[FFmpeg-devel] Reintroducing FFmpeg to Debian

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Sun Aug 17 13:41:10 CEST 2014


Hi Russ,

On 16.08.2014 18:33, Russ Allbery wrote:
> All the renaming and cordial co-existence in the world won't change this.
> The things that would change this is for one or both projects to develop a
> better security track record and a history of higher-quality code releases
> that require less ongoing work in stable,

Let's just have a look at FFmpeg's security track record.
The easiest way I found to do this quantitatively is to count the CVEs 
on FFmpeg's security page [1] per year.

2011: 39
2012: 55
2013: 66

This indeed looks bad and even getting worse. But don't forget that e.g. 
in 2012 the systematic fuzzing by Jurczyk and Coldwind began.

By now, more than half of 2014 is over and so far only 5 CVEs [3] have 
been fixed in FFmpeg this year.
I must admit that I'm no security expert, but I think this shows that 
FFmpeg's security has improved a lot.

> or for the people who care
> deeply about this to somehow find a way to relieve the impact on those
> teams in some way acceptable to those teams.

Michael Niedermayer already volunteered to help with all security 
related problems of FFmpeg in Debian.
So what should he do to relieve the impact on the security and release 
teams?

> Short of that, there's clearly a need for software of this type in Debian,
> and at the same time it's clearly a ton of work.  The teams involved have
> indicated that they're willing (if not necessarily happy) to deal with one
> version of the source base, but not two.

This still confuses me, because apparently nobody has a problem with 
having three binary compatible MySQL variants in Debian:
MySQL, MariaDB and PerconaDB [4]

Best regards,
Andreas


1: https://ffmpeg.org/security.html
2: http://j00ru.vexillium.org/?p=2211
3: The security page shows 6 CVEs, but CVE-2014-4609 and CVE-2014-4610
    are the same, once reported for Libav and once for FFmpeg.
4: https://lists.debian.org/debian-devel/2014/08/msg00016.html
