
Bug#729203: Packaging for FFmpeg avoiding conflicts with libav



Hi Michael,

On 26.02.2014 02:44, Michael Gilbert wrote:
> On Tue, Feb 25, 2014 at 8:39 PM, Michael Niedermayer wrote:
>> I'd like to volunteer to help with any future security issues in
>> FFmpeg packages in Debian.
>
> The best place to start is testing and (more preferably) patches for
> the present libav issues.  There are 18 of them:
> https://security-tracker.debian.org/tracker/source-package/libav

Thanks for trying to make a constructive comment, but I'm not sure what you want Michael Niedermayer to do.
Quoting myself [0]:
"[...] I would be very interested in an explanation of the current state of the security tracker for libav [1], as *all* issues currently marked as open for libav are CVEs issued by FFmpeg about problems they fixed [2]. One, CVE-2011-3935, is even several years old *and* fixed for the FFmpeg in old-stable! I don't know whether to laugh or cry."

Maybe you thought it was a joke? It was not, just compare the CVE numbers on [1] and [2]. I don't know if these actually affect libav, but I guess they wouldn't be on the security tracker if they didn't. These CVEs are usually linked to the git commits that fix the problems, so there are already tested (in the sense that FFmpeg uses them) patches.

If you want Michael Niedermayer to send these patches to libav upstream, I think you would have to convince them to remove some bans from their mailing lists. Good luck with that.

Best regards,
Andreas


0: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729203#475
1: https://security-tracker.debian.org/tracker/source-package/libav
2: https://ffmpeg.org/security.html

