Select provider of libav* libraries

Alessandro Ghedini ghedo at
Mon May 18 13:11:03 UTC 2015

On Mon, May 18, 2015 at 01:47:25 +0100, Alessio Treglia wrote:
> Ciao Alessandro,
> and thanks for sharing your thoughts, it's genuinely appreciated.
> On Mon, May 18, 2015 at 1:26 PM, Alessandro Ghedini <ghedo at> wrote:
> > And it's already clear that libav just doesn't provide enough security coverage,
> Can you please elaborate? AFAICS the versions in oldstable (0.8.17)
> and stable (11.3) are actively maintained upstream.
> Honestly that looks quite enough of security support.

The security tracker lists three vulnerabilities that don't have patches in
libav.git (but are fixed in ffmpeg in sid):

ffmpeg also provides a helpful security page that associates CVE ids with git
commits for easy cherry-picking (libav doesn't do this):

Plus see what Moritz (from the Security team) said about ffmpeg security
responses (Andreas already mentioned this, but I think it's relevant here as

> I think ffmpeg is doing better in terms of handling security issues; when
> I contacted Michael Niedermayer in private he was always quick to reply,
> while libav-security@ seems understaffed: Several queries in the past needed
> additional poking, some were left unaddressed until today. Also, the Google 
> fuzzer guys stated that more samples are unfixed in libav compared to ffmpeg.

> > I'm implying that users have been asking for what they need (ffmpeg) for a long
> > time, and Debian isn't providing it.
> Well, that is an alleged opinion, not fact. Conversely libav backers
> couldn't say that "we are giving the users all what they really really
> want and need".
> So please let's all just refrain from taking this as we're 100% to
> have joined the battle on the right side ;)

Fair enough. I was trying to understand Jonas' point of view but I may have
been carried away at times, sorry about that everyone.


More information about the pkg-multimedia-maintainers mailing list