
Bug#729203: Packaging for FFmpeg avoiding conflicts with libav



On Tue, Feb 25, 2014 at 11:30:25PM +0100, Andreas Cadhalpun wrote:
> On 25.02.2014 22:18, Yves-Alexis Perez wrote:
>> On Tue, Feb 25, 2014 at 06:23:20PM +0100, Andreas Cadhalpun wrote:
>>>> No, it means I don't have the time, nor nerve to discuss this. We're
>>>> after all busy to keep Debian secure and sick of maintainers who only
>>>> focus on their pet package and neglect the overall maintainability
>>>> of the Debian archive.
>>>
>>> While I always stated that I'm open to discussion, you just ended
>>> the discussion after trying to block FFmpeg from entering Debian,
>>> which I do not find very constructive.
>>
>> My feeling is that this was discussed over and over and Moritz is
>> /slightly/ tired of repeating the same thing over and over. And me
>> replying to this mail doesn't mean I'm willing to engage in a large
>> thread on this, the security team position has been given.
>
> My impression has been /slightly/ different: Moritz made dubious claims  
> about FFmpeg:
> "We've looked into many security issues
> in ffmpeg which didn't affect libav, either because experimental
> code wasn't merged yet or because code was rewritten in libav and not
> affected. Also ffmpeg hasn't have long term branches which is a major
> benefit of libav."
>
> After I have questioned these, Moritz simply left the discussion. But  
> maybe I didn't understand what Moritz wanted to say?

Yes, it's the latter: I didn't badmouth ffmpeg in any way: it was said that libav
fixed fewer Google fuzzer samples than libav; for which I added my observation that when
I looked at several CVE assignments for ffmpeg fixes the affected code
didn't exist in libav releases and that explains the difference in numbers.
That doesn't mean that ffmpeg is worse than libav, it simply means that the
code has diverged and different code is affected.

Cheers,
        Moritz

