Once upon a time, Michael Catanzaro <mcatanz...@redhat.com> said:
> On Wed, May 28 2025 at 03:19:49 PM -05:00:00, Chris Adams
> <li...@cmadams.net> wrote:
> > So it's been another month and this still isn't resolved. I know people
> > on the Fedora side have been trying (don't want to complain about
> > effort). But if Fedora can't reliably get timely updates to a package
> > that has high security implications, it should NOT be enabled by
> > default, or even shipped by Fedora at all.
>
> Well you're not wrong. The risk level here is considerable.
>
> But without this package, users can't play videos, and there's
> nothing we can do about that other than point to RPM Fusion and hope
> they can figure out how to get what they need from there, which is
> not easy. So the consequences of dropping it are also considerable.
> Rock and hard place and all that.

This package is for playing one particular encoding of videos (and only certain profiles of that encoding from what I understand). There's also nothing preventing Fedora from pointing users to Cisco's site to get their provided binaries.

There are always decisions between security and convenience, and Fedora has typically gone for security (e.g. things like continually raising the crypto policies). Leaving desktop users open to a high-rated CVE for three months (and counting), in the name of convenience, is rather bad IMHO.

--
Chris Adams <li...@cmadams.net>