Select provider of libav* libraries

Bálint Réczey balint at balintreczey.hu
Sun May 24 17:13:26 UTC 2015


Hi All,

I have contacted Moritz asking him to share his opinion regarding
FFmpeg/Libav. He is not on the list, so he asked me to forward his
email.
Please see his answer inline.

2015-05-18 15:11 GMT+02:00 Alessandro Ghedini <ghedo at debian.org>:
> On Mon, May 18, 2015 at 01:47:25 +0100, Alessio Treglia wrote:
>> Hi Alessandro,
>>
>> and thanks for sharing your thoughts, it's genuinely appreciated.
>>
>> On Mon, May 18, 2015 at 1:26 PM, Alessandro Ghedini <ghedo at debian.org> wrote:
>> > And it's already clear that libav just doesn't provide enough security coverage,
>>
>> Can you please elaborate? AFAICS the versions in oldstable (0.8.17)
>> and stable (11.3) are actively maintained upstream.
>> Honestly that looks quite enough of security support.
>
> The security tracker lists three vulnerabilities that don't have patches in
> libav.git (but are fixed in ffmpeg in sid):
> https://security-tracker.debian.org/tracker/source-package/libav
>
> ffmpeg also provides a helpful security page that associates CVE ids with git
> commits for easy cherry-picking (libav doesn't do this):
> http://ffmpeg.org/security.html
>
> Plus see what Moritz (from the Security team) said about ffmpeg security
> responses (Andreas already mentioned this, but I think it's relevant here as
> well):
>
>> I think ffmpeg is doing better in terms of handling security issues; when
>> I contacted Michael Niedermayer in private he was always quick to reply,
>> while libav-security@ seems understaffed: Several queries in the past needed
>> additional poking, some were left unaddressed until today. Also, the Google
>> fuzzer guys stated that more samples are unfixed in libav compared to ffmpeg.
>
> https://lists.debian.org/debian-devel/2014/08/msg00060.html


2015-05-24 12:44 GMT+02:00 Moritz Muehlenhoff <jmm at inutil.org>:
... (part directed to me)
> -------------------------------------
> What I wrote at https://lists.debian.org/debian-devel/2014/08/msg00060.html
> effectively still holds:
>
> | I think ffmpeg is doing better in terms of handling security issues; when
> | I contacted Michael Niedermayer in private he was always quick to reply,
> | while libav-security@ seems understaffed: Several queries in the past needed
> | additional poking, some were left unaddressed until today. Also, the Google
> | fuzzer guys stated that more samples are unfixed in libav compared to ffmpeg.
>
> Several of the recently fixed libav security issues were only fixed because I
> contacted Michael Niedermayer for the reproducers and reproduced them with
> libav git. There's no special Chrome test harness, all you need to do is rebuild
> libav with asan and exercise the reproducers.
> libav doesn't do that on its own which I find disappointing since ffmpeg is
> obviously a fairly big part of their larger software ecosystem. This seems
> to be caused by two factors:
> - lack of manpower in libav
> - a general animosity
>
> Another factor in favour of ffmpeg is the support maintenance. As Andreas quoted
> the libav 0.8 branch we use in wheezy will be EOLed soon. ffmpeg, in contrast,
> even made updates to the 0.5 branch in November (i.e. the version in squeeze).
>
> So summarising my personal perspective from being in the security team: We could
> live with either solution, but by now I personally have a preference towards ffmpeg
> with the lack of manpower in libav being the decisive factor.
>
> Also as a user of mpv in jessie I find the lack of external vobsub parsing
> support rather annoying. It's a frequent issue I personally run into (as a workaround
> mplayer2 can be used, but that's not ideal).
> -------------------------------------
>

Cheers,
Balint


