On Tue, Feb 25, 2014 at 11:33:33PM +0100, Moritz Muehlenhoff wrote: > On Tue, Feb 25, 2014 at 11:30:25PM +0100, Andreas Cadhalpun wrote: > > On 25.02.2014 22:18, Yves-Alexis Perez wrote: > >> On Tue, Feb 25, 2014 at 06:23:20PM +0100, Andreas Cadhalpun wrote: > >>>> No, it means I don't have the time, nor nerve to discuss this. We're > >>>> after all busy to keep Debian secure and sick of maintainers who only > >>>> focus on their pet package and neglegt the overall maintainability > >>>> of the Debian archive. > >>> > >>> While I always stated that I'm open to discussion, you just ended > >>> the discussion after trying to block FFmpeg from entering Debian, > >>> which I do not find very constructive. > >> > >> My feeling is that this was discussed over and over and Moritz is > >> /slighly/ tired of repeating the same thing over and over. And me > >> replying to this mail doesn't mean I'm willing to engage in a large > >> thread on this, the security team position has been given. > > > > My impression has been /slightly/ different: Moritz made dubious claims > > about FFmpeg: > > "We've looked into many security issues > > in ffmpeg which didn't affect libav, either because experimental > > code wasn't merged yet or because code was rewritten in libav and not > > affected. Also ffmpeg hasn't have long term branches which is a major > > benefit of libav." > > > > After I have questioned these, Moritz simply left the discussion. But > > maybe I didn't understand what Moritz wanted to say? > > Yes, it's the latter: I didn't badmouth ffmpeg in any way: it was said that > libav > fixed less Google fuzzer samples than libav; for which I added my observation > that when > I looked at several CVE assignments for ffmpeg fixes the affected code > didn't exist in libav releases and that explains the difference in numbers. > That doesn't mean that ffmpeg is worse than libav, it simply means that the > code has diverged and different code is affected.
I belive maybe some things are a bit mixed up here The "less fixes in libav" stuff was AFAIK a comparission between the libav and ffmpeg git master branches while libavs last release was based on git master of over a year ago. So please correct me if iam wrong, but i dont think that a comparission of libav from over a year ago against recent issues can serve as an explanation for differences in the 2 projects master branches [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Awnsering whenever a program halts or runs forever is On a turing machine, in general impossible (turings halting problem). On any real computer, always possible as a real computer has a finite number of states N, and will either halt in less than N cycles or never halt.
signature.asc
Description: Digital signature
