Andreas Cadhalpun <andreas.cadhal...@googlemail.com> writes:

> I must have failed to make my point again. :(
> As far as I know there are hundreds of security updates (for all packages
> together) in the lifetime of a stable release. Compared to that 10 is not
> large. And, as I already mentioned, I think that some of the FFmpeg
> updates are minor enough to go through stable-updates.

> It doesn't make a software less secure, if (even minor) security fixes get
> backported even to old release branches, rather the contrary.

Well... backporting security fixes is more of a bare minimum -- that's just
something that has to happen if we're going to support the software at all,
with a handful of exceptions where the software is, for one reason or
another, important enough that we're willing to release with it even though
security patches aren't backported properly and then terminate support in
the middle of our normal stable process.

But software should also not pose a significant security load in the first
place. That quantity of security vulnerabilities tells me that something is
deeply wrong with FFmpeg as an upstream source base. That's a sign of code
with a bad smell.

Now, that doesn't necessarily mean that it doesn't belong in Debian.
Sometimes we have to hold our nose and live with that, and it sounds like
libav isn't necessarily a lot better. But those are really painful
statistics that, to me at least, indicate the world is crying out for a
replacement code base that accomplishes the same goals but was written with
a higher level of quality in mind. Obviously easier said than done, of
course.

Is upstream aware that this is a really bad track record and trying to do
something proactive to increase the quality of the code, like comprehensive
auditing, or proactive rewrites to use more secure coding practices such as
some of the work that the LibreSSL team has been doing?

I'm sympathetic to the concerns of the security team and the release team
about supporting two code bases with this much security activity in a
stable release. Maybe it's still the right thing to do, but that's a lot of
work for them.

-- 
Russ Allbery (r...@debian.org)              <http://www.eyrie.org/~eagle/>

Archive: https://lists.debian.org/87a97rhj3k....@windlord.stanford.edu