neither a concern for the libav developers nor for anyone who wants to use libav, but that allows those, who need FFmpeg due to the additional features it provides, to use it.
But then the security team represented by Moritz stated that they would not support both FFmpeg and libav, so they are the only ones affected negatively by FFmpeg in stable. Thus I think it doesn't make much sense to discuss with anyone but the security team.
Ideally the security team should now evaluate which of the two are better from a security point of view and based on this decide, which one they would prefer to see in jessie.
But if they don't, someone else will have to make this decision. Best regards, Andreas