Hi All,

I have contacted Moritz asking him to share his opinion regarding FFmpeg/Libav. He is not on the list, so he asked me to forward his email. Please see his answer inline.
2015-05-18 15:11 GMT+02:00 Alessandro Ghedini <gh...@debian.org>:
> On Mon, May 18, 2015 at 01:47:25 +0100, Alessio Treglia wrote:
>> Hi Alessandro,
>>
>> and thanks for sharing your thoughts, it's genuinely appreciated.
>>
>> On Mon, May 18, 2015 at 1:26 PM, Alessandro Ghedini <gh...@debian.org> wrote:
>> > And it's already clear that libav just doesn't provide enough security
>> > coverage,
>>
>> Can you please elaborate? AFAICS the versions in oldstable (0.8.17)
>> and stable (11.3) are actively maintained upstream.
>> Honestly that looks quite enough of security support.
>
> The security tracker lists three vulnerabilities that don't have patches in
> libav.git (but are fixed in ffmpeg in sid):
> https://security-tracker.debian.org/tracker/source-package/libav
>
> ffmpeg also provides a helpful security page that associates CVE ids with git
> commits for easy cherry-picking (libav doesn't do this):
> http://ffmpeg.org/security.html
>
> Plus see what Moritz (from the Security team) said about ffmpeg security
> responses (Andreas already mentioned this, but I think it's relevant here as
> well):
>
>> I think ffmpeg is doing better in terms of handling security issues; when
>> I contacted Michael Niedermayer in private he was always quick to reply,
>> while libav-security@ seems understaffed: Several queries in the past needed
>> additional poking, some were left unaddressed until today. Also, the Google
>> fuzzer guys stated that more samples are unfixed in libav compared to ffmpeg.
>
> https://lists.debian.org/debian-devel/2014/08/msg00060.html

2015-05-24 12:44 GMT+02:00 Moritz Muehlenhoff <j...@inutil.org>:
...
(part directed to me)
> -------------------------------------
> What I wrote at https://lists.debian.org/debian-devel/2014/08/msg00060.html
> effectively still holds:
>
> | I think ffmpeg is doing better in terms of handling security issues; when
> | I contacted Michael Niedermayer in private he was always quick to reply,
> | while libav-security@ seems understaffed: Several queries in the past needed
> | additional poking, some were left unaddressed until today. Also, the Google
> | fuzzer guys stated that more samples are unfixed in libav compared to
> | ffmpeg.
>
> Several of the recently fixed libav security issues were only fixed because I
> contacted Michael Niedermayer for the reproducers and reproduced them with
> libav git. There's no special Chrome test harness, all you need to do is
> rebuild libav with asan and exercise the reproducers.
> libav doesn't do that on its own, which I find disappointing since ffmpeg is
> obviously a fairly big part of their larger software ecosystem. This seems
> to be caused by two factors:
> - lack of manpower in libav
> - a general animosity
>
> Another factor in favour of ffmpeg is the support maintenance. As Andreas
> quoted, the libav 0.8 branch we use in wheezy will be EOLed soon. ffmpeg in
> contrast even made updates to the 0.5 branch in November (i.e. the version
> in squeeze).
>
> So summarising my personal perspective from being in the security team: We
> could live with either solution, but by now I personally have a preference
> towards ffmpeg, with the lack of manpower in libav being the decisive factor.
>
> Also as a user of mpv in jessie I find the lack of external vobsub parsing
> support rather annoying. It's a frequent issue I personally run into (as a
> workaround mplayer2 can be used, but that's not ideal).
> -------------------------------------

Cheers,
Balint

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
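Moritz's remark that reproducing these reports needs no special harness, only a rebuild with AddressSanitizer and a replay of the reproducer samples, describes a triage loop a packager can script. The script below is an added example written for this thread, not code from the mail, from libav or from ffmpeg. It assumes a source checkout whose `./configure` accepts `--extra-cflags`/`--extra-ldflags` (both projects' configure scripts do), a built `avconv` (or `ffmpeg`) binary named via `ASAN_TOOL`, and a directory of reproducer files; the compiler flags, the sample directory and the log path are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild a libav/ffmpeg tree with
# AddressSanitizer and replay a directory of reproducer samples through it,
# logging which samples trigger a sanitizer report or a non-zero exit.

# Compiler flags for an ASan build (assumed conventional choices):
# -fno-omit-frame-pointer and -g keep the stack traces readable, -O1 keeps
# the build quick without optimising the faulty access away.
asan_cflags() {
    printf '%s' '-fsanitize=address -fno-omit-frame-pointer -g -O1'
}

# Configure and build the source tree in $1 with the flags above. Runs in a
# subshell so the caller's working directory is untouched.
build_with_asan() {
    (
        cd "$1" || exit 1
        ./configure --extra-cflags="$(asan_cflags)" \
                    --extra-ldflags='-fsanitize=address' \
                    --disable-stripping &&
        make -j"$(nproc 2>/dev/null || echo 2)"
    )
}

# Decode one sample to the null muxer with the freshly built binary.
# $ASAN_TOOL names that binary (avconv for libav, ffmpeg for ffmpeg);
# stdin is closed so a prompt from the tool cannot stall the loop.
decode_sample() {
    "${ASAN_TOOL:-./avconv}" -loglevel error -i "$1" -f null - </dev/null
}

# Run the decoder function named in $2 (default decode_sample) over every
# regular file in directory $1. A sample counts as a finding when the
# decoder exits non-zero or prints an AddressSanitizer report. Findings are
# written to $ASAN_LOG (default ./asan-findings.log, keep it outside $1);
# the function prints the number of findings.
run_reproducers() {
    dir="$1"
    decoder="${2:-decode_sample}"
    log="${ASAN_LOG:-./asan-findings.log}"
    : > "$log"
    findings=0
    for sample in "$dir"/*; do
        [ -f "$sample" ] || continue
        # Capture stderr only; the null muxer discards the decoded output.
        if output=$("$decoder" "$sample" 2>&1 >/dev/null); then
            status=0
        else
            status=$?
        fi
        if [ "$status" -ne 0 ] || printf '%s' "$output" | grep -q 'AddressSanitizer'; then
            findings=$((findings + 1))
            printf '%s: exit=%s\n%s\n---\n' "$sample" "$status" "$output" >> "$log"
        fi
    done
    printf '%s\n' "$findings"
}

# Typical use (paths are placeholders):
#   build_with_asan ./libav && ASAN_TOOL=./libav/avconv run_reproducers ./reproducers
```

Each finding in the log carries the sample path, the exit status and the sanitizer output, which is what a maintainer needs to match a sample against an upstream commit or to file it against the security tracker entry.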