On 28 July 2014 15:05, Andreas Cadhalpun <andreas.cadhal...@googlemail.com> wrote:
> On 28.07.2014 13:52, Henrique de Moraes Holschuh wrote:
>>
>> On Mon, 28 Jul 2014, Norbert Preining wrote:
>>>
>>> On Sun, 27 Jul 2014, Reinhard Tartler wrote:
>>>>
>>>> In [1], Moritz from the security team clearly stated that he is more
>>>> than uncomfortable with having more than one copy of libavcodec in
>>>> debian/testing. In consequence this means that any package that builds
>>>> against the ffmpeg packages currently in NEW won't make it into
>>>> testing either. I am therefore surprised about the given answer to the
>>>
>>> "More than uncomfortable" does not mean "will not be included"
>>
>> Yes, it does.
>>
>> Someone will have to convince the security team somehow, likely by
>> offering to do the work themselves _and_ convincing them that these
>> new members will be around for long enough.
>
> Michael Niedermayer from FFmpeg upstream volunteered "to help with any
> future security issues in FFmpeg packages in debian" [1].
>
>> However:
>>
>> The change in Debian-specific symbol versioning and sonames being done to
>> ffmpeg so that it is co-installable with libav *is* a problem.
>>
>> It has to be done in coordination with the Canonical guys, so that both
>> Debian and Ubuntu do the same thing re. ffmpeg sonames and symbol
>> versioning. Otherwise, the ffmpeg packages will be of very limited use
>> (useless to run third-party binary-only games ;-p).
>
> I don't think coordination with Ubuntu will be a problem.
> In comment #7 in the corresponding bug at launchpad [2] Dimitri John Ledkov
> wrote that Ubuntu won't introduce FFmpeg on its own, but instead:
> "If you wish to see a supported ffmpeg stack in both Debian and Ubuntu,
> please become a developer and start maintaining it in Debian."

I don't have an opinion about ffmpeg vs libav, apart from how hard the soname transitions are, especially in Ubuntu where we somehow ended up with ex-multimedia packages around that either never were in Debian, or have been long removed from testing and/or unstable. Thankfully, we have worked to make sure libav is in universe only and thus is not a security maintenance burden. Nonetheless, the libav10 transition is still not complete in utopic today.

I haven't checked, but how ABI compatible/incompatible are the two stacks? 'Cause it would be a pain if they are not drop-in replacements, and it would also be a pain if higher-up packages link in both ffmpeg & libav and some clashing symbols are present... and people start requesting to have build variants against both.

Has a rebuild of all deps been done? How many build failures are there? (On both Debian & Ubuntu, ideally.)

Are hardening flags / toolchain enabled in both, or either of the two?

--
Regards,

Dimitri.