Andreas Cadhalpun <andreas.cadhal...@googlemail.com> writes:

> Given the amount of software in Debian and thus the amount of security
> fixes necessary for a stable release, I think that the additional
> stable-security uploads for FFmpeg in the order of 10 per release will
> be hardly noticeable.

Er, 8 security updates over the course of a stable release is already very
high. Wouldn't adding another 10 make that the least secure source package
in Debian? I believe that's worse than web browsers, which have a very
large attack surface and huge numbers of active and well-funded attackers.
And this is just for a multimedia library.

I suppose it depends on how many of those could be grouped into one
update, and each Iceweasel update usually has multiple fixed CVEs, so
maybe this isn't an entirely fair comparison. But still, those are
jaw-dropping numbers.

> While I understand and agree with the general idea of reducing code
> duplication, I have a really hard time trying to understand why the
> security team has such a strong opposition to the idea of having both
> FFmpeg and Libav in Debian stable.

Because the sorts of numbers that you're talking about indicate that this
code is a complete security disaster.

> What is particularly hard for me to understand is why e.g. MySQL and
> MariaDB can be in testing at the same time without much resistance from
> the security team, but FFmpeg and Libav can apparently not.

MySQL is already a security update problem due to Oracle's very unhelpful
attitude towards security patches. And we're still talking about rather
fewer security vulnerabilities than this, I believe.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: https://lists.debian.org/87ppgnhmym....@windlord.stanford.edu