Hi Moritz,
On 30.09.2014 22:45, Moritz Mühlenhoff wrote:
> On Sun, Sep 28, 2014 at 11:27:03AM +0200, Andreas Cadhalpun wrote:
>> So would you please explain why you see a problem?
> It has all been written before, I'm not going to repeat
> it all over again. We can pick libav _or_ ffmpeg for jessie+1.
The above doesn't contain any explanation of why you think FFmpeg can't be
supported in jessie. It does not even contain a pointer to where such an
explanation has supposedly been written before.
> EOD for me.
You made similar statements before and I must say that they are not part
of what I consider a constructive discussion.
I only remember two mails in which you provided some arguments against
having both:
In the early discussion on debian-devel you wrote [1]:
"But we still try to minimise such cases as much as possible. And for
libav/ffmpeg this simply isn't manageable at all due to the huge stream
of security issues trickling in. We definitely need to pick one
solution only."
The first sentence is about the general goal of reducing code
duplication, which I agree with, because duplicated code copies usually
make it harder to fix security issues.
But in the case of FFmpeg and Libav, this is not really a problem,
because FFmpeg upstream merges all security fixes from Libav.
And if chromium would use the system FFmpeg libraries instead of the
embedded FFmpeg copy, the overall code duplication wouldn't increase.
Then you continued that supporting FFmpeg in addition to Libav would not
be possible due to the huge amount of security fixes.
But FFmpeg had only 7 CVEs in 2014, while e.g. MySQL had 37 and chromium
had 64, which are much larger numbers.
In the FFmpeg ITP bug you stated [2]:
"Exactly. It makes it really easy to not share concerns if you're not
affected by the work imposed from the decision. "
While it is true that I'm not part of the security team, I would still
be the one to actually package the upstream security fixes for FFmpeg.
The security team would only have to review those and send out a DSA.
> Chromium using a local copy of the lib doesn't matter in
> practice since we need to spin updates for the browser
> security bugs anyway.
So for chromium code duplication doesn't matter?
Debian policy doesn't matter?
And it doesn't matter because chromium needs so many security fixes that
a few more don't hurt?
This completely contradicts what you wrote in [1] with regard to code
duplication and also with regard to the supposedly huge amount of
security fixes for FFmpeg.
As I have explained multiple times before, I don't see how your
arguments would be sufficient for blocking FFmpeg from jessie.
Best regards,
Andreas
1: https://lists.debian.org/debian-devel/2014/02/msg00668.html
2: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729203#435
3: https://security-tracker.debian.org/tracker/source-package/ffmpeg
4: https://security-tracker.debian.org/tracker/source-package/chromium-browser