Select provider of libav* libraries
dr at jones.dk
Fri May 15 09:13:31 UTC 2015
Quoting Reinhard Tartler (2015-05-15 09:23:13)
> Also, given that Libav supports significantly less codecs and formats
> (and in some cases specific variants or features of codecs), many
> security issues simply don't apply.
I find above important, not only for security but for long-term
maintenance in general.
To me the two libraries are like staying-bleeding-edge and conservative
flavors of roughly same API. Some upstreams favor bleeding edge - they
are not bound by several-year maintenance commitment like us - but we
really should favor the conservative of the two.
Just as Debian generally favors upstream formal releases over snapshots
of upstream development: Might be less exciting code, but in the context
of Debian "exciting" is a warning sign and "boring" is good!
If we must choose one I favor libav, and I envision a path to gradually
make room for both - by treating one as the lesser exciting alternative:
* For projects supporting both (either natively or by patching) either
link only against the boring one, or do as mpv linking boringly targeted
unstable and excitingly targeted experimental - both to aid in _library_
debugging and for those preferring to live on the edge.
* For projects supporting only ffmpeg release only to experimental
(for now - see below).
> What project is less effort for the security team?
> - I'd say Libav, the security patches have significantly better commit
> messages and descriptions, and generally make much more sense at least
> to me. Maybe Moritz can elaborate on this.
Nowadays the security team has a distinct way of flagging packages as
not-security-supported (see e.g. package debian-security-support).
If we consistently treat the libraries as boring vs. exciting like I
propose above, the security team might be convinced to tolerate both in
stable - flagging the exciting one and anything linked against it as
unsupported by them.
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
More information about the pkg-multimedia-maintainers