* Andreas Cadhalpun (andreas.cadhal...@googlemail.com) [140928 14:36]: > On 28.09.2014 12:47, Andreas Barth wrote:
>> The release policy does say "Packages must be security-supportable". I >> would be surprised if a statement from the security team (assuming >> that Moritz raised that bug report with his security team-hat on and >> not privately) that they would like to have only one of libav and >> ffmpeg in jessie would be overruled by the release team. > > Nonetheless both are in wheezy and will be in jessie, unless chromium > gets removed from testing. There is a distinction between an old and a new package. However (and please note that I'm not a member of the security team and just speak for myself here as always when not otherwise marked) if it would be possible to replace the internal code copy in chromium by a reference to ffmpeg (but it's not possible with libav), that will probably lead to a re-evalutation. (That doesn't necessarily mean "sucess guranteed", but it looks to me as it will not make things worse.) Perhaps you always intended that, but at least I didn't understand it that way yet. > I absolutely cannot understand why the security team would prefer to > have an embedded code copy instead of a properly packaged library. I don't think they do that. However, I can understand why one embedded code copy is better than one embedded code copy plus a library in addition to it. Andi -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
