Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

On 26.11.2011 09:54, zezinho wrote:
> On Saturday 26 November 2011 02:31:43, Anssi Hannula wrote:
>> About 75% of the crash issues fixed by the above 0.7 commits affect mga1 0.6.x, with a sample size of 70 commits.
>
> So maybe we should consider ffmpeg as Firefox: a software we must upgrade because upstream fixes security only in latest version.

Unfortunately FFmpeg is much less 'stable' than Firefox in both its dependencies and API across different series. Meaning that an upgrade of FFmpeg often requires an upgrade of libx264 (like in 0.6-0.7), or requires changes in software that uses FFmpeg (0.6-0.7 doesn't, however).

The easy way out in this case could be upgrading FFmpeg 0.6-0.7 and x264 and doing extensive QA to avoid breakage. The hard way is backporting the ~200 relevant patches (most of which don't apply automatically).

-- 
Anssi Hannula
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

26.11.2011 16:15, Anssi Hannula wrote:
> On 26.11.2011 09:54, zezinho wrote:
>> On Saturday 26 November 2011 02:31:43, Anssi Hannula wrote:
>>> About 75% of the crash issues fixed by the above 0.7 commits affect mga1 0.6.x, with a sample size of 70 commits.
>>
>> So maybe we should consider ffmpeg as Firefox: a software we must upgrade because upstream fixes security only in latest version.
>
> Unfortunately FFmpeg is much less 'stable' than Firefox in both its dependencies and API across different series. Meaning that an upgrade of FFmpeg often requires an upgrade of libx264 (like in 0.6-0.7), or requires changes in software that uses FFmpeg (0.6-0.7 doesn't, however).
>
> The easy way out in this case could be upgrading FFmpeg 0.6-0.7 and x264 and doing extensive QA to avoid breakage. The hard way is backporting the ~200 relevant patches (most of which don't apply automatically).

And you don't think upgrading to a new ffmpeg will bring new bugs and need for new fixes...

We don't even have BR about those bugs in our bugzilla, so apparently they are not that important or not easy to hit.

The real easy way is: just apply the 5 security fixes and be done with it.

https://wiki.mageia.org/en/Updates_policy

"For the most part, an update should consist of a patched build of the same version of the package released with the distribution"

If we start to look at upstream, there are X number of fixes not in our package, where does it end?? We will soon have to do it for every package, and that is Cauldron or a rolling release, not really a stable release.

And we don't have the manpower in QA to start an updating frenzy like this.

The point is simple: software _always_ has bugs. That's a fact. Upgrading from one version to another does not only fix bugs, it's also replacing old bugs with new ones.

-- 
Thomas
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

On 26.11.2011 16:47, Thomas Backlund wrote:
> 26.11.2011 16:15, Anssi Hannula wrote:
>> On 26.11.2011 09:54, zezinho wrote:
>>> On Saturday 26 November 2011 02:31:43, Anssi Hannula wrote:
>>>> About 75% of the crash issues fixed by the above 0.7 commits affect mga1 0.6.x, with a sample size of 70 commits.
>>>
>>> So maybe we should consider ffmpeg as Firefox: a software we must upgrade because upstream fixes security only in latest version.
>>
>> Unfortunately FFmpeg is much less 'stable' than Firefox in both its dependencies and API across different series. Meaning that an upgrade of FFmpeg often requires an upgrade of libx264 (like in 0.6-0.7), or requires changes in software that uses FFmpeg (0.6-0.7 doesn't, however).
>>
>> The easy way out in this case could be upgrading FFmpeg 0.6-0.7 and x264 and doing extensive QA to avoid breakage. The hard way is backporting the ~200 relevant patches (most of which don't apply automatically).
>
> And you don't think upgrading to a new ffmpeg will bring new bugs and need for new fixes...

Hence the quotes around easy and hard.

> We don't even have BR about those bugs in our bugzilla, so apparently they are not that important or not easy to hit.
>
> The real easy way is: just apply the 5 security fixes and be done with it.
>
> https://wiki.mageia.org/en/Updates_policy
>
> "For the most part, an update should consist of a patched build of the same version of the package released with the distribution"
>
> If we start to look at upstream, there are X number of fixes not in our package, where does it end?? We will soon have to do it for every package, and that is Cauldron or a rolling release, not really a stable release.

