On Fri, May 13, 2016 at 01:13:34PM +0200, Sebastian Ramacher wrote:
> (Please CC me, I'm not subscribed.)
>
> Hi
>
> On 2016-05-02 20:46:37, Brian May wrote:
> > Raphael Hertzog <hertzog-8fiuurrzop0dnm+yrof...@public.gmane.org> writes:
> >
> > > There's also an alternate way to go forward... continue to support
> > > the current version with paid external help if needed.
> >
> > Starting to look like it will be a better approach. Have been attempting
> > to compile random dependancies manually, and so far only one of them has
> > successfully built - however even this package won't install (due to
> > missing ffmpeg).
> >
> > Most of the packages fail to build due to the dependancies not done yet,
> > however it looks like at least some of these packages that are failing
> > may not be easy to fix. Some of them I think are quite important too,
> > e.g. ffmpeg.
>
> As there was some talk in this thread about doing the transition to libav 11
> and
> it being simply a matter of rebuilding the reverse dependencies …
>
> libav/ffmpeg transitions never are. Most of the time the transition from one
> libav/ffmpeg version to another one comes with extensive API changes. Between
> wheezy and jessie there were the following transitions:
>
> * libav 0.8 -> libav 9
> * libav 9 -> libav 10
> * libav 10 -> libav 11
Agreed, that's not feasible all reverse deps of libav.
OTOH, libav 0.8 in wheezy LTS is not less insecure that it ever was in
the lifetime of wheezy standard. It's just that a lot of people have started
to really up the pace of security support in ffmpeg, which has now shown some
light in a previously murky part of the FLOSS ecosystem.
My recommendation would be to identify a few central apps and provide isolated
backports of those with a backport of libav from jessie in a way which makes
the co-installable with the versions in stock wheezy (e.g. an updated mplayer
for video playback and updated gstreamer for use in firefox) and state that
the security status of the others is only updated on a best effort basis.
Cheers,
Moritz
