Ivan Kalvachev <ikalvac...@gmail.com> writes:

> I'm quite sure the Security team is full of capable people who can
> handle one more package.

One, no, this statement is not correct. Not because the security team is not capable -- they are very capable -- but because they are not *full*. You imply that the security team has tons of resources and time to spare. Let me assure you that this is far from the case. This isn't even the case for security teams consisting of full-time staff paid by commercial Linux distributions, let alone volunteers for the Debian project.

Two, the security team has already said that FFmpeg is not just "one more package," and that no, they can't handle the substantial incremental load from adding FFmpeg without removing libav. You may not think that should be the case, but I'm afraid your opinion on the topic doesn't matter unless you're finding a way to either reduce that work or add more resources.

> FFmpeg takes security seriously.

I'm sure that it does. The problem, however, is that taking security seriously, while possibly necessary, is not sufficient. I'm glad that FFmpeg takes security seriously, but what FFmpeg needs is to *have fewer security bugs*.

This isn't about anyone's good intentions. It's about the reality of past, very negative experience with FFmpeg's security track record. It's clear that efforts are underway to improve that, such as through the fuzz testing work that Google (among others) has been doing. That's great, but I'm sure you can also understand that the past track record has been sufficiently bad that everyone will continue to be leery for a while. To change that impression, FFmpeg is going to have to substantially improve on its past security track record and then *maintain* that new level of security for some period of time.

Note that all of the above statements also apply to libav. As near as I can tell, this is not a distinguishing characteristic between the two projects.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: https://lists.debian.org/87fvgw9s6v....@hope.eyrie.org