Hi Andreas,

Thank you for a very good overview.

On Fri, 15 May 2015 16:55:30 Andreas Cadhalpun wrote:
> FFmpeg is clearly better at fixing security issues.
> To take a random example, an out of bounds read in the bink decoder was
> fixed in FFmpeg three years ago [1], while Libav git master is still
> vulnerable today.
> [...]
> Interestingly Gentoo recently switched to FFmpeg by default [3] after
> conducting a survey [4]. About 300 people participated in that survey and
> the outcome was rather clear:
> 62% [ 189 ] "I prefer ffmpeg, and it should be the default."
> 4% [ 15 ] "I prefer libav, and it should be the default."
> [...]
> > Maybe Moritz can elaborate on this.
>
> It seems he already did [11]:
> "I think ffmpeg is doing better in terms of handling security issues; when
> I contacted Michael Niedermayer in private he was always quick to reply,
> while libav-security@ seems understaffed: Several queries in the past needed
> additional poking, some were left unaddressed until today. Also, the Google
> fuzzer guys stated that more samples are unfixed in libav compared to
> ffmpeg."
> [...]
> 3: http://thread.gmane.org/gmane.linux.gentoo.devel/95339/focus=95585
> 4: https://forums.gentoo.org/viewtopic-t-1010096.html
> 11: https://lists.debian.org/debian-devel/2014/08/msg00060.html

After the above I don't need any more evidence to support transition to
ffmpeg. There are benefits of reducing differences from other distros that
already use ffmpeg. After all, with ffmpeg we will benefit from better
upstream support.

IMHO if Moritz thinks that ffmpeg is better from a security perspective it
means that we don't have a case for libav any more. I am now convinced that
it will be better for Debian to use ffmpeg.

I also found an interesting comparison where "mpv" upstream shares their
assessment of the problem:

https://web.archive.org/web/20150115005029/https://github.com/mpv-player/mpv/wiki/FFmpeg-versus-Libav

-- 
Best wishes,
Dmitry Smirnov
GPG key : 4096R/53968D1B

---

It is a mistake to try to look too far ahead.
The chain of destiny can only be grasped one link at a time.
        -- Winston Churchill
