Hi Josselin,

On 31.07.2014 21:54, Josselin Mouette wrote:
Le mercredi 30 juillet 2014 à 00:39 +0200, Andreas Cadhalpun a écrit :
I must have failed to make my point again. :(

No, you are the one who misunderstands the point.

Thanks for sharing your opinion.

As far as I know there are hundreds of security updates (for all
packages together) in the lifetime of a stable release. Compared to that
10 is not large. And, as I already mentioned, I think that some of the
FFmpeg updates are minor enough to go through stable-updates.

No FFmpeg security update is “minor”.

While it's hard to prove your statement, I agree that most of the FFmpeg security fixes should not be considered minor. Still, not every FFmpeg update (note that the word 'security' is absent here) fixes a severe security issue. Some contain only regression fixes. For example, in the 2.2 release series only 2.2.4 fixed a CVE; the other four updates did not, so they could have gone through stable-updates.

Almost each ffmpeg security bug is a code execution one. Almost each and
every one of them is hard to backport.

When making such a statement it is very helpful to explain how you came to this conclusion. For example, the last security fix (CVE-2014-4609) could be trivially backported even to the 0.5 branch. (I did so myself.)

Those 10 security updates might represent more work than 100 *really*
minor security updates.

Even if it required a lot of work to backport the security fixes, that work would be done by FFmpeg upstream anyway. The security team would at most have to review the changes.

Best regards,
Andreas


Archive: https://lists.debian.org/53daae09.3000...@googlemail.com