On Thursday 07 December 2006 at 11:30 +0100, Loïc Minier wrote:
> It's nice that you're concerned by this state of fact, but this is
> nothing new, and was already discussed multiple times. I actually
> already discussed this since months with 1) Debian users 2) upstream 3)
> the ffmpeg maintainer 4) the security team.
> If you truly want to unlock this situation, subscribe to the upstream
> bug on the subject, and update your patch to be acceptable upstream.

By hiding behind upstream, you're simply refusing to fix the problem. The patch is a hack that is only guaranteed to work on a Debian system, and upstream will refuse it until it is done in a proper way. This is not how things work. Forwarding fixes upstream is important but it doesn't come before fixing the Debian bug.

> > As the situation is very similar in mplayer, mplayer is considered
> > RC-buggy by the security team. There was an exception for
> > gstreamer-ffmpeg because it was considered too difficult to fix, but I
> > don't think this is justified and this should be considered
> > release-critical as well.
>
> Again, nothing new. As you state yourself, this was already discussed
> and an exception was granted. Besides, you miss the important point
> that gst-ffmpeg heavily patches (read: "replaces") the ffmpeg build
> system, while mplayer has a close-to-vanilla ffmpeg tree.

The exception was granted because of this assumption, which is *entirely wrong*, as gst-ffmpeg ships a vanilla ffmpeg tree. It took me less than one hour to figure it out and to build a working package with the Debian ffmpeg library.

> "Dropping GStreamer 0.8 for etch" is not "building gst-ffmpeg against
> Debian's ffmpeg"; any of these changes can be achieved in whatever
> order, these are orthogonal, even if both would help security support
> (in a different way). As I'm not considering building gst-ffmpeg
> against ffmpeg for etch, I kindly suggest we let this subthread die or
> be continued in the upstream bug report where it would be more useful.

As the security people are the ones being really affected, I would like to have Moritz' input on this matter. Are you ready to grant an exception to gstreamer-ffmpeg and not to mplayer while the situation of both packages is strictly identical?

--
Josselin Mouette /\./\

"Do you have any more insane proposals for me?"