Bug#575575: Fwd: Bug#575575: Should in-source timidity be disabled?

Matthew W. Miller mwmiller at columbus.rr.com
Sun Dec 4 20:42:01 UTC 2011


On Sat, Dec 03, 2011 at 02:01:34PM +0000, Manuel A. Fernandez Montecelo
wrote:
> I was thinking about disabling the in-source use of timidity in
> SDL_mixer, mostly because it's an in-source copy of the code (which
> can make SDL_mixer and programs using it exploitable).  However I
> don't know if this is possible, I don't know much about MIDI, and just
> took over maintenance of this package. Can you help me make an
> informed decision?

Greetings.  First, thank you for taking over SDL_mixer!
	Now, about timidity and MIDI music.  Of course the version of
timidity embedded in SDL_mixer is very old (before it was forked off
into timidity++) because of licensing conflicts, and bug reports like
this one have been because of its bugs and shortcomings.  I don't know
about any security holes in the old version of timidity, though -- are
there any security alerts posted anywhere?
	Unfortunately, native_midi_gpl isn't very flexible.  It hits the
hardware (GUS, AWE, FM or OPL3) directly, which isn't very clean or 
compatible.  So I'd recommend leaving timidity enabled even if
native_midi_gpl is enabled, just from a usability perspective.




