Bug#774800: libav: take measurements not to include or automatically download binary blobs

Sebastian Ramacher sramacher at debian.org
Wed Jan 7 19:17:56 UTC 2015


On 2015-01-07 20:12:30, Christoph Anton Mitterer wrote:
> On Wed, 2015-01-07 at 20:07 +0100, Sebastian Ramacher wrote: 
> > So, no bug here. There's not even an alpha release of libav 12 available
> > yet.
> Well... first, it was severity=wishlist, thus not necessarily a bug...
> and 2nd, these changes will likely hit a release or may be introduced
> via some snapshot release... and I think it's better to have a
> notification that actions need to be taken then (downloading the blob
> wouldn't just be a security compromise, but also a policy violation)...
> in order not to fall into the same trap as iceweasel packages did.
> 
> Ignorantly closing this however, without any further discussion, doesn't
> really shed a very bright light on security-conscious decisions in the
> maintenance process, does it?

Do you understand the change you've linked to? I don't see a downloader
anywhere. The user needs to download OpenH264 and rebuild libav to get
OpenH264 support. So as long as there is no package in Debian providing
OpenH264, there won't be support for it in the libav package.

Cheers
-- 
Sebastian Ramacher