Select provider of libav* libraries

Dmitry Smirnov onlyjob at debian.org
Sun May 17 01:28:28 UTC 2015


Hi Andreas,

Thank you for a very good overview.

On Fri, 15 May 2015 16:55:30 Andreas Cadhalpun wrote:
> FFmpeg is clearly better at fixing security issues.
> To take a random example, an out of bounds read in the bink decoder was
> fixed in FFmpeg three years ago [1], while Libav git master is still
> vulnerable today.
> [...]
> Interestingly Gentoo recently switched to FFmpeg by default [3] after
> conducting a survey [4]. About 300 people participated in that survey and
> the outcome was rather clear:
> 62%    [ 189 ]    "I prefer ffmpeg, and it should be the default."
>  4%     [ 15 ]    "I prefer libav, and it should be the default."
> [...]
> > Maybe Moritz can elaborate on this.
> 
> It seems he already did [11]:
> "I think ffmpeg is doing better in terms of handling security issues; when
> I contacted Michael Niedermeyer in private he was always quick to reply,
> while libav-security@ seems understaffed: Several queries in the past needed
> additional poking, some were left unaddressed until today. Also, the Google
> fuzzer guys stated that more samples are unfixed in libav compared to
> ffmpeg."
> [...]
> 3: http://thread.gmane.org/gmane.linux.gentoo.devel/95339/focus=95585
> 4: https://forums.gentoo.org/viewtopic-t-1010096.html
> 11: https://lists.debian.org/debian-devel/2014/08/msg00060.html

After the above I don't need any more evidence to support the transition to
ffmpeg.

There are benefits to reducing differences from other distros which already use
ffmpeg. After all, with ffmpeg we will benefit from better upstream support.

IMHO if Moritz thinks that ffmpeg is better from a security perspective, it means
that we don't have a case for libav any more. I am now convinced that it will
be better for Debian to use ffmpeg.

I also found an interesting comparison where "mpv" upstream shares their
assessment of the problem:

  https://web.archive.org/web/20150115005029/https://github.com/mpv-player/mpv/wiki/FFmpeg-versus-Libav

-- 
Best wishes,
 Dmitry Smirnov
 GPG key : 4096R/53968D1B

---

It is a mistake to try to look too far ahead. The chain of destiny can only
be grasped one link at a time.
        -- Winston Churchill
