Hi Sebastian,

On 01.10.2014 16:32, Sebastian Ramacher wrote:
On 2014-10-01 16:17:09, Andreas Cadhalpun wrote:
Package: chromium
Version: 37.0.2062.120-2
Severity: important
Tags: security, patch

Dear Maintainer,

chromium uses an embedded code copy of FFmpeg (third_party/ffmpeg in the
source directory) to compile libffmpegsumo.so, which is included in the
chromium binary package.

This is not allowed by Debian policy § 4.13 [1]:
"Debian packages should not make use of these convenience copies unless the
included package is explicitly intended to be used in this way.
If the included code is already in the Debian archive in the form of a
library, the Debian packaging should ensure that binary packages reference
the libraries already in Debian and the convenience copy is not used. If the
included code is not already in Debian, it should be packaged separately as
a prerequisite if possible."

As system FFmpeg libraries are now available, chromium should use them
instead of the embedded FFmpeg copy, because it makes fixing security bugs
easier.

Attached patch changes chromium's Debian packaging to use the system
libraries, including some patches to make this work:
  * fix_for_system_ffmpeg.patch: Fixes a conceptual bug that made it
    impossible to use the system FFmpeg libraries.
  * ffmpeg_2.4.patch: Adapts chromium to the API differences between the
    embedded copy and FFmpeg 2.4.
  * fix_for_system_ffmpeg_ABI.patch: Fixes the ABI used by chromium to
    match the system FFmpeg ABI.

Please apply this patch as soon as possible, because the freeze is coming
closer.

You might want to add here that ffmpeg is blocked from entering testing. See
#763148 and the blocks from Julien Cristau and Niels Thykier.

I'm pretty sure that the maintainer of chromium, Michael Gilbert, knows this very well, because he is a member of the security team and thus was CC'ed on the complete discussion with the release team. So he also knows about the suggestion of the release team member Andreas Barth to replace the internal code copy in chromium by a reference to FFmpeg and that the possibility of this probably leads to a re-evaluation of the migration block [1].

Best regards,
Andreas

1: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763148#27

