severity 580947 serious stop On Tue, May 11, 2010 at 07:39:12 (CEST), Joey Hess wrote:
> Reinhard Tartler wrote: >> Surely not. Chromium ships a *private* copy of ffmpeg, more precisely, a >> fork of ffmpeg called ffmpeg-mt. Debian does not include ffmpeg-mt >> because of bug #575600 (tagged wontfix). Moreover, Debian's copy of >> ffmpeg will always be out-of-date. >> >> I wonder why the security team hasn't vetoed this move... > > That seems incorrect, see #580947. Indeed, when examining the contents of the package chromium-browser_5.0.375.29\~r46008-3_i386.deb, it turns out that the package ships the following symlinks: ./usr/lib/chromium-browser/libavcodec.so.52 -> ../libavcodec.so.52 ./usr/lib/chromium-browser/libavformat.so.52 -> ../libavformat.so.52 ./usr/lib/chromium-browser/libavutil.so.50 -> ../libavutil.so.50 However, the package declares the folowing dependencies: Depends: [...] libavcodec52, libavformat52, [...] Note that the dependency on libavutil is missing! I strongly suspect that the package was built against the internal copy of ffmpeg, but the maintainers intend the package to be used against the system ffmpeg copy. This will not work, as chromium was developed and only tested with ffmpeg-mt, a fork available from here: http://gitorious.org/ffmpeg/ffmpeg-mt that fork tracks ffmpeg trunk, which is not intended to be released with squeeze, see bug #569727. Perhaps it could work (with or without adjustments) with the 0.6 version, which currently has a pre-release version in NEW, but this should really be discussed with chromium upstream. Moreover, the dependencies were surely not generated by dpkg-shlibsdeps, but manually written. Checking the buildlogs [1] would clarify this assumption, but for now, I have no other explanation why the dependency on libavutil was missed. For this reason, I'm raising the severity to 'Serious', but feel free to adjust this classification. [1] http://experimental.ftbfs.de/chromium-browser (unavailable at time of writing) -- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87r5li97qo....@faui44a.informatik.uni-erlangen.de
