* Andreas Cadhalpun (andreas.cadhal...@googlemail.com) [140928 14:36]:
> On 28.09.2014 12:47, Andreas Barth wrote:

>> The release policy does say "Packages must be security-supportable". I
>> would be surprised if a statement from the security team (assuming
>> that Moritz raised that bug report with his security team-hat on and
>> not privately) that they would like to have only one of libav and
>> ffmpeg in jessie would be overruled by the release team.
>
> Nonetheless both are in wheezy and will be in jessie, unless chromium  
> gets removed from testing.

There is a distinction between an old and a new package.

However (and please note that I'm not a member of the security team
and just speak for myself here as always when not otherwise marked) if
it would be possible to replace the internal code copy in chromium
by a reference to ffmpeg (but it's not possible with libav), that will
probably lead to a re-evalutation. (That doesn't necessarily mean
"sucess guranteed", but it looks to me as it will not make things
worse.)

Perhaps you always intended that, but at least I didn't understand it
that way yet.


> I absolutely cannot understand why the security team would prefer to  
> have an embedded code copy instead of a properly packaged library.

I don't think they do that. However, I can understand why one embedded
code copy is better than one embedded code copy plus a library in
addition to it.




Andi


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to