On 29.04.2015 12:28, Emilio Pozuelo Monfort wrote: > On 29/04/15 10:41, Bálint Réczey wrote: >> 2015-04-29 9:44 GMT+02:00 Emilio Pozuelo Monfort <po...@debian.org>: >>> On 27/04/15 00:30, Andreas Cadhalpun wrote: >>>> On 27.04.2015 00:01, Emilio Pozuelo Monfort wrote: >>>>> On 26/04/15 19:06, Andreas Cadhalpun wrote: >>>>>> Dear release team, >>>>>> >>>>>> as you undoubtedly know: jessie has been released! \o/ >>>>>> >>>>>> Thus this bug is now obsolete and I'm closing it. >>>>>> >>>>>> Please remove the testing migration block of ffmpeg. >>>>> >>>>> I don't think you understand the problem. >>>>> >>>>> Having both ffmpeg and libav in the same release is the problem. >>>> >>>> But having mysql-5.5 and mariadb-10.0 in jessie is apparently no >>>> problem, despite previous claims. What's the difference?
It would really be nice to get an answer for this question. >>>>> So at this moment, that "block" hint is not going to be removed. >>>> >>>> When will it be removed, if not now? >>>> >>>> Previously Moritz Mühlenhoff wrote [1]: >>>> "After the jessie release a decision between libav and ffmpeg will need >>>> to be made. It certainly possible to have them co-exist for a year or >>>> so, but the decision needs to be made before the jessie+1 freeze." >>>> >>>> How do you think this should go forward? >>> >>> You could ask the TC to decide between the two. As it happened with #717076 >>> for >>> example. The TC is only a last resort, used when the normal processes fail. It would be much better if they would work. Therefore I'm planning to discuss a possible transition from Libav to FFmpeg with the maintainers of the reverse dependencies, before asking the TC for a resolution. However this will take time and I don't see any reason to block ffmpeg from testing during this time. It could be removed again before stretch is released, should that prove necessary. >> There is no need to ask TC (yet), it is blocked by Julien: >> https://release.debian.org/britney/hints/jcristau >> >> Dear Julien, >> >> Could you please lift the unblock now since Jessie has been released >> and we generally don't ban packages from entering testing based on >> duplicate functionality? > > Sigh. This has been said multiple times, but I'll explain it again. > > We do block stuff based on security concerns. > > Since there are concerns on shipping both libav and ffmpeg, Just for your information: I'm currently in the process of finding and fixing FFmpeg's remaining potentially security relevant bugs by systematically fuzzing its demuxers/decoders with afl [1]. Once that's done (hopefully in the not too far future) security concerns regarding FFmpeg should become more or less void. And anyway, as far as I know, the only security support for testing comes through unstable. So it's not like having FFmpeg in testing would increase the workload of the security team. > we won't allow > ffmpeg unless it is chosen to be the default and there is a clear transition > plan, so that we can switch from one to the other. Only then will the block > hint > be removed. > > Hope that is clear. Let me take your example of libjpeg-turbo: It has been in testing, when the TC bug #717076 [2] was filed and during the year the decision was debated there, except for a short time, were it was removed due to concrete unfixed security issues [3]. It is not clear to me, why a similar treatment should not be possible for ffmpeg. Best regards, Andreas 1: https://tracker.debian.org/pkg/afl BTW: Thanks to Jakub Wilk for packaging afl! 2: https://bugs.debian.org/717076 3: https://bugs.debian.org/729873 -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
