Hi Alessandro,

sorry for the delay in getting back to you.
It took me some time to get an informed opinion about this.

On 24.05.2015 12:50, Alessandro Ghedini wrote:
> I was looking at the various dependencies of the -ffmpeg packages, and it seems
> to me some of them are a bit superfluous. For example:
> 
> - Do we really need 2 different MP3 encoders (libmp3lame and libshine)?
> - Given the libmp3lame support, what's the purpose of libtwolame?
> - What is the purpose of the libopenjpeg support given that ffmpeg has its
>   own built-in JPEG2000 encoder/decoder?

These are used to provide secondary implementations of some en-/decoders.
There are a few libraries ffmpeg uses only for this purpose:
 * libopenjpeg
 * libshine
 * libtwolame
 * libvorbis
 * libwavpack
 * libxvid

> Other stuff seems a bit niche to me (e.g. the libzmq thing in libavfilter), but
> I guess someone could find that useful.

Probably.

> I mean, if people actually ask for these features then I see no problem, but
> you might want to reduce the number of dependencies otherwise, to reduce the
> attack surface of the ffmpeg packages.
> 
> Any thought?

I don't think these external libraries increase the attack surface much.

Encoders, muxers and filters can't be easily exploited, because unlike decoders
and demuxers, they are usually used manually and with more or less trusted 
content.

Additionally, and also for demuxers/decoders, the native implementation is used if
the external library is not manually selected. So security bugs in secondary
decoders can't be easily exploited.

On the other hand I checked the external decoders and while most seem rather
unproblematic, two crash quite often:
 * libopenjpeg (#787275 [1])
 * libschroedinger (#787957 [2])

So if these issues won't get fixed in a reasonable timeframe, I'll consider disabling
those two decoders.

Best regards,
Andreas


1: https://bugs.debian.org/787275
2: https://bugs.debian.org/787957
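As an added illustration (not part of the thread, and not Debian's or ffmpeg's own tooling), the following POSIX shell snippet lists which decoders in an ffmpeg build are wrappers around external libraries, i.e. the set of secondary implementations Andreas is talking about. It relies on the ffmpeg convention that such wrappers are named `lib<something>` in `ffmpeg -decoders` output; the sample output embedded below is constructed and abridged, not a real capture.

```shell
#!/bin/sh
# Added example: find external-library decoders in an ffmpeg build.
# Reads the text of `ffmpeg -decoders` on stdin and prints the names of
# decoders that are wrappers around external libraries (names starting "lib").

external_decoders() {
    # Everything after the "------" separator is "FLAGS name description";
    # external-library wrappers are conventionally named lib<something>.
    awk 'body && $2 ~ /^lib/ { print $2 }
         /^ *-+$/ { body = 1 }' | sort -u
}

# Constructed, abridged sample of `ffmpeg -decoders` output (not a real capture).
SAMPLE_DECODERS='Decoders:
 V..... = Video
 ------
 V....D jpeg2000             JPEG 2000
 V....D libopenjpeg          OpenJPEG JPEG 2000
 V....D dirac                BBC Dirac VC-2
 V....D libschroedinger      libschroedinger Dirac 2.2
 A....D mp3                  MP3 (MPEG audio layer 3)
 A....D libopus              libopus Opus'

# Usage with the sample:
#   printf '%s\n' "$SAMPLE_DECODERS" | external_decoders
# Usage against a real build:
#   ffmpeg -hide_banner -decoders | external_decoders
```

Each name printed has a native counterpart listed beside it (jpeg2000 next to libopenjpeg, dirac next to libschroedinger). Per the thread, the native decoder is what ffmpeg picks unless the wrapper is requested explicitly, e.g. with `-c:v libopenjpeg` placed before `-i`, so the list above is the set of decoders a packager can drop or keep without affecting default decoding paths.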

