Select provider of libav* libraries

Alessandro Ghedini ghedo at debian.org
Mon May 18 13:11:03 UTC 2015


On Mon, May 18, 2015 at 01:47:25 +0100, Alessio Treglia wrote:
> Ciao Alessandro,
> 
> and thanks for sharing your thoughts, it's genuinely appreciated.
> 
> On Mon, May 18, 2015 at 1:26 PM, Alessandro Ghedini <ghedo at debian.org> wrote:
> > And it's already clear that libav just doesn't provide enough security coverage,
> 
> Can you please elaborate? AFAICS the versions in oldstable (0.8.17)
> and stable (11.3) are actively maintained upstream.
> Honestly that looks quite enough of security support.

The security tracker lists three vulnerabilities that don't have patches in
libav.git (but are fixed in ffmpeg in sid):
https://security-tracker.debian.org/tracker/source-package/libav

ffmpeg also provides a helpful security page that associates CVE ids with git
commits for easy cherry-picking (libav doesn't do this):
http://ffmpeg.org/security.html

Plus see what Moritz (from the Security team) said about ffmpeg security
responses (Andreas already mentioned this, but I think it's relevant here as
well):

> I think ffmpeg is doing better in terms of handling security issues; when
> I contacted Michael Niedermeyer in private he was always quick to reply,
> while libav-security@ seems understaffed: several queries in the past needed
> additional poking, some were left unaddressed until today. Also, the Google
> fuzzer guys stated that more samples are unfixed in libav compared to ffmpeg.

https://lists.debian.org/debian-devel/2014/08/msg00060.html

> > I'm implying that users have been asking for what they need (ffmpeg) for a long
> > time, and Debian isn't providing it.
> 
> Well, that is an alleged opinion, not fact. Conversely libav backers
> couldn't say that "we are giving the users all what they really really
> want and need".
> So please let's all just refrain from taking this as we're 100% to
> have joined the battle on the right side ;)

Fair enough. I was trying to understand Jonas' point of view but I may have
been carried away at times, sorry about that everyone.

Cheers