On 2014-10-01 16:17:09, Andreas Cadhalpun wrote:
> Package: chromium
> Version: 37.0.2062.120-2
> Severity: important
> Tags: security, patch
>
> Dear Maintainer,
>
> chromium uses an embedded code copy of FFmpeg (third_party/ffmpeg in the
> source directory) to compile libffmpegsumo.so, which is included in the
> chromium binary package.
>
> This is not allowed by Debian policy § 4.13 [1]:
> "Debian packages should not make use of these convenience copies unless the
> included package is explicitly intended to be used in this way.
> If the included code is already in the Debian archive in the form of a
> library, the Debian packaging should ensure that binary packages reference
> the libraries already in Debian and the convenience copy is not used. If the
> included code is not already in Debian, it should be packaged separately as
> a prerequisite if possible."
>
> As system FFmpeg libraries are now available, chromium should use them
> instead of the embedded FFmpeg copy, because it makes fixing security bugs
> easier.
>
> Attached patch changes chromium's Debian packaging to use the system
> libraries, including some patches to make this work:
>  * fix_for_system_ffmpeg.patch: Fixes a conceptual bug that made it
>    impossible to use the system FFmpeg libraries.
>  * ffmpeg_2.4.patch: Adapts chromium to the API differences between the
>    embedded copy and FFmpeg 2.4.
>  * fix_for_system_ffmpeg_ABI.patch: Fixes the ABI used by chromium to
>    match the system FFmpeg ABI.
>
> Please apply this patch as soon as possible, because the freeze is coming
> closer.
You might want to add here that ffmpeg is blocked from entering testing. See #763148 and the blocks from Julien Cristau and Niels Thykier.

Cheers
-- 
Sebastian Ramacher