Obviously only security fixes are relevant.

> And we don't have the manpower in QA to start an updating frenzy like this.
>
> The point is simple: software _always_ has bugs. That's a fact. Upgrading from one version to another does not only fix bugs, it's also replacing old bugs with new ones.

(BTW, I wasn't advocating upgrading FFmpeg 0.6-0.7, though admittedly my post was badly worded so it might've looked like I was.)

-- 
Anssi Hannula
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

David W. Hodgins wrote 25.11.2011 01:21:
> On Thu, 24 Nov 2011 10:53:07 -0500, D.Morgan <dmorga...@gmail.com> wrote:
>> On Thu, Nov 24, 2011 at 1:58 PM, Thomas Backlund <t...@mageia.org> wrote:
>>> Philippe DIDIER wrote 24.11.2011 14:52:
>>>> - update ffmpeg keeping x264 support but need to rebuild mass of packages (not alone) and provide lots of updated rpms to QA!
>>>
>>> Absolutely not an option
>>
>> But how many packages are affected?
>
> urpmq --whatrequires-recursive ffmpeg|sort -u
> 2mandvd
> clipgrab
> ffmpeg
> ffmpegthumbs
> kdenlive
> kino
> kino-devel
> kmediafactory
> konvertible
> luciole
> mythtv-plugin-archive
>
> Might be worth considering, depending on how difficult it is to port the security patch back to the current version.

As I pointed out in the bugreport, there are 5 simple patches to apply.

-- 
Thomas
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

Anssi Hannula wrote 25.11.2011 01:40:
> BTW, if you look at http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=refs/heads/release/0.7 you'll notice the security issues mentioned here are just a tip of the iceberg, since there are hundreds of commits fixing buffer overflows and other similar issues in various codecs in the 0.7 stable branch alone.

True. But many of the bugs they fix could also have been introduced in the 0.7 branch.

-- 
Thomas
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

On 25.11.2011 12:42, Thomas Backlund wrote:
> Anssi Hannula wrote 25.11.2011 01:40:
>> BTW, if you look at http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=refs/heads/release/0.7 you'll notice the security issues mentioned here are just a tip of the iceberg, since there are hundreds of commits fixing buffer overflows and other similar issues in various codecs in the 0.7 stable branch alone.
>
> True. But many of the bugs they fix could also have been introduced in the 0.7 branch.

About 75% of the crash issues fixed by the above 0.7 commits affect mga1 0.6.x, with a sample size of 70 commits.

-- 
Anssi Hannula
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

On Saturday 26 November 2011 02:31:43, Anssi Hannula wrote:
> About 75% of the crash issues fixed by the above 0.7 commits affect mga1 0.6.x, with a sample size of 70 commits.

So maybe we should consider ffmpeg as Firefox: a software we must upgrade because upstream fixes security only in latest version.
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

Yes, new x264 introduces new libmajor, which requires a mass rebuilding of other packages.

2011/11/24 Philippe DIDIER <philippedid...@laposte.net>:
> To Funda: you modified the spec file of ffmpeg: disable x264 support as x264 is too old in mageia 1
>
> This may induce a regression (a missing feature)
>
> Why not update libx264 before updating ffmpeg, and by this way allow to keep x264 support enabled?
>
> Is there a problem for other programs depending on libx264 if you update it? (need to rebuild them?)
>
> Regards
> Philippe
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

Funda Wang wrote 24.11.2011 14:26:
> Yes, new x264 introduces new libmajor, which requires a mass rebuilding of other packages.

Then the ffmpeg update must be fixed. Either only backport the needed fixes, or fix the build with current x264.

It's not allowed to push updates that break/disable current features.

This is _exactly_ why we have the policy to backport fixes and not blindly update to newer versions.

