On Mon, May 18, 2015 at 01:47:25 +0100, Alessio Treglia wrote:
> Ciao Alessandro,
> 
> and thanks for sharing your thoughts, it's genuinely appreciated.
> 
> On Mon, May 18, 2015 at 1:26 PM, Alessandro Ghedini <gh...@debian.org> wrote:
> > And it's already clear that libav just doesn't provide enough security
> > coverage,
> 
> Can you please elaborate? AFAICS the versions in oldstable (0.8.17)
> and stable (11.3) are actively maintained upstream.
> Honestly that looks quite enough of security support.

The security tracker lists three vulnerabilities that don't have patches in
libav.git (but are fixed in ffmpeg in sid):
https://security-tracker.debian.org/tracker/source-package/libav

ffmpeg also provides a helpful security page that associates CVE ids with git
commits for easy cherry-picking (libav doesn't do this):
http://ffmpeg.org/security.html

Plus see what Moritz (from the Security team) said about ffmpeg security
responses (Andreas already mentioned this, but I think it's relevant here as
well):

> I think ffmpeg is doing better in terms of handling security issues; when
> I contacted Michael Niedermayer in private he was always quick to reply,
> while libav-security@ seems understaffed: Several queries in the past needed
> additional poking, some were left unaddressed until today. Also, the Google 
> fuzzer guys stated that more samples are unfixed in libav compared to ffmpeg.

https://lists.debian.org/debian-devel/2014/08/msg00060.html

> > I'm implying that users have been asking for what they need (ffmpeg) for a
> > long time, and Debian isn't providing it.
> 
> Well, that is an alleged opinion, not fact. Conversely libav backers
> couldn't say that "we are giving the users all what they really really
> want and need".
> So please let's all just refrain from taking this as we're 100% to
> have joined the battle on the right side ;)

Fair enough. I was trying to understand Jonas' point of view but I may have
been carried away at times, sorry about that everyone.

Cheers
