Michael Stahl wrote:
> looks like both core Gnome apps and Qt5/KDE have apparently managed to
> grow dependencies on the toxic codecs.

The thing is, they both need only one or two of the offending codecs (not 
necessarily the same ones). In the Plasma case, the dependency is kwin → 
qt5-qtmultimedia → libgstphotography-1.0.so.0. If that were moved to a 
dedicated subpackage, we would avoid dragging in the whole set.

But still, GStreamer upstream's approach of "oh, those plugins are bad, 
don't use them, we don't care about their security" does not work at all. 
People WILL end up installing them no matter what we do (even if we don't 
package them at all, they will surely spring up in Copr/OBS/wherever), and 
an attack can be as simple as visiting a web page. Upstream really needs to 
audit ALL plugins for security.

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org