-- 
Thomas

> 2011/11/24 Philippe DIDIER <philippedid...@laposte.net>:
>> To Funda: you modified the spec file of ffmpeg: disable x264 support as x264 is too old in mageia 1
>>
>> This may induce a regression (a missing feature)
>>
>> Why not update libx264 before updating ffmpeg, and by this way allow to keep x264 support enabled?
>>
>> Is there a problem for other programs depending on libx264 if you update it? (need to rebuild them?)
>>
>> Regards
>> Philippe
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

Funda Wang wrote:
> Yes, new x264 introduces new libmajor, which requires a mass rebuilding of other packages.
>
> 2011/11/24 Philippe DIDIER <philippedid...@laposte.net>:
>> To Funda: you modified the spec file of ffmpeg: disable x264 support as x264 is too old in mageia 1
>>
>> This may induce a regression (a missing feature)
>>
>> Why not update libx264 before updating ffmpeg, and by this way allow to keep x264 support enabled?
>>
>> Is there a problem for other programs depending on libx264 if you update it? (need to rebuild them?)
>>
>> Regards
>> Philippe

Heavy dilemma! Heavy choice!

- leave ffmpeg not updated (with x264 support but with security problem)
- update ffmpeg disabling x264 support
- update ffmpeg keeping x264 support but need to rebuild mass of packages (not alone) and provide lots of updated rpms to QA!
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

Philippe DIDIER wrote 24.11.2011 14:52:
> Heavy dilemma! Heavy choice!
>
> - leave ffmpeg not updated (with x264 support but with security problem)

The proper thing is to identify the needed fixes and backport them.

> - update ffmpeg disabling x264 support

not an option

> - update ffmpeg keeping x264 support but need to rebuild mass of packages (not alone) and provide lots of updated rpms to QA!

Absolutely not an option

-- 
Thomas
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

On Thu, Nov 24, 2011 at 1:58 PM, Thomas Backlund <t...@mageia.org> wrote:
> Philippe DIDIER wrote 24.11.2011 14:52:
>> Heavy dilemma! Heavy choice!
>>
>> - leave ffmpeg not updated (with x264 support but with security problem)
>
> The proper thing is to identify the needed fixes and backport them.
>
>> - update ffmpeg disabling x264 support
>
> not an option
>
>> - update ffmpeg keeping x264 support but need to rebuild mass of packages (not alone) and provide lots of updated rpms to QA!
>
> Absolutely not an option

But how many packages are affected?
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

On Thu, 24 Nov 2011 10:53:07 -0500, D.Morgan <dmorga...@gmail.com> wrote:
> On Thu, Nov 24, 2011 at 1:58 PM, Thomas Backlund <t...@mageia.org> wrote:
>> Philippe DIDIER wrote 24.11.2011 14:52:
>>> - update ffmpeg keeping x264 support but need to rebuild mass of packages (not alone) and provide lots of updated rpms to QA!
>>
>> Absolutely not an option
>
> But how many packages are affected?

urpmq --whatrequires-recursive ffmpeg|sort -u
2mandvd
clipgrab
ffmpeg
ffmpegthumbs
kdenlive
kino
kino-devel
kmediafactory
konvertible
luciole
mythtv-plugin-archive

Might be worth considering, depending on how difficult it is to port the security patch back to the current version.

Regards, Dave Hodgins
Re: [Mageia-dev] ffmpeg in mageia1 updates testing (revision 171164)

On 24.11.2011 17:53, D.Morgan wrote:
> On Thu, Nov 24, 2011 at 1:58 PM, Thomas Backlund <t...@mageia.org> wrote:
>> Philippe DIDIER wrote 24.11.2011 14:52:
>>> Heavy dilemma! Heavy choice!
>>>
>>> - leave ffmpeg not updated (with x264 support but with security problem)
>>
>> The proper thing is to identify the needed fixes and backport them.
>>
>>> - update ffmpeg disabling x264 support
>>
>> not an option
>>
>>> - update ffmpeg keeping x264 support but need to rebuild mass of packages (not alone) and provide lots of updated rpms to QA!
>>
>> Absolutely not an option
>
> But how many packages are affected?

BTW, if you look at http://git.videolan.org/?p=ffmpeg.git;a=shortlog;h=refs/heads/release/0.7 you'll notice the security issues mentioned here are just a tip of the iceberg, since there are hundreds of commits fixing buffer overflows and other similar issues in various codecs in the 0.7 stable branch alone.

-- 
Anssi Hannula