[FFmpeg-devel] Reintroducing FFmpeg to Debian
andreas.cadhalpun at googlemail.com
Sun Aug 17 13:41:10 CEST 2014
On 16.08.2014 18:33, Russ Allbery wrote:
> All the renaming and cordial co-existence in the world won't change this.
> The things that would change this is for one or both projects to develop a
> better security track record and a history of higher-quality code releases
> that require less ongoing work in stable,
Let's just have a look at FFmpeg's security track record.
The easiest way I found to do this quantitatively is to count the CVEs
on FFmpeg's security page per year.
This indeed looks bad and even getting worse. But don't forget that e.g.
in 2012 the systematic fuzzing by Jurczyk and Coldwind began.
By now, more than half of 2014 is over and so far only 5 CVEs have
been fixed in FFmpeg this year.
I must admit that I'm no security expert, but I think this shows that
FFmpeg's security has improved a lot.
> or for the people who care
> deeply about this to somehow find a way to relieve the impact on those
> teams in some way acceptable to those teams.
Michael Niedermayer already volunteered to help with all security
related problems of FFmpeg in Debian.
So what should he do to relieve the impact on the security and release
> Short of that, there's clearly a need for software of this type in Debian,
> and at the same time it's clearly a ton of work. The teams involved have
> indicated that they're willing (if not necessarily happy) to deal with one
> version of the source base, but not two.
This still confuses me, because apparently nobody has a problem with
having three binary compatible MySQL variants in Debian:
MySQL, MariaDB and PerconaDB 
3: The security page shows 6 CVEs, but CVE-2014-4609 and CVE-2014-4610
are the same, once reported for Libav and once for FFmpeg.