The upstream chain for fdk-aac-free is precarious.

The Debian package fdk-aac-free watches
https://gitlab.freedesktop.org/wtaymans/fdk-aac-stripped/

This version specifically removes the HE (High Efficiency) and HEv2 profiles which have patent concerns (see README.fedora).
This version does not regularly sync from upstream:
https://sourceforge.net/projects/opencore-amr/

Note that https://github.com/mstorsjo/fdk-aac is a downstream of Fraunhofer's code distributed on
https://android.googlesource.com/platform/external/aac

Jorge has reported a potential vulnerability to https://github.com/mstorsjo/fdk-aac/issues/167 and to Android's VRP. Android responded saying that they require a PoC and directed Jorge to
https://bughunters.google.com/learn/invalid-reports/android-platform/5148417640366080/bugs-with-negligible-security-impact#unreachable-bugs

fdk-aac-free is not being maintained by syncing with upstream, which may contain security patches. Reporting issues about fdk-aac has so far been fruitless.

Security could conclude our MIR now, but I suggest that fdk-aac-free is reviewed next cycle if the owning team plans to work with fdk-aac-free. Note that Fedora is also invested in fdk-aac-free and may share concerns if made aware.

Side note: iiuc, the advantage of fdk-aac is that it works well on low resource systems, like cell phones and possibly for remote desktop. This advantage may not exist if HE profiles are stripped. If that is the case, there are aac alternatives.

** Bug watch added: github.com/mstorsjo/fdk-aac/issues #167
   https://github.com/mstorsjo/fdk-aac/issues/167

https://bugs.launchpad.net/bugs/1977614
Title: [MIR] fdk-aac-free