Hi Misaki,

There's multiple interacting issues:

- ffmpeg is in universe; thus, many sites will not install it because they configure apt to only install packages from main.
- imagemagick's insanely useful tools are used by hundreds or thousands of other applications.
- openjpeg's upstream developers have made really impressive progress improving their code quality but it still appears to be a hobby / part time project rather than a production ready tool.

At this point I'd probably even say openjpeg's quality is slightly better than imagemagick's quality. imagemagick is included in main because the effort to *remove* it from main would be substantial. Were imagemagick to be proposed as a new addition today it would not meet our quality expectations.

However, I'm confident that at least some of the issues I've raised with openjpeg would allow for remote zero-interaction exploits of our desktop users if its code were properly exposed. It could be via attached images in emails being automatically thumbnailed, downloaded documents being automatically thumbnailed, etc. Perhaps album artwork on streaming music services. Probably not everything I've found is actually exploitable but I've flagged so many potential issues that it's entirely likely there's multiple paths to exploitation.

The openjpeg team has come so far, it'd be a shame if they didn't cross the finish line at this point.

(I also hope the imagemagick team can make similar strides, but hopefully everyone knows to run imagemagick commands in AppArmor profiles or SELinux policy by now.)

Thanks

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/711061

Title:
  [MIR] openjpeg2