On Tue, 03 May 2016, Brian May wrote:
> I have a suspicion that many of these installs may be due to libav being
> installed to satisfy dependencies. There are a large number of packages
> that do depend on libav.

Yes, that's obvious, a library is usually installed by way of dependencies. But if you assume that people do not install packages that they do not need, they are likely using libav even though indirectly and they might be vulnerable to attacks.

It's quite likely that the impact might be less severe than if they were using the library to process remotely submitted data (and in which case one would hope that they would have told us about it) but we have no way to know that really.

> Is it worth continuing with this?

I believe it is worth at least investigating what kind of external support we can get and how much it will cost us, yes. Then we can decide whether we can afford it and whether it is worth its price.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/